Satoshino
Apr 30, 2021
Solved

iRule triggers two times

Hi,

I created this iRule in order to set a rate limit based on source IP:

when RULE_INIT {
    # Allow at most maxRate requests per windowSecs seconds
    set static::maxRate 4
    set static::windowSecs 10
    log local0. "Var Creation"
}

when HTTP_REQUEST {
    # Logged once per HTTP_REQUEST event, before any filtering
    log local0. [IP::client_addr]
    # check IP
    if { [IP::addr [IP::client_addr] equals 192.168.19.12] } {

        # set variables: one subtable per client IP, count its live entries
        set clientip_var [IP::client_addr]
        set get_count [table key -count -subtable $clientip_var]
        log local0. "$get_count before increase"

        # main condition
        if { $get_count < $static::maxRate } {
            incr get_count 1
            log local0. "$get_count after increase"
            # The entry is keyed by the new count and expires after windowSecs
            table set -subtable $clientip_var $get_count $clientip_var indefinite $static::windowSecs
        } else {
            log local0. "404!?"
            HTTP::respond 404 content { "HTML PAGE" } -reset
            return
        }
    } else {
        return
    }
}

This iRule creates an array and counts the number of sessions; when the sessions reach the maxRate value, the iRule resets the newest session, until flush.

I realized that when I send a request from the client (with the correct IP) to the VS, the iRule is triggered twice; this means that the array reaches the limit with 2 requests instead of 4.

Have you ever had such a problem?

log:

first request:
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 0 before increase
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 after increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 before increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 2 after  increase
second request:
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 2 before increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 3 after  increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 3 before increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 4 after  increase
third and fourth request:
Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 4 after  increase
Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 404!?
Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 4 before increase
Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 404!?

Best regards to all

3 Replies

  • Looking at the logs at a glance, it's actually 2 requests, not 1 request.

    You are stating the below is just 1 request.

    first request:
    Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
    Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 0 before increase
    Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 after increase
    Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
    Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 before increase
    Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 2 after  increase

    But if we look at your iRule, in the HTTP_REQUEST event, your 1st piece of code is itself logging the client IP [IP::client_addr]. Comparing that with the above logs, we can see that it got triggered twice, in line 2 & line 5, so it's actually 2 HTTP_REQUESTs, not one. You may think it's 1 request, but it's actually 2.

    Maybe there were some image, HTML, or JSON resource references in the page you first queried, and the second would have been that call.

    Can you open your developer tools when sending the requests & see what's flowing in the network chart?

    • jaikumar_f5

      The easy way to identify what the HTTP requests were would be to log the URI. Please test if that gives some clue.
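
Logging the URI as suggested above, as an added example that is not part of the original thread: this variant of the iRule logs the method and URI for every HTTP_REQUEST event, so each counter increment can be tied to the resource that caused it. It also keys each table entry uniquely instead of by the count value, so entries with different expiry times cannot overwrite each other and undercount; the "rl:" subtable prefix and the key format are assumptions of this example.

```tcl
# Added example, not the poster's code. The "rl:" prefix and the
# port:clicks key format are illustrative assumptions.
when RULE_INIT {
    set static::maxRate 4
    set static::windowSecs 10
}

when HTTP_REQUEST {
    set client [IP::client_addr]

    # Only rate-limit the test client, as in the original rule
    if { ![IP::addr $client equals 192.168.19.12] } {
        return
    }

    # One subtable per client; its live entry count is the number of
    # requests seen during the last windowSecs seconds.
    set tbl "rl:$client"
    set count [table keys -subtable $tbl -count]

    # One log line per HTTP_REQUEST event, with method and URI, so a page
    # load that also fetches a second resource shows up as two requests
    # with two different URIs.
    log local0. "$client [HTTP::method] [HTTP::uri] count=$count"

    if { $count >= $static::maxRate } {
        log local0. "$client over limit on [HTTP::uri]"
        HTTP::respond 404 content { "HTML PAGE" } -reset
        return
    }

    # Unique key per request: client source port plus a high-resolution
    # clock value. Keying by the count value would reuse an existing key
    # once an older entry expires, refreshing it instead of adding one.
    set key "[TCP::client_port]:[clock clicks]"
    table set -subtable $tbl $key 1 indefinite $static::windowSecs
}
```

If the second logged URI turns out to be a resource the page pulls in automatically, either raise maxRate to account for it or exclude that URI before the count is taken.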