Forum Discussion
irule for rate limit based on http error codes & client ip
Hi,
I'm looking for 1 iRule (or maybe 2 combined) to rate limit HTTP response error codes coming from the same client.
What we want to create is a check where a client that is coming in is checked. If he gets a 400 error code, we want to log it. When the same client gets the 400 error more than 2 times in 1 hour, it should be blocked.
Does anybody know iRule code for performing this?
3 Replies
- youssef1
Cumulonimbus
Hello,
When you say coming from the same client, are you talking about the source IP address?
regards
- werner_v_113449
Nimbostratus
Yes,
The same client IP can get 2 * 400 errors in a given timeframe. If that is exceeded, the client IP needs to be blocked for a given time to avoid retries.
After the given time, everything can be reset again.
We use some client IP rate limit iRules. But they are simply based on the client IP and how many times the client IP is hitting a specific Virtual Server/URI. But here we need to count the HTTP response error code, and block the client IP if it gets the same error page more than 2 times in a specific timeframe.
- youssef1
Cumulonimbus
Hello,
So I made you a little iRule that I already used a long time ago for DDoS (because my customer did not have ASM...).
As you can notice, I use table/subtable; it's a simple and effective way to store information.
For the blocking you can respond with a specific message or send a reject/drop.
You can also add blocking for other responses and modify the blocking time or the number of occurrences...
So keep me in touch
```tcl
when HTTP_REQUEST {
    set clientip [IP::client_addr]
    # Current error count for this client IP (empty if no entry exists)
    set incrementvalue [table lookup -notouch -subtable restriction $clientip]
    log local0. "$incrementvalue"
    # Block once the client has collected more than 2 errors
    if {$incrementvalue > 2} {
        HTTP::respond 200 content "Reject bla bla bla"
        reject
    }
}

when HTTP_RESPONSE {
    set httpstatus [HTTP::status]
    # for information you can add additional status in order to block it, example 500
    if { ($httpstatus starts_with "4") } {
        if {$incrementvalue == ""} {
            # First error from this client: create the entry with a 3600 s timeout
            table set -subtable restriction $clientip 1 3600
        } else {
            set incrementvalue [expr {$incrementvalue + 1}]
            table set -subtable restriction $clientip $incrementvalue 3600
        }
    }
}
```
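A variant of the same idea, added here as an example and not code from the thread: it counts with `table incr` so the read and the update happen in one table operation, and it uses an entry lifetime so the one-hour window starts at the first error instead of being extended by every later error. The `static::` variable names, the `_blocked` subtable, the 403 status and the message text are assumptions.

```tcl
when RULE_INIT {
    # Assumed settings; adjust to the policy you need
    set static::err_table  "restriction"  ;# subtable name, as in the post above
    set static::err_limit  2              ;# errors tolerated per window
    set static::err_window 3600           ;# counting window in seconds
    set static::block_time 3600           ;# block duration in seconds
}

when HTTP_REQUEST {
    set clientip [IP::client_addr]
    # An entry in the "_blocked" subtable exists only while the client is blocked
    if { [table lookup -notouch -subtable "${static::err_table}_blocked" $clientip] ne "" } {
        HTTP::respond 403 content "Too many errors, try again later"
        return
    }
}

when HTTP_RESPONSE {
    if { [HTTP::status] starts_with "4" } {
        # Create the counter only if it does not exist yet. No idle timeout,
        # fixed lifetime: the entry expires err_window seconds after the first error.
        table add -subtable $static::err_table $clientip 0 indefinite $static::err_window
        # Increment in a single table operation instead of lookup followed by set
        set count [table incr -notouch -subtable $static::err_table $clientip]
        if { $count > $static::err_limit } {
            log local0. "blocking $clientip after $count 4xx responses"
            # Separate entry for the block, with its own fixed lifetime
            table set -subtable "${static::err_table}_blocked" $clientip 1 indefinite $static::block_time
            table delete -subtable $static::err_table $clientip
        }
    }
}
```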