Forum Discussion

bezeqint's avatar
bezeqint
Icon for Nimbostratus rankNimbostratus
Mar 06, 2012

iRule to mitigate attack

hello,

 

 

i need to protect mail servers from a virus attack.

 

we have a network with users. some of them are using the mail servers, some of them are attacking the mail servers. we see that some users create 4000 short connection to the mail servers - the concurrent connection for each user is 1.

 

 

what i would like to do is:

 

1. if a user a part of a network that belongs to a group, he can open, lets say, 10 new connections per second (not concurrent! the rate of opening a tcp connection - a user can keep 500 connections, but can create only 10 new per second)

 

2. the rest of the users can open connections at any rate.

 

 

can i do that using iRule?

 

can iRule limit the rate of opening new connections?

 

 

how do i write something like that?

 

 

application delivery
dev
devops
iRules
  • koenning_107182's avatar
    koenning_107182
    Icon for Nimbostratus rankNimbostratus
    Mar 06, 2012
    Hi,

     

     

    have a look here, where hoolio is showing a clever example to rate limit new connections.

     

    https://devcentral.f5.com/wiki/iRul...ables.ashx

     

     

    You could just change the logic of this that you move the code in the CLEINT_ACCEPTED event into the if statement, so you can have a client greylist, in which you put your networks.

     

     

    if you want to add the limit concurrency from clients, this thread is a good start:

     

    https://devcentral.f5.com/Community...fault.aspx

     

     

    Hope this helps,

     

     

    Christian
  • bezeqint's avatar
    bezeqint
    Icon for Nimbostratus rankNimbostratus
    Mar 07, 2012
    the first link limit connection per virt - this is not what i'm looking for.

    the second link is much better.

    i've edit the irule and it looks something like this:

    what happend to other networks (outside the datagroup)? they wont be limited? 

     
 Data group mapping hosts/networks to connection limit values
class conn_limit_dg {
   network 10.0.0.0/8 { "2" }
}

when RULE_INIT {
     This defines how long is the sliding window to count the requests. This example allows 10 requests in 3 seconds
    set static::windowSecs 3
}
when CLIENT_ACCEPTED {

     Max connections per client IP
    set limit [class match -value [IP::client_addr] equals conn_limit_dg]
    log local0. "[IP::client_addr]: \$limit: $limit"

     Check if client IP is in the connection limit data group and the request is a GET
    if { $limit ne "" } {
        set getCount [table key -count -subtable [IP::client_addr]]
        log local0. "[IP::client_addr]: getCount=$getCount"
        if { $getCount < $limit} {
            incr getCount 1
            table set -subtable [IP::client_addr] $getCount "" indefinite $static::windowSecs
        } else {  log local0. "[IP::client_addr]: exceeded the number of requests allowed. $getCount / $limit"
           reject
        }
    }
}

  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Mar 07, 2012
    Here's an optimized version which limits each client to X concurrent connections:

    
 Purpose: Limit each client to X concurrent connections
when RULE_INIT {
     Max number of connections for a client over an interval
    set static::max_conns 10
     Log debug to /var/log/ltm? 1=yes, 0=no
    set static::conn_debug 1
}
when CLIENT_ACCEPTED {
     Use a subtable name specific to the client IP
    set subtable "connlimit:[IP::client_addr]"
     Add the client port to the client IP-specific subtable with a 65 second timer 
     and an indefinite timeout.  We use the after command to touch the key every 60 seconds
     as long as the connection is open.
     The subtable entry is removed when the connection is closed.
    table set -subtable $subtable [TCP::client_port] "" 65 indefinite
    if {$static::conn_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Added new key [TCP::client_port],\
        count: [table keys -subtable $subtable -count], max: $static::max_conns"}
     Set a timer to update the subtable entry every Y milliseconds
    set timer [after 60000 -periodic {
        table lookup -subtable $subtable [TCP::client_port]
        if {$static::conn_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Touched key [TCP::client_port] using after script"}
    }]
     Check if the subtable has over X entries
    set count [table keys -subtable $subtable -count]
    if { $count >= $static::max_conns } {
        if {$static::conn_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Over limit count: $count / limit: $static::max_conns"}
         Drop the connection
        drop
         Or apply a rateclass
         rateclass rateclass1
    }
}
when CLIENT_CLOSED {
     When the client connection is closed, remove the subtable entry
    table delete -subtable $subtable [TCP::client_port]
    if {$static::conn_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Deleting key [TCP::client_port]"}
     Cancel the timer
    if {[info exists timer] && $timer ne ""}{
        if {$static::conn_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Cancelling timer $timer"}
        after cancel $timer
    }
}

    Aaron
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Mar 07, 2012
    Actually, it looks like you want to limit new connections per second per client IP. I'll test something today for this as the above example wouldn't help for your scenario.

     

     

    Aaron
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Mar 07, 2012
    I did basic functional testing of this iRule. It would be great if you could do some performance testing for it and let me know if you see any issues. I'm particularly interested in seeing what increase in TMM CPU and memory utilization you see.

    Thanks, Aaron 

    
 Purpose: Limit each client to X connections per second
when RULE_INIT {
 Max number of connections per client IP per second
set static::max_conns 10

 Log debug to /var/log/ltm? 1=yes, 0=no
set static::conn_debug 1
}
when CLIENT_ACCEPTED {

 Use a subtable name specific to the client IP and current second
set subtable "connlimit:[IP::client_addr]_[clock seconds]"

 Add the client port to the client IP-specific subtable with a 2 second timer and timeout.
 For counting we don't care if the subtable has extra entries as we move onto a new subtable every second.
table set -subtable $subtable [TCP::client_port] "" 2 2
if {$static::conn_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Added new key [TCP::client_port]\
to table, $subtable, count: [table keys -subtable $subtable -count] / max: $static::max_conns"}

 Check if the subtable has over X entries
set count [table keys -subtable $subtable -count]
if { $count >= $static::max_conns } {

if {$static::conn_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Over limit count: $count / max: $static::max_conns"}

 Drop the connection
drop

 Or apply a rateclass
 rateclass rateclass1

}
}
  • bezeqint's avatar
    bezeqint
    Icon for Nimbostratus rankNimbostratus
    Mar 08, 2012
    i need to limit only specific networks, also, datagroups are preferable.

     

    can you create and flush a table (such as code below) for specific networks?

     

     

    what about the code that i posted, it wont work? what's the advantages of your code?