For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Bruce_Bronczyk's avatar
Bruce_Bronczyk
Icon for Altostratus rankAltostratus
Jun 13, 2014

Randomly unpredictable rate limiting using the iRule iRules.virtual_server_connection_rate_limit_with_tables.ashx

Has anyone used this iRule, https://devcentral.f5.com/wiki/iRules.virtual_server_connection_rate_limit_with_tables.ashx, and seen issues with random rate limiting for some connections well below the ...
application delivery
devops
iRules
LTM
Kevin_Davies_40's avatar
Kevin_Davies_40
Icon for Nacreous rankNacreous
Jun 14, 2014

Try this and let me know how it performs for you...

when CLIENT_ACCEPTED {
   this will give you 20 connections per second per source IP address
  set cid [clock clicks]
  set conns 20
  set rate 1

  table set -subtable [virtual]:[IP::client_addr] $cid 0 indef $rate
  if {[table keys -subtable [virtual]:[IP::client_addr] -count] > $conns} { 
    table delete -subtable [virtual]:[IP::client_addr] $cid
    TCP::close
  }
}

In a BIGIP there will be many other instances of this iRule (one per TCP connection) running at the same time. When we get to the IF condition they could all say they are under the connection limit because they perform the test at the same moment in time.

To allow for this, we allocate the connection entry (table set), then backout (table delete) if we are over the limit (table keys -count). Since the table is always the source of truth, we never exceed the rate limit.

Bruce_Bronczyk's avatar
Bruce_Bronczyk
Icon for Altostratus rankAltostratus
Jun 17, 2014
Thanks for the suggestion. I am not very experienced with editing iRules, so does your suggested change insert into the iRule at a specific spot or does it replace some of the existing iRule below the 'when CLIENT_ACCEPTED' point? Thanks.