Forum Discussion

suyeup_77835's avatar
suyeup_77835
Icon for Nimbostratus rankNimbostratus
Jun 07, 2011

need count a HTTPheader Referer

hi.. my name is sooyeup.kim i'm from korea.

 

i need help.

 

now, my company have F5 L7-Switch.(four!!) but we don't have iRule engineer.

 

(customize the iRule is very hard!!T0T) i need this iRule.

 

1. Count a All Referer(HTTP::header) and IP

 

2. if some Referer is over the limit, drop that IP

 

 

i was write the this iRule, but that is wrong!!!T-T

 

 

 

when RULE_INIT {

 

array unset ::user array

 

set ::user { } array

 

set ::blocklist { } array

 

set ::refererlist{ }

 

set ::attacktime 10

 

set ::maxreferer 100

 

set ::holdtime 3 set ::referer }

 

 

when HTTP_REQUEST {

 

set ::referer [HTTP::header Referer]

 

if { ($::referer contains "mrtg") } {

 

if { [ info exists ::blocklist([IP::remote_addr]) ] } {

 

if {$::holdtime > [ expr [clock seconds] - $::blocklist([IP::remote_addr]) ] } {

 

drop log local5. "[IP::remote_addr] is HOLD" return

 

} else {

 

unset ::blocklist([IP::remote_addr]) log local5. "[IP::remote_addr] is released" }

 

}

 

 

 

if{[info exists ::refererlist]}{

 

if{[HTTP::header Referer] equals $::refererlist}{

 

if { [info exists ::user([IP::remote_addr],count)] } {

 

if { $::attacktime > [expr [clock seconds] - $::user([IP::remote_addr],duration)]} {

 

if {$::user([IP::remote_addr],count) > $::maxreferer } {

 

set ::blocklist([IP::remote_addr]) [clock seconds]

 

log local5. "[IP::remote_addr] is blocked"

 

drop

 

return

 

} else {

 

incr ::user([IP::remote_addr],count) 1

 

return

 

}

 

} else {

 

unset ::user([IP::remote_addr],count)

 

unset ::user([IP::remote_addr],duration) }

 

} else {

 

if { 20000 < [array size ::user] } {

 

array unset ::user array set ::user { } }

 

set ::user([IP::remote_addr],count) 1

 

set ::user([IP::remote_addr],duration) [clock seconds]

 

set ::refererlist([HTTP::header Referer]) }

 

}

 

}

 

}

 

}

 

 

 

 

help me please!

 

 

thank you..

 

 

  • Are you on 10.x or 9.x? For 10.x, you'd want to use a subtable to store the Referers instead of a global array. You can use the table command to access and modify a subtable:

     

     

    http://devcentral.f5.com/wiki/default.aspx/iRules/table

     

     

    You'd also want to change ::referer to a local variable as a global variable will be changed by all TCP connections--not just the current connection.

     

     

    Aaron
  • John_Alam_45640's avatar
    John_Alam_45640
    Historic F5 Account
    Here is an example i-rule which uses the tables. This irule counts connections on a per source IP basis. You can change it to count referrers instead.

     

     

     

     

    rule connection_counter {

     

     

    Irule, written by John Alam, Feb 21st, 2011.

     

    This irule counts the connections from a source IP within a time interval. When the number connections

     

    allowed within specified interval is exceeded, a message is logged and the measurement is restarted.

     

     

     

    when RULE_INIT {

     

     

    maxRate is the maximum number of connection an IP address can initiate in windowSecs interval.

     

    set static::maxRate 10

     

     

    WindowSec is the length of an interval in seconds.

     

    set static::windowSecs 10

     

     

    }

     

     

    when CLIENT_ACCEPTED {

     

    set srcip [IP::remote_addr]

     

     

    set currtime [clock second]

     

     

     

    set count [ table lookup -subtable conns $srcip]

     

     

    if { $count > 0 } {

     

     

    set count [incr -subtable Conns $srcip]

     

     

    If frequency is more than ::maxRate send message to log.

     

    Any existing record cannot have been more than windowSecs old.

     

    Count is the number of connections within windowSecs.

     

     

    if { $count > $static::maxRate } {

     

    set elapsed_secs [expr $static::windowSecs - [table timeout -subtable conns -remaining $srcip]]

     

    log "IP address <$srcip> Connected $count times within $elapsed_secs seconds"

     

     

    we must delete and start over otherwise every subsequent new connecton will trigger a log message.

     

     

    table delete -subtable conns $srcip

     

    return

     

    }

     

    } else {

     

    In this clause, either the user is new

     

    or more than ::maxRate connections were established per windowSec and we issued a log message.

     

    Or the lifetime (windowSec) has expired.

     

    We are creating a new record.

     

     

    table set -subtables conns $srcip 1 $static::windowSecs $static::windowSecs

     

    log "New or refreshed user <$srcip> <$currtime> Connections $count interval remaining [table timeout -subtable conns -remaining $srcip]"

     

    }

     

     

     

    }

     

    }
  • thank!!

     

     

    but i need count same Referer T0T

     

     

     

    if max referer is 3,

     

     

    IP 1.1.1.1 Referer is A, B, C, A, A is drop.

     

     

    because A is three~~

     

     

    can i make it?

     

  • thank!!

     

     

    but i need count same Referer T0T

     

     

     

    if max referer is 3,

     

     

    IP 1.1.1.1 Referer is A, B, C, A, A is drop.

     

     

    because A is three~~

     

     

    can i make it?

     

  • Colin_Walker_12's avatar
    Colin_Walker_12
    Historic F5 Account
    Sure, you could take the code above and change it around to count the number of requests from a given referrer ([HTTP::header "referrer"]) and it should work fine. If you have any specific questions on how to make this work let us know.

     

     

    Colin