Forum Discussion
raydakis
Altocumulus
AltocumulusHTTP Post Flood mitigation with LTM
Hello, Im using TMOS : 16.1.4 with LTM module only. I want to block IP addresses if HTTP POST requests on login page goes over some limit in specified period of time. for example if user send 10 "...
Hi, here is your overly complicated iRule 😉
when RULE_INIT { set static::maxReqs 10; set static::timeout 30; } when HTTP_REQUEST { if { [string tolower [HTTP::method]] equals "post" } { # The following expects the IP addresses in multiple X-forwarded-for headers. It picks the first one. if { [HTTP::header exists X-forwarded-for] } { set client_IP_addr [getfield [lindex [HTTP::header values X-Forwarded-For] 0] "," 1] } else { set client_IP_addr [IP::client_addr] } set getcount [table lookup -notouch $client_IP_addr] if { $getcount equals "" } { table set $client_IP_addr "1" $static::timeout $static::timeout # record of this session does not exist, starting new record, request is allowed. } else { if { $getcount < $static::maxReqs } { table incr -notouch $client_IP_addr # record of this session exists but request is allowed } else { HTTP::respond 403 content { <html> <head><title>HTTP Request denied</title></head> <body>Your HTTP POST requests are being throttled.</body> </html> } } } } }Credits for this iRule goes to F5. It's a slightly modified version of the iRule that can be found here: https://irules-http.readthedocs.io/en/latest/class2/module1/lab2.html
Have fun,
--Niels
Hi, here is your overly complicated iRule 😉
when RULE_INIT {
set static::maxReqs 10;
set static::timeout 30;
}
when HTTP_REQUEST {
if { [string tolower [HTTP::method]] equals "post" } {
# The following expects the IP addresses in multiple X-forwarded-for headers. It picks the first one.
if { [HTTP::header exists X-forwarded-for] } {
set client_IP_addr [getfield [lindex [HTTP::header values X-Forwarded-For] 0] "," 1]
} else {
set client_IP_addr [IP::client_addr]
}
set getcount [table lookup -notouch $client_IP_addr]
if { $getcount equals "" } {
table set $client_IP_addr "1" $static::timeout $static::timeout
# record of this session does not exist, starting new record, request is allowed.
} else {
if { $getcount < $static::maxReqs } {
table incr -notouch $client_IP_addr
# record of this session exists but request is allowed
} else {
HTTP::respond 403 content {
<html>
<head><title>HTTP Request denied</title></head>
<body>Your HTTP POST requests are being throttled.</body>
</html>
}
}
}
}
}Credits for this iRule goes to F5. It's a slightly modified version of the iRule that can be found here: https://irules-http.readthedocs.io/en/latest/class2/module1/lab2.html
Have fun,
--Niels
raydakisAltocumulus
AltocumulusHello Niels,
i'll try this irule in my labs environnement this week.
Thanks 👍
raydakis
