For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

bezeqint's avatar
bezeqint
Icon for Nimbostratus rankNimbostratus
Mar 06, 2012

iRule to mitigate attack

hello,     i need to protect mail servers from a virus attack.   we have a network with users. some of them are using the mail servers, some of them are attacking the mail servers. we see th...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Mar 07, 2012
Here's an optimized version which limits each client to X concurrent connections:


 Purpose: Limit each client to X concurrent connections
when RULE_INIT {
     Max number of connections for a client over an interval
    set static::max_conns 10
     Log debug to /var/log/ltm? 1=yes, 0=no
    set static::conn_debug 1
}
when CLIENT_ACCEPTED {
     Use a subtable name specific to the client IP
    set subtable "connlimit:[IP::client_addr]"
     Add the client port to the client IP-specific subtable with a 65 second timer 
     and an indefinite timeout.  We use the after command to touch the key every 60 seconds
     as long as the connection is open.
     The subtable entry is removed when the connection is closed.
    table set -subtable $subtable [TCP::client_port] "" 65 indefinite
    if {$static::conn_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Added new key [TCP::client_port],\
        count: [table keys -subtable $subtable -count], max: $static::max_conns"}
     Set a timer to update the subtable entry every Y milliseconds
    set timer [after 60000 -periodic {
        table lookup -subtable $subtable [TCP::client_port]
        if {$static::conn_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Touched key [TCP::client_port] using after script"}
    }]
     Check if the subtable has over X entries
    set count [table keys -subtable $subtable -count]
    if { $count >= $static::max_conns } {
        if {$static::conn_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Over limit count: $count / limit: $static::max_conns"}
         Drop the connection
        drop
         Or apply a rateclass
         rateclass rateclass1
    }
}
when CLIENT_CLOSED {
     When the client connection is closed, remove the subtable entry
    table delete -subtable $subtable [TCP::client_port]
    if {$static::conn_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Deleting key [TCP::client_port]"}
     Cancel the timer
    if {[info exists timer] && $timer ne ""}{
        if {$static::conn_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Cancelling timer $timer"}
        after cancel $timer
    }
}

Aaron