For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Angelo's avatar
Angelo
Icon for Nimbostratus rankNimbostratus
Mar 04, 2013

XML throttling and firewalling

Hi

 

I am looking for a way to throttle XML requests to a SOA environment and to reject certain content that does not match a certain critiria. the throttling i found something on dev central code share https://devcentral.f5.com/wiki/irules.httprequestthrottle.ashx but i don't undersand it completely. is there a way that i can write a irule to do both throttle and do the reject....

 

 

thank you

 

application delivery
dev
devops
iRules

1 Reply

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Mar 09, 2013
    i am not familiar with xml. anyway, i think you may start from Blocking DNS Flood Attacks example in article below.

     

     

    v10.1 - The table Command - Examples by Spark

     

    https://devcentral.f5.com/tech-tips/articles/v101-the-table-command-examples

     

     

    this is non-tested code. what it does is it counts request per second per client ip. when it exceeds 100 requests per second (static::maxquery), the client ip will be hold for 600 seconds (static::holdtime). if the request does not exceed, we will collect request payload and reject if it contains searching string (static::search_string).

     

     

    in case if you want to limit request per second globally (not per client ip), you just change srcip variable to static value (instead of client ip).

     

     

    when RULE_INIT {
  set static::maxquery 100
  set static::holdtime 600
  set static::search_string "whatever string"
}
when HTTP_REQUEST {
  if { [HTTP::header Content-Type] equals "text/xml" } { 

    set srcip [IP::remote_addr]
    if { [table lookup -subtable "blacklist" $srcip] != "" } {
      drop
      return
    }
    set curtime [clock second]
    set key "count:$srcip:$curtime"
    set count [table incr $key]
    table lifetime $key 2
    if { $count > $static::maxquery } {
      table add -subtable "blacklist" $srcip "blocked" indef $static::holdtime
      table delete $key
      drop
      return
    }

    if { [HTTP::header "Content-Length"] ne "" and [HTTP::header "Content-Length"] <= 1048576 } {
      set content_length [HTTP::header "Content-Length"]
    } else {
      set content_length 1048576
    }
    if { $content_length > 0 } {
      HTTP::collect $content_length
    }

  }
}
when HTTP_REQUEST_DATA {
  if { [HTTP::payload] contains $static::search_string } {
    reject
  }
}