Limit the packets per Second for a session

Hi Colin,

 

 

thanks for your hint and sorry for my late response.

 

I modified the client_data part, because IP::stats age is in milli seconds.

 

 

when CLIENT_DATA {

 

when session is older then one second

 

if { [IP::stats age] > 1000 } {

 

milli seconds to seconds

 

set age_sec [expr [IP::stats age] / 1000]

 

 

get the packtes per second

 

set packets [expr {[IP::stats pkts in]} / $age_sec]

 

log "Packets per Second $packets Packets {[IP::stats pkts in]} Age {[IP::stats age] milli second}"

 

 

if { $packets > $::maxpackets } {

 

log "Client $client_ip rejected with $packets packets per second rejected"

 

reject

 

return

 

}

 

}

 

}

 

 

I tested the iRule on a big-ip 5100 and version 9.1.0.

 

The rule seems to work. I have tested it with one client

 

and one server. I dont know what will happen if thousands

 

of clients and connections will penetrate the loadbalancer.

 

 

The rate classes in an iRule will be the best way to limit the banwidth

 

in a productive environment.

 

 

The only feature I miss at version 9.x is to limit the concurrent connections per client/source

 

ip-address in a rate class or as feature for a virtual server, without using a iRule.

 

This feature would be very helpful when a service is under heavy load.

 

It is possible to limit the connection for a virtual, but so one or more bad clients are able

 

to use all these connections.

 

 

Best regards

 

Klaus