Universal Persistence with X-forwarder

Hi,

You need to create this DATAGROUP :

tmsh create ltm data-group internal URI_LIST_TO_LIMIT type string records add { "/uri" }

This is a datagroup used to define the URIs you would like to filter.

This irule works on a Standard VS with HTTP profile applied. HTTP_REQUEST event doesn't works for L4 VS.

Hi Yann

Thanks, I'll create the data group. But will this prevent when I test using continuous telnet to IP/port 443, using a perl script? My intention is to limit connections below 20K, from each source IP, to that specific VS, running on port 443.

So, will your code only allow and rate limit URIs and reject everything else such as telnet sessions? The assumption is URIs are valid and legitimate and any other connection attempt on Layer 4 maybe considered as a DOS, right?

Regards,

Sumanta.

Hi Yann

In that case, how would I modify for L4 VS? I have 2 standard VS, where I can apply this i-rule, but how should I modify for L4 VS?

I am trying to test the rate limit by running a perl script which simulates telnet to IP/port. The inbuilt rate limit configuration only support per virtual server which would not server my purpose. The other options which I had tried is connections per second. Probably, I have to use CLIENT_ACCEPTED, but how to rate limit, in this case?

Regards,

Sumanta.

Will this work, just referred to some code in dc?

https://devcentral.f5.com/codeshare?sid=595

when RULE_INIT {

     set static::maxReqs 20000;

     set static::timeout 1800;

}

     when CLIENT_ACCEPTED {

          set client_IP_addr [IP::client_addr]

             set getcount [table lookup -notouch "$client_IP_addr:[IP::client_addr]"]

              if { $getcount equals "" } {

               table set "$client_IP_addr:[IP::client_addr]" "1" $static::timeout $static::timeout

          } else {

                 if { $getcount < $static::maxReqs } {

                  table incr -notouch "$client_IP_addr:[IP::client_addr]"

               } else {

                  reject
             }
         }
     }
  }

Hi,

Please find below a modified version of your irule :

when RULE_INIT {
     set static::maxReqs 20000;
     set static::timeout 1800;
}

when CLIENT_ACCEPTED {
    set client_IP_addr [IP::client_addr]
    set getcount [table lookup -notouch "$client_IP_addr"]
    if { $getcount equals "" } {
        table set "$client_IP_addr" "1" $static::timeout $static::timeout
    } else {
        if { $getcount < $static::maxReqs } {
            table incr -notouch "$client_IP_addr"
        } else {
            reject
        }
    }
}

The bad point with this kind of low level irules is that we cannot identify real IP addresses but only last hop before a NAT occurred. This may impact many users at the same times by rejecting a single IP.

Hi Yann

Thanks for your time, I have already made that assumption, so I have kept 20K limit on each source IP, since each of that source IP can have multiple real IPs hidden behind it. It is an assumption, but I can't change L4 fast to http profile to use your older i-rule. Don't have much choice here.

In case this last one which you mentioned works, then it would be ideal for the L4 VS and I'll use the older code you gave earlier for my other two standard VS, with universal persistence and XFF.

Regards,

Sumanta.