Forum Discussion
HTTP Post Flood mitigation with LTM
- Oct 29, 2023
Hi, here is your overly complicated iRule 😉
when RULE_INIT {
    set static::maxReqs 10;
    set static::timeout 30;
}
when HTTP_REQUEST {
    if { [string tolower [HTTP::method]] equals "post" } {
        # The following expects the IP addresses in multiple X-forwarded-for headers. It picks the first one.
        if { [HTTP::header exists X-forwarded-for] } {
            set client_IP_addr [getfield [lindex [HTTP::header values X-Forwarded-For] 0] "," 1]
        } else {
            set client_IP_addr [IP::client_addr]
        }
        set getcount [table lookup -notouch $client_IP_addr]
        if { $getcount equals "" } {
            table set $client_IP_addr "1" $static::timeout $static::timeout
            # record of this session does not exist, starting new record, request is allowed.
        } else {
            if { $getcount < $static::maxReqs } {
                table incr -notouch $client_IP_addr
                # record of this session exists but request is allowed
            } else {
                HTTP::respond 403 content {
                    <html>
                    <head><title>HTTP Request denied</title></head>
                    <body>Your HTTP POST requests are being throttled.</body>
                    </html>
                }
            }
        }
    }
}
Credit for this iRule goes to F5. It's a slightly modified version of the iRule that can be found here: https://irules-http.readthedocs.io/en/latest/class2/module1/lab2.html
Have fun,
--Niels
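Added example, not part of the post above or of F5's lab code: a small Python model of the iRule's counter logic, showing that each client key gets a fixed 30-second window of 10 allowed POSTs starting at its first POST. The names PostThrottle, client_key and replay and the sample addresses are hypothetical, and it assumes X-Forwarded-For is set by a trusted upstream proxy, since otherwise the key is whatever the client sends.

```python
# Added model of the iRule's per-client POST counter (not F5 code).
# PostThrottle, client_key and replay are hypothetical names for this sketch.

MAX_REQS = 10   # static::maxReqs
TIMEOUT = 30    # static::timeout, used as both idle timeout and lifetime


def client_key(xff_values, peer_addr):
    """First entry of the first X-Forwarded-For header, else the peer address."""
    if xff_values:
        return xff_values[0].split(",")[0]
    return peer_addr


class PostThrottle:
    def __init__(self, max_reqs=MAX_REQS, timeout=TIMEOUT):
        self.max_reqs = max_reqs
        self.timeout = timeout
        self.table = {}  # key -> (count, expiry time in seconds)

    def on_post(self, key, now):
        """Return 200 if the POST is allowed, 403 if it is throttled."""
        entry = self.table.get(key)
        if entry is not None and now >= entry[1]:
            entry = None  # lifetime reached: the record no longer exists
        if entry is None:
            # 'table set key 1 timeout lifetime': a new window starts here
            self.table[key] = (1, now + self.timeout)
            return 200
        count, expiry = entry
        if count < self.max_reqs:
            # 'table incr -notouch': count goes up, expiry does not move
            self.table[key] = (count + 1, expiry)
            return 200
        return 403  # rejected requests leave the record unchanged


def replay(events):
    """events: (seconds, xff_values, peer_addr) tuples; returns status codes."""
    throttle = PostThrottle()
    return [throttle.on_post(client_key(x, p), t) for t, x, p in events]


# Constructed sample: 12 POSTs one second apart via a proxy, then one at t=30.
SAMPLE = [(t, ["198.51.100.7, 10.0.0.2"], "10.0.0.2") for t in range(12)]
SAMPLE.append((30, ["198.51.100.7, 10.0.0.2"], "10.0.0.2"))

if __name__ == "__main__":
    print(replay(SAMPLE))
```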
Hello Niels,
I'll try this iRule in my lab environment this week.
Thanks 👍
raydakis