For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Bruno_Esteves_2's avatar
Bruno_Esteves_2
Icon for Nimbostratus rankNimbostratus
Dec 04, 2015

iRule - URI/Referer Rate limit per minute

Dears,   We have a customer which is getting some troubles with access coming from an specific referer/uri. These access are overloading the application, causing a lot of troubles to the business. ...
ASM Advanced WAF
devops
irule
iRules
LTM
Yann_Desmarest's avatar
Yann_Desmarest
Icon for Cirrus rankCirrus
Jun 01, 2016

Hi,

Here a working irule (inspired by http request throttle irule) : 

when RULE_INIT {
    set static::maxReqs 3;
    set static::timeout 60;
}

when HTTP_REQUEST {
        if { [HTTP::header exists "X-Forwarded-For"] } {
            set client_IP_addr [getfield [lindex  [HTTP::header values X-Forwarded-For]  0] "," 1]
        } else {
            set client_IP_addr [IP::client_addr]
        }
        if { ([HTTP::method] eq "GET") and ([class match [string tolower [HTTP::uri]] ends_with URI_LIST_TO_LIMIT] ) } {

            whitelist
            if { [class match [IP::client_addr] equals ips_whitelist] }{
               return
            }
            set getcount [table lookup -notouch "$client_IP_addr:[HTTP::uri]"]
            if { $getcount equals "" } {
                table set "$client_IP_addr:[HTTP::uri]" "1" $static::timeout $static::timeout
            } else {
                if { $getcount < $static::maxReqs } {
                    table incr -notouch "$client_IP_addr:[HTTP::uri]"
                } else {
                    reject
                }
            }
        }
}
  • Bruno_Esteves_2's avatar
    Bruno_Esteves_2
    Icon for Nimbostratus rankNimbostratus
    Apr 12, 2017

    Dears,

    I'm trying to include a sliding window of time to counting requests. (e.g. if we have 8 req in 60 sec, block for 600 sec.)

    So, I did change ($static::timeout $static::timeout) to ($static::timeout $static::winsec) and include this variable (set static::winsec 60). But, didn't work. Have I missed something here ?

    Here a working iRule that in using:

    when HTTP_REQUEST {

if { [HTTP::uri] ends_with "/URI" and [HTTP::method] eq "POST"}{

    set static::maxRate 8
    set static::timeout 600
    set client_IP_addr [IP::client_addr]

    set getcount [table lookup -notouch "$client_IP_addr:[HTTP::uri]"]
    if { $getcount equals "" } {
    table set "$client_IP_addr:[HTTP::uri]" "1" $static::timeout $static::timeout
    } else {
    if { $getcount < $static::maxRate } {
    table incr -notouch "$client_IP_addr:[HTTP::uri]"
    } else {
    log -noname local0. "REQUEST Rejected: current requestCount for $client_IP_addr"
    reject
}
}
}
}

    Cheers, Bruno