Forum Discussion

Nimbostratus

Mar 04, 2016

Please help me rewrite an iRule from Ver 9 to version 11.6 (How to detect excessive connections)

I used to use this rule (which I grabbed from here) on version 9 to detect and alert on IP addresses making excessive connection to VIPs. I was wondering if anyone could help me optimize it for versi...

MVP

Mar 06, 2016

Hi Misty,

a CMP-friendly version (e.g. using the [table] and [class] command) of your provided logic would look like this...

Datagroup:

ltm data-group internal ALLOWED_IP_DATAGRROUP {
    records {
        10.0.0.0/8 { }
        172.12.0.0/12 { }
        192.168.0.0/16 { }
    }
    type ip
}

iRule Code:

when RULE_INIT { 
    set static::client_timeout 300      ;seconds
} 
when CLIENT_ACCEPTED { 
    if { [class match [IP::client_addr] equals ALLOWED_IP_DATAGRROUP] } then {
        set is_filtered 0
    } else {
        set is_filtered 1
        if { [set result [table incr "conn_[IP::client_addr]"]] > 50 } then {
            log local0.debug "Alert: $result connections to mysite.com from [IP::client_addr]"
             reject
            return
        } elseif { $result == 1 } then {
            table timeout "conn_[IP::client_addr]" $static::client_timeout
        }
        log local0.debug "Info: $result connections to mysite.com from [IP::client_addr]"
    }
} 
when CLIENT_CLOSED {
    if { $is_filtered } then {
        table incr "conn_[IP::client_addr]" -1 
    }
}

Cheers, Kai

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)