For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

ryan_111816's avatar
ryan_111816
Icon for Nimbostratus rankNimbostratus
Nov 18, 2009

Limiting Duplicate HTTP GETs

Hi folks. I'm new to DevCentral so I apologize if I'm posting in the wrong place. I've been running a couple of old v4 BIG-IPs for years and just recently made the jump to a couple of LTM-1600's with 10.0.1. That said, we occasionally receive duplicate GETs to one of our IIS/ColdFusion-based sites, from a single user. When this flood of GETs occurs, the requests come through at such a high rate (upwards of 50 requests per second) that it's causing us some headaches. Therefore, I need to develop an iRule that will handle the duplicates and discard them before they make it to the site.

 

To provide some additional information, we typically have many users NAT'd behind the same IP, but the floods originate from only one unique workstation. So it's really not feasible to block or discard requests based on IP. The good news is that our app sets a cookie which contains a number unique to each workstation. This cookie is passed back to our servers with each GET, so if we can leverage a rule which uses this cookie to identify the duplicates, that would be great. Ideally, I'd like to have a rule which would look for duplicate GETs (containing the same URL and unique string in our custom cookie) and reject subsequent requests which surpass a predetermined threshold.

 

I know this isn’t a lot of information to go off of and I can certainly provide more information as needed. After some poking around, I suspect there may be an existing rule which would do what we want to do. I stumbled across the following rule which appears to limit the number of POSTs: http://devcentral.f5.com/Wiki/iRules.RateLimit_HTTPRequest.ashx

 

It’s possible that rule could be adapted to help us out here. I’ve also seen this rule: http://devcentral.f5.com/wiki/iRules.HTTPRequestThrottle.ashx

 

The first rule seems to filter based on an authorization header, while the latter rule seems to filter on IP. Both rules would need to be adapted to our scenario, but being completely new to iRules, I’m not sure which would work better for us. I’m certainly able to provide more details, as needed, but I’d love to hear any ideas you guys might have. Thanks much for the help.

 

-Ryan

 

application delivery
dev
devops
iRules