Forum Discussion
rate limit based on source IP
Dear Folks,
I need to find out how to do some "rate limiting" based on source IP address for an LDAP VIP. The issue at stake here is that sometimes the same source IP opens up multiple connections to the LDAP VIP, which is causing high CPU on one or more of the pool members.
At any given time, the number of connections from the same source should not exceed this limit
My questions are:
1. Is there a way to track the connections based on source IP for a period of one week?
2. How can I implement this concept of rate limiting based on source IP?
Thanks for the Help Balaji
1 Reply
Hi Bmohanak,
The built-in rate and connection limit capabilities are either per Virtual Server or per Pool Member, so you have to write and deploy an iRule to enforce a connection limit per client IP.

You may use the iRule below as a starting point. It will create a table-based counter for each individual client IP and write a periodic log message if a client has reached its counter. Once you've figured out your desired connection limits, you could enforce the limits by setting the $static::connection_limit_enforment variable to 1.

    when RULE_INIT {
        # Maximum number of concurrent connections allowed per client IP
        set static::connection_limit_value 10
        # Lifetime (seconds) of a connection entry in the session table; 86400 = 24 h
        # (use 604800 to keep entries for one week). The entry is removed earlier
        # when CLIENT_CLOSED fires for that connection.
        set static::connection_limit_timeout 86400
        # Minimum interval (seconds) between log messages for the same client IP
        set static::connection_limit_logging_interval 60
        # 0 = log only, 1 = log and reject connections above the limit
        set static::connection_limit_enforment 0
    }
    when CLIENT_ACCEPTED {
        # To remove any existing table entries uncomment the line below...
        # table delete -subtable "Conn_[IP::client_addr]" -all
        # Count the live connection entries in this client's subtable
        if { [set conn_count [table keys -subtable "Conn_[IP::client_addr]" -count]] >= $static::connection_limit_value } then {
            # Log at most once per logging interval per client IP
            if { [table lookup -notouch "ConnLog_[IP::client_addr]"] eq "" } then {
                log local0.debug "Client: [IP::client_addr] has reached the connection limit of $conn_count"
                table set "ConnLog_[IP::client_addr]" 1 indef $static::connection_limit_logging_interval
            }
            if { $static::connection_limit_enforment } then {
                # Reject the connection and stop processing further events for it
                event disable all
                reject
                return
            }
        }
        # Record this connection; the key is a timestamp in clock ticks, which is
        # assumed to be unique per connection. The entry expires after the configured
        # lifetime even if CLIENT_CLOSED never fires.
        table set -subtable "Conn_[IP::client_addr]" [set conn_id [clock clicks]] 1 indef $static::connection_limit_timeout
    }
    when CLIENT_CLOSED {
        # Release this connection's slot when it closes
        table delete -subtable "Conn_[IP::client_addr]" $conn_id
    }

Cheers, Kai
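The following is an added example, not part of the original thread and not F5 code: an offline Python model of the limiter logic in the iRule above (a per-client-IP subtable of connection entries with a lifetime, a per-client log message that is rate limited, and an enforcement switch), so the limit, entry lifetime and logging interval can be exercised against constructed traffic before deploying. The class and function names, the traffic in scenario() and the client IPs are all assumptions made for this example; time is passed in explicitly instead of read from a clock so the expiry behaviour can be checked deterministically.

```python
"""Offline model of a per-client-IP concurrent-connection limiter.

Mirrors the iRule's behaviour: CLIENT_ACCEPTED counts the live entries in the
client's subtable, logs (at most once per log_interval per client) when the
limit is reached, rejects only when enforcement is on, and otherwise adds an
entry that expires after entry_lifetime seconds even if CLIENT_CLOSED never
fires. Example code, not part of the original post.
"""
from collections import defaultdict


class ConnLimiter:
    def __init__(self, limit=10, entry_lifetime=86400, log_interval=60,
                 enforce=False):
        self.limit = limit                  # static::connection_limit_value
        self.entry_lifetime = entry_lifetime  # static::connection_limit_timeout
        self.log_interval = log_interval    # static::connection_limit_logging_interval
        self.enforce = enforce              # static::connection_limit_enforment
        self._conns = defaultdict(dict)     # client_ip -> {conn_id: expiry time}
        self._log_until = {}                # client_ip -> time until logging is suppressed
        self.log_lines = []                 # what the iRule would write to local0

    def _purge(self, ip, now):
        """Drop entries whose lifetime elapsed (the table lifetime reclaims slots
        of connections that were never cleaned up by CLIENT_CLOSED)."""
        live = self._conns[ip]
        for cid in [c for c, exp in live.items() if exp <= now]:
            del live[cid]

    def count(self, ip, now):
        """Number of live connection entries for this client IP."""
        self._purge(ip, now)
        return len(self._conns[ip])

    def client_accepted(self, ip, conn_id, now):
        """CLIENT_ACCEPTED: returns 'accept' or 'reject'."""
        conn_count = self.count(ip, now)
        if conn_count >= self.limit:
            if self._log_until.get(ip, 0) <= now:
                self.log_lines.append(
                    f"t={now:.0f} Client: {ip} has reached the connection limit of {conn_count}")
                self._log_until[ip] = now + self.log_interval
            if self.enforce:
                return "reject"
        # Log-only mode still records the connection, so the count keeps growing
        self._conns[ip][conn_id] = now + self.entry_lifetime
        return "accept"

    def client_closed(self, ip, conn_id):
        """CLIENT_CLOSED: release the slot for a connection that closed cleanly."""
        self._conns[ip].pop(conn_id, None)


def scenario(enforce):
    """Constructed traffic (not captured data): client 10.0.0.5 opens 12 connections
    one second apart, closes one, reconnects, retries after the log interval, then
    returns after every earlier entry has aged out. A second client checks that
    the counters are per IP."""
    lim = ConnLimiter(limit=10, entry_lifetime=3600, log_interval=60, enforce=enforce)
    ip = "10.0.0.5"
    decisions = [lim.client_accepted(ip, f"c{i}", now=float(i)) for i in range(12)]
    other_ip = lim.client_accepted("10.0.0.6", "x0", now=11.0)
    lim.client_closed(ip, "c0")                                  # frees one slot
    after_close = lim.client_accepted(ip, "c12", now=20.0)
    second_burst = lim.client_accepted(ip, "c13", now=75.0)      # log interval elapsed
    late = lim.client_accepted(ip, "c14", now=3700.0)            # earlier entries expired
    return {
        "decisions": decisions,
        "other_ip": other_ip,
        "after_close": after_close,
        "second_burst": second_burst,
        "late": late,
        "log_lines": lim.log_lines,
        "live_after_late": lim.count(ip, 3700.0),
    }


if __name__ == "__main__":
    for enforce in (False, True):
        r = scenario(enforce)
        print(f"enforce={enforce}: decisions={r['decisions']} late={r['late']} "
              f"live_after_late={r['live_after_late']}")
        for line in r["log_lines"]:
            print("  ", line)
```

Running scenario(True) shows the 11th and 12th connections rejected with a single log line, the reconnect after a close accepted, a second log line only once the 60 s logging interval has passed, and the client admitted again once the 3600 s entry lifetime has reclaimed every earlier slot; scenario(False) accepts everything and only logs, which is what the iRule does until the enforcement variable is set to 1.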