Forum Discussion

Shay_Ben-David1
Oct 18, 2006

how to log source ip connections?

I have used the iRule to limit connections from one source IP to a VIP in the BIG-IP. This iRule also logs each source IP that opened more than X connections, that the iRule set.

I would like to log the source IP that passes the X connections, and the log should also include how many connections this source opened.

when RULE_INIT {
    array set ::active_clients { }
    # array set takes key/value pairs, so each whitelisted address needs a value;
    # the :: prefix matches the ::white_client lookups below
    array set ::white_client {
        x.x.x.x 1
        y.y.y.y 1
    }
}

when CLIENT_ACCEPTED {
    set client_ip [IP::remote_addr]
    if { [info exists ::active_clients($client_ip)] && ![info exists ::white_client($client_ip)] } {
        if { $::active_clients($client_ip) > 50 } {
            # Over the limit: reject and log the current counter
            reject
            log "Alert! Multiple connections to mysite.com$client_ip ($::active_clients($client_ip))"
            return
        } else {
            incr ::active_clients($client_ip)
        }
    } else {
        set ::active_clients($client_ip) 1
    }
}

when CLIENT_CLOSED {
    set client_ip [IP::remote_addr]
    if { [info exists ::active_clients($client_ip)] && ![info exists ::white_client($client_ip)] } {
        incr ::active_clients($client_ip) -1
        if { $::active_clients($client_ip) <= 0 } {
            unset ::active_clients($client_ip)
        }
    }
}

6 Replies

  • Hi, actually I am asking for help. What happens now with this iRule is that it logs the source IP and the connections, but it logs only the ">50", meaning that it shows in the log only the 51 connections. What I would like is for it to log the real number of connections that this source tries to open. Let's say a source IP is trying to open 2000 simultaneous connections: I want that to be in the log, showing how many connections this source is trying to open.

    Hope this clears up my question.

    Thanks

  • I don't think there is a way to tell how many connections they are trying and block the excess connections, since it will decrement the counter when the connection is rejected (i.e. CLIENT_CLOSED). However, the script below (modified from yours) will generate a warning if the connections exceed the threshold.

    -Shane

    when RULE_INIT {
        array set ::active_clients { }
        # array set takes key/value pairs, so each whitelisted address needs a value;
        # the :: prefix matches the ::white_client lookups below
        array set ::white_client {
            x.x.x.x 1
            y.y.y.y 1
        }
    }

    when CLIENT_ACCEPTED {
        set client_ip [IP::remote_addr]
        if { [info exists ::active_clients($client_ip)] && ![info exists ::white_client($client_ip)] } {
            if { $::active_clients($client_ip) > 50 } {
                # Count the rejected connection too, so the decrement in
                # CLIENT_CLOSED is balanced
                incr ::active_clients($client_ip)
                reject
                log "Alert! $::active_clients($client_ip) connections to mysite.com from $client_ip"
                return
            } else {
                incr ::active_clients($client_ip)
            }
        } else {
            set ::active_clients($client_ip) 1
        }
    }

    when CLIENT_CLOSED {
        set client_ip [IP::remote_addr]
        if { [info exists ::active_clients($client_ip)] && ![info exists ::white_client($client_ip)] } {
            incr ::active_clients($client_ip) -1
            if { $::active_clients($client_ip) <= 0 } {
                unset ::active_clients($client_ip)
            }
        }
    }
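
An added example, not part of the thread and not F5's code: one way to record how many connections a source keeps attempting is to count rejections in a second array that CLIENT_CLOSED never decrements. The names ::rejected_clients, ::conn_limit, ::log_every and the per-connection flag counted are assumptions, and the rule relies on the same v9-style global arrays as the posted rules.

```tcl
# Added example, not from the thread. Assumed names: ::rejected_clients,
# ::conn_limit, ::log_every and the per-connection flag "counted".
when RULE_INIT {
    array set ::active_clients { }
    array set ::rejected_clients { }
    # array set takes key/value pairs; only the keys are looked up
    array set ::white_client {
        x.x.x.x 1
        y.y.y.y 1
    }
    set ::conn_limit 50   ;# same threshold as the posted rule
    set ::log_every 100   ;# log the 1st rejection, then every 100th
}
when CLIENT_ACCEPTED {
    set client_ip [IP::remote_addr]
    if { [info exists ::white_client($client_ip)] } { return }
    if { ![info exists ::active_clients($client_ip)] } {
        set ::active_clients($client_ip) 0
    }
    if { $::active_clients($client_ip) > $::conn_limit } {
        # Over the limit: count the attempt where CLIENT_CLOSED cannot undo it
        if { ![info exists ::rejected_clients($client_ip)] } {
            set ::rejected_clients($client_ip) 0
        }
        set n [incr ::rejected_clients($client_ip)]
        if { $n == 1 || ($n % $::log_every) == 0 } {
            log local0. "Alert! $client_ip has $::active_clients($client_ip) open connections, $n rejected"
        }
        reject
        return
    }
    incr ::active_clients($client_ip)
    set counted 1   ;# connection-local: this connection holds a slot
}
when CLIENT_CLOSED {
    set client_ip [IP::remote_addr]
    # Rejected and whitelisted connections never took a slot
    if { ![info exists counted] || ![info exists ::active_clients($client_ip)] } { return }
    if { [incr ::active_clients($client_ip) -1] <= 0 } {
        unset ::active_clients($client_ip)
        if { [info exists ::rejected_clients($client_ip)] } {
            log local0. "$client_ip closed its last connection after $::rejected_clients($client_ip) rejected attempts"
            unset ::rejected_clients($client_ip)
        }
    }
}
```

Logging only the first and every Nth rejection keeps the log usable while a source is opening thousands of connections; the open count plus the rejected count gives the total attempted.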
  • Thank you very much, it works fine.

    Another thing I want to ask: my web sites are getting lots of DoS attacks, which is why I am using this iRule, and it really helps. The thing is that my nodes are also open to the internet (application requirements), so we are also getting DoS against specific nodes. I tried to use this iRule with the routing VIP (forwarding type VIP) to try to reject node attacks, but this turned out to be useless. My question regarding this issue is whether I can use some kind of iRule to block DoS from going to my nodes, and not only to the VIP?

    Thanks

  • Deb_Allen_18
    Historic F5 Account
    Seems that your iRule would work applied to a forwarding virtual server -- what happens?
  • I tried using it on the forwarding VIP, and all nodes went down. I couldn't investigate it because it's a production system. Do you have any idea why?

    Thanks

  • Deb_Allen_18
    Historic F5 Account
    No clue. That's pretty odd.

    I'm not sure why any node's status would be affected by this iRule, and in this case that is especially noteworthy as no nodes are associated with a forwarding VS.

    I'd say a support case is in order to look into that further...

    /deb