Jun 07, 2011

Need to count HTTP header Referer

Hi. I'm from Korea.

I need help.

My company has F5 L7 switches (four!!), but we don't have an iRule engineer.

(Customizing an iRule is very hard!! T0T) I need this iRule:

1. Count all Referers (HTTP::header) and IPs

2. If some Referer is over the limit, drop that IP

I wrote this iRule, but it is wrong!!! T-T




when RULE_INIT {
    # per-client request counters: ::user(<ip>,count) and ::user(<ip>,duration)
    array unset ::user
    array set ::user {}
    # blocked clients: ::blocklist(<ip>) = time the block started
    array set ::blocklist {}
    # every Referer seen so far
    array set ::refererlist {}
    # counting window (seconds), request limit, and block duration (seconds)
    set ::attacktime 10
    set ::maxreferer 100
    set ::holdtime 3
    set ::referer ""
}

when HTTP_REQUEST {
    # note: ::referer is a global, so it is shared by every connection on the box
    set ::referer [HTTP::header Referer]
    if { $::referer contains "mrtg" } {
        if { [info exists ::blocklist([IP::remote_addr])] } {
            if { $::holdtime > [expr {[clock seconds] - $::blocklist([IP::remote_addr])}] } {
                drop
                log local5. "[IP::remote_addr] is HOLD"
                return
            } else {
                unset ::blocklist([IP::remote_addr])
                log local5. "[IP::remote_addr] is released"
            }
        }
        # remember the Referer (this array is written but never read back)
        if { ![info exists ::refererlist($::referer)] } {
            set ::refererlist($::referer) 1
        }
        # note: the counter is keyed on the client IP only, not on the Referer
        if { [info exists ::user([IP::remote_addr],count)] } {
            if { $::attacktime > [expr {[clock seconds] - $::user([IP::remote_addr],duration)}] } {
                if { $::user([IP::remote_addr],count) > $::maxreferer } {
                    set ::blocklist([IP::remote_addr]) [clock seconds]
                    log local5. "[IP::remote_addr] is blocked"
                } else {
                    incr ::user([IP::remote_addr],count) 1
                }
            } else {
                # window expired: forget this client's counter
                unset ::user([IP::remote_addr],count)
                unset ::user([IP::remote_addr],duration)
            }
        } else {
            # cap the array so it cannot grow without bound
            if { 20000 < [array size ::user] } {
                array unset ::user
                array set ::user {}
            }
            set ::user([IP::remote_addr],count) 1
            set ::user([IP::remote_addr],duration) [clock seconds]
        }
    }
}













Help me please!

Thank you..



  • Are you on 10.x or 9.x? For 10.x, you'd want to use a subtable to store the Referers instead of a global array. You can use the table command to access and modify a subtable.

    You'd also want to change ::referer to a local variable, as a global variable will be changed by all TCP connections, not just the current connection.

    Here is an example iRule which uses the tables. This iRule counts connections on a per source IP basis. You can change it to count Referers instead.





    rule connection_counter {
    # iRule, written by John Alam, Feb 21st, 2011.
    # This iRule counts the connections from a source IP within a time interval. When the number of connections
    # allowed within the specified interval is exceeded, a message is logged and the measurement is restarted.

    when RULE_INIT {
        # maxRate is the maximum number of connections an IP address can initiate in a windowSecs interval.
        set static::maxRate 10
        # windowSecs is the length of an interval in seconds.
        set static::windowSecs 10
    }

    # (the event line was lost in extraction; CLIENT_ACCEPTED is the natural event for counting connections)
    when CLIENT_ACCEPTED {
        set srcip [IP::remote_addr]
        set currtime [clock seconds]

        # table lookup returns an empty string when the key is absent
        set count [table lookup -subtable conns $srcip]
        if { $count > 0 } {
            set count [table incr -subtable conns $srcip]
            # If the frequency is more than static::maxRate, send a message to the log.
            # Any existing record cannot be more than windowSecs old.
            # count is the number of connections within windowSecs.
            if { $count > $static::maxRate } {
                # lookup and incr reset the idle timeout, so measure against the remaining lifetime instead
                set elapsed_secs [expr {$static::windowSecs - [table lifetime -subtable conns -remaining $srcip]}]
                log "IP address <$srcip> connected $count times within $elapsed_secs seconds"
                # We must delete and start over, otherwise every subsequent new connection will trigger a log message.
                table delete -subtable conns $srcip
            }
        } else {
            # In this clause, either the user is new,
            # or more than static::maxRate connections were established per windowSecs and we issued a log message,
            # or the lifetime (windowSecs) has expired.
            # We are creating a new record.
            table set -subtable conns $srcip 1 $static::windowSecs $static::windowSecs
            log "New or refreshed user <$srcip> <$currtime> Connections $count interval remaining [table lifetime -subtable conns -remaining $srcip]"
        }
    }
    }








  • Thanks!!

    But I need to count the same Referer. T0T

    If max referer is 3,

    and one IP's Referers are A, B, C, A, A, then it is dropped,

    because A is three~~

    Can I make it?


    Sure, you could take the code above and change it around to count the number of requests from a given Referer ([HTTP::header "Referer"]) and it should work fine. If you have any specific questions on how to make this work, let us know.
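Putting the two halves of the advice above together, here is an added example (my own code, not from the original thread and not John Alam's iRule) of the counter keyed on the client IP and Referer pair, with the hold period the original poster wanted. It assumes BIG-IP 10.1 or later for the table command and the static:: namespace; the subtable names (referers, blocked), the limits and the local5 log facility are my own choices, and the "|" separator in the key assumes Referer values do not contain that character.

```tcl
# Added example, not from the original thread: count requests per
# (client IP, Referer) pair in a fixed window and drop the client for a
# hold period once any single Referer reaches the limit.
when RULE_INIT {
    # requests carrying the same Referer one client may send within
    # static::windowSecs; the request that reaches the limit is dropped
    # (with 3: A, B, C, A, A -> the third A is dropped, as in the thread)
    set static::maxReferer 100
    # length of the counting window in seconds
    set static::windowSecs 10
    # how long a blocked client stays blocked, in seconds
    set static::holdSecs 3
}

when HTTP_REQUEST {
    set srcip [IP::remote_addr]

    # 1. Honour an existing block. The entry expires on its own after
    #    holdSecs, so there is no "release" branch to write by hand.
    if { [table lookup -subtable blocked $srcip] ne "" } {
        log local5. "$srcip is HOLD"
        drop
        return
    }

    # Requests without a Referer are not rate limited here.
    set referer [HTTP::header value Referer]
    if { $referer eq "" } { return }

    # 2. Count per (client IP, Referer). Keying on the pair means the
    #    same Referer from two clients is counted separately, and one
    #    client spreading requests over many Referers (A, B, C) is not
    #    blocked, which is what the thread asked for.
    set key "$srcip|$referer"
    set count [table lookup -subtable referers $key]
    if { $count eq "" } {
        # first request for this pair: no idle timeout, absolute lifetime
        # of windowSecs, so the entry disappears when the window ends
        table set -subtable referers $key 1 indefinite $static::windowSecs
        set count 1
    } else {
        # incr keeps the original lifetime: the window is fixed, not sliding
        set count [table incr -subtable referers $key]
    }

    # 3. Limit reached for this Referer: block the IP for holdSecs and
    #    delete the counter so the next window starts clean after release.
    if { $count >= $static::maxReferer } {
        table set -subtable blocked $srcip $referer indefinite $static::holdSecs
        table delete -subtable referers $key
        log local5. "$srcip is blocked: $count requests with Referer \"$referer\" within $static::windowSecs s"
        drop
        return
    }
}
```

Two caveats worth keeping in mind before deploying something like this. The Referer value is entirely under the client's control, so this is a nuisance limiter, not an identity check: a client that changes the Referer on every request is never blocked by the per-Referer count, and a client can create one subtable entry per distinct Referer it sends. The absolute lifetime on every entry is what keeps that growth bounded, which is why the example never uses the `indefinite` lifetime on the counter and never tries to reproduce the "flush the whole array at 20000 entries" workaround from the original global-array version.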