Forum Discussion
bezeqint
Mar 06, 2012Nimbostratus
iRule to mitigate attack
hello,
i need to protect mail servers from a virus attack.
we have a network with users. some of them are using the mail servers, some of them are attacking the mail servers. we see that some users create 4000 short connection to the mail servers - the concurrent connection for each user is 1.
what i would like to do is:
1. if a user a part of a network that belongs to a group, he can open, lets say, 10 new connections per second (not concurrent! the rate of opening a tcp connection - a user can keep 500 connections, but can create only 10 new per second)
2. the rest of the users can open connections at any rate.
can i do that using iRule?
can iRule limit the rate of opening new connections?
how do i write something like that?
- koenning_107182NimbostratusHi,
- bezeqintNimbostratusthe first link limit connection per virt - this is not what i'm looking for.
Data group mapping hosts/networks to connection limit values class conn_limit_dg { network 10.0.0.0/8 { "2" } } when RULE_INIT { This defines how long is the sliding window to count the requests. This example allows 10 requests in 3 seconds set static::windowSecs 3 } when CLIENT_ACCEPTED { Max connections per client IP set limit [class match -value [IP::client_addr] equals conn_limit_dg] log local0. "[IP::client_addr]: \$limit: $limit" Check if client IP is in the connection limit data group and the request is a GET if { $limit ne "" } { set getCount [table key -count -subtable [IP::client_addr]] log local0. "[IP::client_addr]: getCount=$getCount" if { $getCount < $limit} { incr getCount 1 table set -subtable [IP::client_addr] $getCount "" indefinite $static::windowSecs } else { log local0. "[IP::client_addr]: exceeded the number of requests allowed. $getCount / $limit" reject } } }
- hooleylistCirrostratusHere's an optimized version which limits each client to X concurrent connections:
Purpose: Limit each client to X concurrent connections when RULE_INIT { Max number of connections for a client over an interval set static::max_conns 10 Log debug to /var/log/ltm? 1=yes, 0=no set static::conn_debug 1 } when CLIENT_ACCEPTED { Use a subtable name specific to the client IP set subtable "connlimit:[IP::client_addr]" Add the client port to the client IP-specific subtable with a 65 second timer and an indefinite timeout. We use the after command to touch the key every 60 seconds as long as the connection is open. The subtable entry is removed when the connection is closed. table set -subtable $subtable [TCP::client_port] "" 65 indefinite if {$static::conn_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Added new key [TCP::client_port],\ count: [table keys -subtable $subtable -count], max: $static::max_conns"} Set a timer to update the subtable entry every Y milliseconds set timer [after 60000 -periodic { table lookup -subtable $subtable [TCP::client_port] if {$static::conn_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Touched key [TCP::client_port] using after script"} }] Check if the subtable has over X entries set count [table keys -subtable $subtable -count] if { $count >= $static::max_conns } { if {$static::conn_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Over limit count: $count / limit: $static::max_conns"} Drop the connection drop Or apply a rateclass rateclass rateclass1 } } when CLIENT_CLOSED { When the client connection is closed, remove the subtable entry table delete -subtable $subtable [TCP::client_port] if {$static::conn_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Deleting key [TCP::client_port]"} Cancel the timer if {[info exists timer] && $timer ne ""}{ if {$static::conn_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Cancelling timer $timer"} after cancel $timer } }
- hooleylistCirrostratusActually, it looks like you want to limit new connections per second per client IP. I'll test something today for this as the above example wouldn't help for your scenario.
- hooleylistCirrostratusI did basic functional testing of this iRule. It would be great if you could do some performance testing for it and let me know if you see any issues. I'm particularly interested in seeing what increase in TMM CPU and memory utilization you see.
Purpose: Limit each client to X connections per second when RULE_INIT { Max number of connections per client IP per second set static::max_conns 10 Log debug to /var/log/ltm? 1=yes, 0=no set static::conn_debug 1 } when CLIENT_ACCEPTED { Use a subtable name specific to the client IP and current second set subtable "connlimit:[IP::client_addr]_[clock seconds]" Add the client port to the client IP-specific subtable with a 2 second timer and timeout. For counting we don't care if the subtable has extra entries as we move onto a new subtable every second. table set -subtable $subtable [TCP::client_port] "" 2 2 if {$static::conn_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Added new key [TCP::client_port]\ to table, $subtable, count: [table keys -subtable $subtable -count] / max: $static::max_conns"} Check if the subtable has over X entries set count [table keys -subtable $subtable -count] if { $count >= $static::max_conns } { if {$static::conn_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Over limit count: $count / max: $static::max_conns"} Drop the connection drop Or apply a rateclass rateclass rateclass1 } }
- bezeqintNimbostratusi need to limit only specific networks, also, datagroups are preferable.
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects