Forum Discussion

Charlie_2_10323
Jan 08, 2009

Limit access, time, blocktime for source ip

Hi guys,

We will share an iRule which we wrote to limit connections from a client to a specific URI.

You can limit access during a determined (time), and if the users try more than the permitted connections the source IP will be blocked for a determined (time).

Our iRule will allow access 10 times in one day; after 10 times in one day the source IP will be blocked for 20 hours.

- First we check if a usertabletime exists; if it exists and there are entries which are older than 1 day we remove them to save memory.

- The second check is to show whether the source IP is in the blacklist or not; if in the blacklist, DROP.

- If not in the blacklist, increase usertablefreq + 1.

- If maxquery is reached, put the source IP in the blacklist.

- If not in the blacklist and not in usertabletime, put srcip and time in the table (usertabletime, usertablefreq).

Regards

Charlie

_____________________________________________________________________________________


when RULE_INIT {
    # maximum number of matching requests a source IP may make within holdtime
    set ::maxquery 10
    # seconds after which a source IP's counter is forgotten (1 day)
    set ::holdtime 86400
    # seconds a blacklisted source IP stays blocked after its last attempt (20 hours)
    set ::blocktime 72000
    # source ip -> time of the first request in the current window
    array set ::usertabletime { }
    # source ip -> number of requests in the current window
    array set ::usertablefreq { }
    # source ip -> time of the last blocked attempt
    array set ::blacklist { }
}

when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] contains "/friendmailservlet" } {
        log local0. "begining"
        log local0. "We have a /mail in the URI"
        set srcip [IP::remote_addr]
        set currtime [clock seconds]

        # show array
        log local0. "Begining the array research."
        foreach {xxx valxxx} [array get ::usertabletime] {
            log local0. "In Array ist: $xxx mit Wert = $valxxx."
        }
        log local0. "Ende der array check."

        # cleaning/maintenance of the usertable to reduce memory
        if { [info exists ::usertabletime] } {
            log local0. "cleaning old ip"
            foreach {srcxip val} [array get ::usertabletime] {
                if { [expr {$currtime - $::usertabletime($srcxip)}] > $::holdtime } {
                    log local0. "REMOVE from Array the good guy with $srcxip und $::usertablefreq($srcxip) after $::holdtime seconds."
                    unset ::usertablefreq($srcxip)
                    unset ::usertabletime($srcxip)
                }
            }
        }

        # is it a good or bad guy
        if { [info exists ::blacklist($srcip)] } {
            log local0. "$srcip is in the blacklist"
            if { $::blocktime > [expr {$currtime - $::blacklist($srcip)}] } {
                # the attack continues: refresh the timestamp so the block
                # is measured from the most recent attempt
                set delta [expr {$currtime - $::blacklist($srcip)}]
                log local0. "the attack continue $::blocktime bigger $delta, $srcip"
                set ::blacklist($srcip) $currtime
                drop
                log local0. "drop $srcip"
                return
            } else {
                # end of the attack
                unset ::blacklist($srcip)
                log local0. "remove $srcip from blacklist"
            }
        } else {
            # not in the blacklist
            if { [info exists ::usertabletime($srcip)] } {
                # we know the customer
                incr ::usertablefreq($srcip)
                if { $::usertablefreq($srcip) > $::maxquery } {
                    # begin of an attack
                    log local0. "new blacklist member <$srcip> with $::usertablefreq($srcip) times"
                    # is a bad guy
                    set ::blacklist($srcip) $currtime
                    # for reason
                    unset ::usertablefreq($srcip)
                    unset ::usertabletime($srcip)
                    drop
                    return
                } else {
                    log local0. "$srcip is trying again to send an e-mail at $currtime for $::usertablefreq($srcip) times."
                }
            } else {
                # new customer sending an e-mail
                set ::usertablefreq($srcip) 1
                set ::usertabletime($srcip) $currtime
                log local0. "new member <$srcip>"
            }
        }
    }
}
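
The counting and blocking rules described in the post, reproduced as an added Python model so the timing behaviour can be checked off-box. This is constructed example code, not part of the original post and not an F5 API: the class `SourceIpLimiter`, its `request()` method and the sample IPs are assumptions chosen here; the three dictionaries mirror the iRule's `::usertabletime`, `::usertablefreq` and `::blacklist` arrays, and the defaults mirror `maxquery`, `holdtime` and `blocktime`. Time is passed in explicitly so a whole day can be simulated in a unit test.

```python
"""Model of the iRule's per-source-IP request counting and blocking.

Constructed example (not the original post's code): reproduces the decisions
the iRule makes for one matching HTTP request, given the request time.
"""
from typing import Dict, List, Tuple


class SourceIpLimiter:
    """Allow at most `maxquery` matching requests per source IP within
    `holdtime` seconds of that IP's first request; once exceeded, drop every
    request from the IP until it has been quiet for `blocktime` seconds."""

    def __init__(self, maxquery: int = 10, holdtime: int = 86400,
                 blocktime: int = 72000) -> None:
        self.maxquery = maxquery
        self.holdtime = holdtime
        self.blocktime = blocktime
        self.usertabletime: Dict[str, int] = {}  # src ip -> time of first request
        self.usertablefreq: Dict[str, int] = {}  # src ip -> requests in window
        self.blacklist: Dict[str, int] = {}      # src ip -> time of last blocked attempt

    def _expire_old_entries(self, now: int) -> None:
        # Mirrors the cleanup loop: runs over the whole table on every request
        # and forgets IPs whose window started more than holdtime seconds ago.
        stale = [ip for ip, t in self.usertabletime.items() if now - t > self.holdtime]
        for ip in stale:
            del self.usertabletime[ip]
            del self.usertablefreq[ip]

    def request(self, src_ip: str, now: int) -> str:
        """Return 'allow' or 'drop' for one matching request from src_ip at time now."""
        self._expire_old_entries(now)

        if src_ip in self.blacklist:
            if self.blocktime > now - self.blacklist[src_ip]:
                # Still blocked. The timestamp is refreshed, so the block lasts
                # blocktime seconds after the *last* attempt, not the first offence.
                self.blacklist[src_ip] = now
                return "drop"
            # Block expired. As in the iRule, this request passes without being
            # counted; the next request starts a fresh window.
            del self.blacklist[src_ip]
            return "allow"

        if src_ip in self.usertabletime:
            self.usertablefreq[src_ip] += 1
            if self.usertablefreq[src_ip] > self.maxquery:
                # Request maxquery+1 inside the window: blacklist and forget the counters.
                self.blacklist[src_ip] = now
                del self.usertablefreq[src_ip]
                del self.usertabletime[src_ip]
                return "drop"
            return "allow"

        # First request from this IP (or first after its window was cleaned up).
        self.usertablefreq[src_ip] = 1
        self.usertabletime[src_ip] = now
        return "allow"


def simulate(events: List[Tuple[str, int]], **kwargs) -> List[str]:
    """Feed (src_ip, time) events in order and return the decision for each."""
    limiter = SourceIpLimiter(**kwargs)
    return [limiter.request(ip, t) for ip, t in events]


if __name__ == "__main__":
    # Constructed sample: 12 requests from one documentation-range address.
    sample = [("198.51.100.7", t) for t in range(12)]
    for (ip, t), decision in zip(sample, simulate(sample)):
        print(f"t={t:>2} {ip} -> {decision}")
```

Two behaviours worth noting when reading the test below: a blocked client that keeps retrying is never unblocked, because every attempt pushes the blacklist timestamp forward, and the first request after the block finally lapses is let through without being counted.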

 

 

  • Talk about luck! I was looking for an iRule sample that performed similar functions. Thanks ... I'll post if it worked.