Rate Limit

From Tech-Wiki
Revision as of 18:51, 20 May 2019 by Fabricio.Lima (Talk | contribs) (Created page with "Category:F5 Networks '''Back to iRules''' when HTTP_REQUEST { #timeoutvalue is how long requests stay in the auth attempts table set timeoutva...")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Back to iRules

when HTTP_REQUEST {
 #timeoutvalue is how long requests stay in the auth attempts table
 set timeoutvalue 30
 #maxattempts is the number of requests that can happen within the timeoutvalue before being shunned
 set maxattempts 20
 #shuntimeout is the time that the source IP will be blocked once it gets shunned
 set shuntimeout 60

 #reset every request if in shun table
 if { [table lookup -subtable "shun" [IP::client_addr]] > 0 } {
  table incr -subtable "shun" [IP::client_addr]
  set totaldrops [table lookup -subtable "shun" [IP::client_addr]]
  reject
  #log local0. "SHUN - Reset connection from [IP::client_addr] - Total: $totaldrops"
  return
 }

 if { ( [string tolower [HTTP::uri]] equals "/auth/login" ) } {
   #placeholder- send back fake auth response if in shun table

  #create large random number to act as an approx unique key - key collisions are not too detrimental
  set randkey [expr { int(100000000 * rand()) } ]
  #log local0. "URI match: created random key $randkey, adding to subtable for [IP::client_addr]"
  table set -subtable [IP::client_addr] $randkey 1 $timeoutvalue

  if { [table keys -subtable [IP::client_addr] -count] > $maxattempts} {
   log local0. "auth rate exceeded for [IP::client_addr], adding IP to shun table. Will unblock if no new conns for $shuntimeout seconds"
   #add source IP to the shun table with value of 1
   #note, this specific request was not blocked, but new connections from same src IP will be blocked on next request
   table set -subtable "shun" [IP::client_addr] 1 $shuntimeout
  }
 }
}