Technical Forum

HTTP Post Flood mitigation with LTM

raydakis
Altostratus

Hello,

I'm using TMOS 16.1.4 with the LTM module only.

I want to block IP addresses if HTTP POST requests to the login page go over some limit in a specified period of time.
For example, if a user sends 10 HTTP POST requests in 30 s.

Is it possible to use an iRule or local traffic policies to mitigate these HTTP POST flood attacks?

Thanks,

1 ACCEPTED SOLUTION

Hi, here is your overly complicated iRule 😉

when RULE_INIT {
    # Allow at most maxReqs POSTs per client within a window of timeout seconds.
    set static::maxReqs 10
    set static::timeout 30
}

when HTTP_REQUEST {
    if { [string tolower [HTTP::method]] equals "post" } {

        # Key the counter on the first address of the first X-Forwarded-For header,
        # falling back to the TCP peer address. XFF is client-supplied, so it is only
        # trustworthy when a proxy you control sets it in front of the LTM.
        if { [HTTP::header exists X-Forwarded-For] } {
            set client_IP_addr [getfield [lindex [HTTP::header values X-Forwarded-For] 0] "," 1]
        } else {
            set client_IP_addr [IP::client_addr]
        }

        # -notouch: reading the counter must not extend its timeout.
        set getcount [table lookup -notouch $client_IP_addr]
        if { $getcount equals "" } {
            # No record for this client yet: start one that lives for exactly
            # $static::timeout seconds (timeout and lifetime); the request is allowed.
            table set $client_IP_addr "1" $static::timeout $static::timeout
        } else {
            if { $getcount < $static::maxReqs } {
                # Record exists and the client is still under the limit: count it and allow.
                table incr -notouch $client_IP_addr
            } else {
                # Limit reached: reject every further POST until the record expires.
                HTTP::respond 403 content {
                    <html>
                    <head><title>HTTP Request denied</title></head>
                    <body>Your HTTP POST requests are being throttled.</body>
                    </html>
                }
            }
        }
    }
}

Credits for this iRule goes to F5. It's a slightly modified version of the iRule that can be found here: https://irules-http.readthedocs.io/en/latest/class2/module1/lab2.html

Have fun,

     --Niels

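A hardened variant of the accepted iRule, added here as an example; it is not code from the original post or from the F5 lab it was adapted from. It keeps the same fixed-window counter but scopes the check to the login URI the question asks about, keeps the counters in a dedicated subtable so the keys cannot collide with other iRules' table entries, honours X-Forwarded-For only when the TCP peer is a proxy listed in an address data group (otherwise a client can put a fresh XFF value on every request and get a fresh counter each time), and answers with 429 plus Retry-After instead of 403. The path `/login`, the data group name `trusted_proxies`, the subtable name `post_flood` and the 10-per-30 s limit are assumptions to adapt.

```tcl
# Added example (not from the original post): throttle POSTs to the login page per client.
when RULE_INIT {
    # Assumed policy values; tune per application.
    set static::pf_max_posts 10
    set static::pf_window    30
    set static::pf_login_uri "/login"
    set static::pf_subtable  "post_flood"
}

when HTTP_REQUEST {
    # Police only POSTs to the login page; everything else passes untouched.
    if { [HTTP::method] ne "POST" || [string tolower [HTTP::path]] ne $static::pf_login_uri } {
        return
    }

    # Key on the TCP peer address by default. X-Forwarded-For is client-supplied, so it
    # is only honoured when the peer is in the (assumed) address data group
    # "trusted_proxies". Take the LAST address in the header: that is the one the
    # trusted proxy appended, earlier entries are whatever the client sent.
    set key [IP::client_addr]
    if { [class match [IP::client_addr] equals trusted_proxies] && [HTTP::header exists "X-Forwarded-For"] } {
        set xff [string trim [lindex [split [join [HTTP::header values "X-Forwarded-For"] ","] ","] end]]
        if { $xff ne "" } {
            set key $xff
        }
    }

    # Fixed window: the entry is created with timeout and lifetime both equal to the
    # window, and -notouch on later hits stops them from extending it.
    set count [table lookup -notouch -subtable $static::pf_subtable $key]
    if { $count eq "" } {
        table set -subtable $static::pf_subtable $key 1 $static::pf_window $static::pf_window
        return
    }
    if { $count < $static::pf_max_posts } {
        table incr -notouch -subtable $static::pf_subtable $key
        return
    }

    # Over the limit. Bump the counter once more so the log line fires only once per
    # window, then reject with 429 and tell the client when it may retry.
    if { $count == $static::pf_max_posts } {
        table incr -notouch -subtable $static::pf_subtable $key
        log local0. "POST flood: $key exceeded $static::pf_max_posts POSTs to $static::pf_login_uri within $static::pf_window s"
    }
    HTTP::respond 429 content "Too many login attempts. Try again later.\n" \
        "Content-Type" "text/plain" \
        "Retry-After" $static::pf_window \
        "Connection" "close"
}
```

Create `trusted_proxies` as an address-type data group before saving the iRule (the `class match` reference fails validation otherwise) and leave it empty if nothing in front of the LTM sets X-Forwarded-For. The log line lands in /var/log/ltm, which is the quickest way to confirm the limit is being hit during a lab test.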

3 REPLIES

Paulius
MVP

@raydakis I'm sure some sort of overly complicated iRule that would end up using more resources than it should can probably be created, but ultimately this should be handled by a different device, or possibly ASM, instead. This article might assist you in your task.

https://my.f5.com/manage/s/article/K14235020

Hello Niels,

I'll try this iRule in my lab environment this week.

Thanks 👍

raydakis