Forum Discussion

Nimbostratus

Mar 04, 2016

Please help me rewrite an iRule from Ver 9 to version 11.6 (How to detect excessive connections)

I used to use this rule (which I grabbed from here) on version 9 to detect and alert on IP addresses making excessive connection to VIPs. I was wondering if anyone could help me optimize it for versi...

MVP

Mar 09, 2016

Hi Misty,

to show your clients a friendly error page you could try the iRule below...

when RULE_INIT { 
    set static::client_timeout 300                      ; Seconds
    set static::conn_limit_site "http://somesite.de/"   ; URL
} 
when CLIENT_ACCEPTED { 
    if { [class match [IP::client_addr] equals ALLOWED_IP_DATAGRROUP] } then {
        set is_filtered 0
        set is_blocked 0
    } else {
        set is_filtered 1
        if { [set result [table incr "conn_[IP::client_addr]"]] > 50 } then {
            log local0.debug "Alert: $result connections to mysite.com from [IP::client_addr]"
            set is_blocked 1
            return
        } elseif { $result == 1 } then {
            table timeout "conn_[IP::client_addr]" $static::client_timeout
        }
        log local0.debug "Info: $result connections to mysite.com from [IP::client_addr]"
        set is_blocked 0
    }
}
when HTTP_REQUEST {
    if { $is_blocked } then {
        HTTP::redirect "$static::conn_limit_site?conn=$result"
        TCP::close
    }
}
when CLIENT_CLOSED {
    if { $is_filtered } then {
        table incr "conn_[IP::client_addr]" -1 
    }
}

Update: Added a TCP::close after HTTP::redirect

Cheers, Kai

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)