Forum Discussion

Sumanta_88744's avatar
Sumanta_88744
Icon for Cirrus rankCirrus
Jun 11, 2016

Universal Persistence with X-forwarder

Hi Experts   Can I use Universal persistence using x-forwarder with i-rule? I would have each x-forwarded IP stick to the same back-end pool member. Will this work? Can you please share code? Any ...
application delivery
cloud
iRules
LTM
  • Yann_Desmarest_'s avatar
    Yann_Desmarest_
    Jul 20, 2016

    A formatted version of the "Per VS" rate limiting. You can apply the same irule to all standard VS using UIE persistence.

     

    when RULE_INIT {
    set static::maxReqs 3;
    set static::timeout 60;
}

when HTTP_REQUEST {
        set vs [URI::basename [virtual]]
        if { [HTTP::header exists "X-Forwarded-For"] } {
            set client_IP_addr [getfield [lindex  [HTTP::header values "X-Forwarded-For"]  0] "," 1]
        } else {
            set client_IP_addr [IP::client_addr]
        }
        if { ([HTTP::method] eq "GET") and ([class match [string tolower [HTTP::uri]] ends_with $vs_URI_LIST_TO_LIMIT] ) } {

            whitelist
            if { [class match [IP::client_addr] equals $vs_ips_whitelist] }{
               return
            }
            set getcount [table lookup -notouch "$vs_$client_IP_addr:[HTTP::uri]"]
            if { $getcount equals "" } {
                table set "$vs_$client_IP_addr:[HTTP::uri]" "1" $static::timeout $static::timeout
            } else {
                if { $getcount < $static::maxReqs } {
                    table incr -notouch "$vs_$client_IP_addr:[HTTP::uri]"
                } else {
                    reject
                }
            }
        }
        persist uie $clientip 
}

when HTTP_RESPONSE { 
    persist add uie $clientip 
}

     

Sumanta_88744's avatar
Sumanta_88744
Icon for Cirrus rankCirrus

Hi Kai

 

Thanks for the updated codes. I got some reference from DC and used the below code. Till now it appears to work fine and meet my requirements.

 

when CLIENT_ACCEPTED {
  set tbl "connlimit:[IP::client_addr]"
  set key "[TCP::client_port]"
  table set -subtable $tbl $key "ignored" 180
  if { [table keys -subtable $tbl -count] > 30000 } {
    table delete -subtable $tbl $key
    event CLIENT_CLOSED disable
    reject
  } else {
    set timer [after 1260 -periodic { table lookup -subtable $tbl $key }]
  }
}
when CLIENT_CLOSED {
  after cancel $timer
  table delete -subtable $tbl $key
}
}

Let me see how far it lasts the DOS attack tests. Probably, I'll get to test your code later on.

 

Regards,

 

Sumanta.

 

Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Aug 18, 2016

Hi Sumanta,

 

This code implements a tracking of concurrent TCP sessions from a single client. It counts every new TCP session in a subtable, refreshes the table entries on a periodic interval and finally removes the table entries if a session is closed.

 

In my optinion this code shouldn't be used to track high numbers of concurrent connections, since each single TCP connection will be stored in the session table (requires RAM) and will be refreshed on a periodic interval (requires CPU). In addition this iRule seems to have way to agressive periodic refresh intervals for maintaning the existing session table entires!? (aka. every 1280 milliseconds for every single TCP connection)

 

A maximum of 30.000 concurrent TCP connections for each single spammer, will cause your LTM to execute additional ~24.000 table calls each second... Multiply this during a typical DDoS scenario and it will even have the potential to create a nuclear fission in your data center... :-(

 

In the end it strongly depends what kind of DoS protection are you looking for (e.g. tracking of conncurrent connections, new connections per timeframe, tracking on each individual URI, etc.)?

 

Cheers, Kai