Forum Discussion
werner_v_113449
Nimbostratus
Apr 11, 2018
irule for rate limit based on http error codes & client ip
Hi,
I'm looking for 1 iRule (or maybe 2 combined) to rate limit HTTP response error codes coming from the same client.
What we want to create is a check where a client that is coming is i...
youssef1
Cumulonimbus
Apr 11, 2018
Hello,
So I made you a little iRule that I already used a long time ago 🙂 for DDoS (because my customer did not have ASM...).
As you can notice I use table/subtable; it's a simple and effective way to store information.
For the blocking you can respond with a specific message or send a reject/drop.
You can also add blocking for other responses and modify the blocking time or the number of occurrences...
So keep me in touch
when HTTP_REQUEST {
    set clientip [IP::client_addr]
    # Read this client's error count without refreshing the entry's timeout
    set incrementvalue [table lookup -notouch -subtable restriction $clientip]
    log local0. "$incrementvalue"
    # Block the client once it has more than 2 recorded error responses
    if {$incrementvalue > 2} {
        HTTP::respond 200 content "Reject bla bla bla"
        reject
    }
}
when HTTP_RESPONSE {
    set httpstatus [HTTP::status]
    # for information you can add additional status in order to block it, example 500
    if { ($httpstatus starts_with "4") } {
        if {$incrementvalue == ""} {
            # First 4xx seen for this client: create the counter, kept for 3600 seconds
            table set -subtable restriction $clientip 1 3600
        } else {
            set incrementvalue [expr {$incrementvalue + 1}]
            table set -subtable restriction $clientip $incrementvalue 3600
        }
    }
}
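A variant of the iRule above, as an added example that is not part of youssef1's post: it uses `table add` plus `table incr` so the per-client count is updated atomically across concurrent connections, and the entry expires a fixed 3600 seconds after the first 4xx instead of being re-armed by every new error. The 429 status, the message text, the log wording and the `errcount` variable name are choices made for this example; the subtable name, threshold and 3600-second period are taken from the post.

```tcl
when HTTP_REQUEST {
    set clientip [IP::client_addr]
    # -notouch: reading the counter must not change the entry's expiry
    set errcount [table lookup -notouch -subtable restriction $clientip]
    # An empty string means no 4xx has been recorded for this client yet
    if { $errcount ne "" && $errcount > 2 } {
        log local0. "rate limit: $clientip blocked after $errcount 4xx responses"
        # Responses generated here do not pass through HTTP_RESPONSE,
        # so the block itself is not counted as another error.
        HTTP::respond 429 content "Too many failed requests" Retry-After 3600
        return
    }
}

when HTTP_RESPONSE {
    if { [HTTP::status] starts_with "4" } {
        # table add creates the entry only when it is absent:
        # idle timeout "indef", lifetime 3600 s, so the window is fixed
        # from the first error and cannot be extended by later ones.
        table add -subtable restriction $clientip 0 indef 3600
        # table incr is a single atomic operation, so two connections from
        # the same client cannot overwrite each other's update.
        table incr -notouch -subtable restriction $clientip
    }
}
```

With this variant a client is released one hour after its first counted error, whereas the posted iRule keeps a client blocked until one hour after its most recent 4xx.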
