Forum Discussion
Randomly unpredictable rate limiting using the iRule iRules.virtual_server_connection_rate_limit_with_tables.ashx
Thanks very much Kevin. Our early testing looks good. Will keep you posted.
One question for you. If we have multiple VIPs with this iRule applied, will the table be different for each VIP, or shared?
Example: source IP 1.2.3.4.
We want 1.2.3.4 to have 20 connections/sec to VIP 1 and 20 connections/sec to VIP 2.
Will it work that way, or will it only allow 20 connections from that source IP total?
We added a few tweaks for TCP::respond and logging.
when CLIENT_ACCEPTED {
    set static::whitelist_class vsratelimit_whitelist_class
    if {[class match [IP::client_addr] equals vsratelimit_whitelist_class]} {
        return
    }
    # this will give you 20 connections per second per source IP address
    set cid [clock clicks]
    set conns 10
    set rate 1
    set key "[IP::client_addr]:[TCP::client_port]"
    set current [table keys -subtable [virtual]:[IP::client_addr] -count]
    table set -subtable [virtual]:[IP::client_addr] $cid 0 indef $rate
    if {$current > $conns} {
        table delete -subtable [virtual]:[IP::client_addr] $cid
        log local0. "$key: Connection to [IP::local_addr]:[TCP::local_port]\
            ([virtual name]). At limit, rejecting (current: $current / max: $conns)"
        TCP::respond "Your request is being rate limited. Please reduce the frequency of your requests and try again later"
        TCP::close
    }
}

thanks, Ben
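Added example, not part of the post above and not F5 code: a small Python model of the counting the posted iRule performs, showing how the subtable name `[virtual]:[IP::client_addr]` scopes the count and where the `>` comparison puts the cut-off. It assumes `[virtual]` evaluates to the virtual server's name and that an entry set with `indef $rate` expires `$rate` seconds after insertion; `SubtableModel`, `client_accepted`, `simulate` and the VIP names are hypothetical.

```python
class SubtableModel:
    """Stand-in for the session table: subtable name -> {entry key: expiry time}."""

    def __init__(self):
        self._subtables = {}

    def count(self, subtable, now):
        # Like `table keys -subtable <name> -count`: only unexpired entries count.
        live = {k: exp for k, exp in self._subtables.get(subtable, {}).items()
                if exp > now}
        self._subtables[subtable] = live
        return len(live)

    def set(self, subtable, key, lifetime, now):
        # Like `table set -subtable <name> $cid 0 indef $rate` (lifetime = $rate).
        self._subtables.setdefault(subtable, {})[key] = now + lifetime

    def delete(self, subtable, key):
        self._subtables.get(subtable, {}).pop(key, None)


def client_accepted(table, virtual, client_ip, cid, now, conns=10, rate=1):
    """Mirror the CLIENT_ACCEPTED logic of the posted iRule; True means accepted."""
    subtable = f"{virtual}:{client_ip}"   # the count is scoped per VIP *and* per source IP
    current = table.count(subtable, now)  # counted before this connection is added
    table.set(subtable, cid, rate, now)
    if current > conns:                   # same comparison as the iRule
        table.delete(subtable, cid)
        return False
    return True


def simulate(virtual_names, client_ip="1.2.3.4", attempts=30, conns=10, rate=1):
    """Send `attempts` connections to each VIP inside one rate window (constructed input)."""
    table, accepted, cid = SubtableModel(), {}, 0
    for i in range(attempts):
        now = i * 0.001
        for v in virtual_names:
            cid += 1
            if client_accepted(table, v, client_ip, cid, now, conns, rate):
                accepted[v] = accepted.get(v, 0) + 1
    return accepted


if __name__ == "__main__":
    print(simulate(["vip1", "vip2"]))
```

In this model each VIP accepts 11 connections per window for the same source IP, independently of the other: the count is keyed by virtual server name, and `$current > $conns` lets one connection beyond `conns` through.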