Forum Discussion
bmohanak_276891
Cirrus
Sep 22, 2016
rate limit based on source IP
Dear Folks,
I need to find out how to do some "rate limit" based on source IP address for an LDAP VIP. The issue at stake here is that sometimes the same source IP opens up multiple connections...
Kai_Wilke
MVP
Sep 23, 2016
Hi Bmohanak,
The built-in rate and connection limit capabilities are either per Virtual Server or per Pool Member. So you have to write and deploy an iRule to enforce connection limits per ClientIP.
You may use the iRule below as a starting point. It will create a [table] based counter for each individual Client_IP and create a periodic [log] message if a client has reached its counter. Once you've figured out your desired connection limits, you could enforce the limits by setting the $static::connection_limit_enforment variable to 1.
when RULE_INIT {
    # Maximum number of concurrent connections per client IP
    set static::connection_limit_value 10
    # Lifetime (seconds) of a connection entry in the table
    set static::connection_limit_timeout 86400
    # Minimum interval (seconds) between log messages per client IP
    set static::connection_limit_logging_interval 60
    # 0 = log only, 1 = reject connections over the limit
    set static::connection_limit_enforment 0
}
when CLIENT_ACCEPTED {
    # To remove any existing table entries uncomment the line below...
    # table delete -subtable "Conn_[IP::client_addr]" -all
    if { [set conn_count [table keys -subtable "Conn_[IP::client_addr]" -count]] >= $static::connection_limit_value } then {
        if { [table lookup -notouch "ConnLog_[IP::client_addr]"] eq "" } then {
            log local0.debug "Client: [IP::client_addr] has reached the connection limit of $conn_count"
            table set "ConnLog_[IP::client_addr]" 1 indef $static::connection_limit_logging_interval
        }
        if { $static::connection_limit_enforment } then {
            event disable all
            reject
            return
        }
    }
    table set -subtable "Conn_[IP::client_addr]" [set conn_id [clock clicks]] 1 indef $static::connection_limit_timeout
}
when CLIENT_CLOSED {
    table delete -subtable "Conn_[IP::client_addr]" $conn_id
}
Cheers, Kai
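To size the limit offline before switching enforcement on, the counting logic of the iRule above can be replayed over connection events; this Python model is an added example, not part of Kai's post or F5 code. The `replay` function, the event tuple layout and the sample IPs are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: (time_s, client_ip, conn_id, "open" | "close"), time-ordered.
EVENTS = [
    (0, "192.0.2.10", "a", "open"), (1, "192.0.2.10", "b", "open"),
    (1, "192.0.2.20", "x", "open"), (2, "192.0.2.10", "c", "open"),
    (3, "192.0.2.10", "d", "open"), (4, "192.0.2.10", "a", "close"),
    (5, "192.0.2.20", "x", "close"), (10, "192.0.2.10", "e", "open"),
    (70, "192.0.2.10", "f", "open"),
]

def replay(events, limit=10, timeout=86400, log_interval=60, enforce=False):
    """Hypothetical offline model of the iRule's per-client-IP counter."""
    conns = defaultdict(dict)   # ip -> {conn_id: expiry}, like subtable Conn_<ip>
    log_until = {}              # ip -> end of log suppression, like ConnLog_<ip>
    logs, rejected, peak = [], [], {}
    for t, ip, cid, kind in events:
        live = conns[ip]
        # Entries vanish once their lifetime is over, even without a close event.
        for key in [k for k, expiry in live.items() if expiry <= t]:
            del live[key]
        if kind == "close":
            live.pop(cid, None)          # CLIENT_CLOSED: drop this connection's key
            continue
        if len(live) >= limit:           # CLIENT_ACCEPTED: limit already reached
            if log_until.get(ip, t) <= t:
                logs.append((t, ip, len(live)))
                log_until[ip] = t + log_interval
            if enforce:                  # enforcement on: reject, do not count it
                rejected.append((t, ip, cid))
                continue
        live[cid] = t + timeout
        peak[ip] = max(peak.get(ip, 0), len(live))
    return {"logs": logs, "rejected": rejected, "peak": peak}

if __name__ == "__main__":
    for mode in (False, True):
        print("enforce =", mode, replay(EVENTS, limit=3, enforce=mode))
```

The `peak` values from the log-only run are the per-client numbers to compare against a candidate limit.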
