Forum Discussion
Kai_Wilke
Jan 31, 2018 (MVP)
Hi Ryan,
The problem with your iRule is that it would DoS your entire application once
[table keys -subtable conns -count]
has reached its configured limit. Even an [IP::client_addr]
which has been allowed before will become blocked.
You may take a look at the iRule below to see how I would solve the puzzle. My iRule would allow the already known
[IP::client_addr]
until their [table -subtable]
entry expires and then allow another [IP::client_addr]
to access the application until its entry expires...
when RULE_INIT {
    set static::ip_limit 2000
    set static::ip_timeout 900
}
when CLIENT_ACCEPTED {
    set hsl [HSL::open -proto UDP -pool syslog-servers.pool]
}
when HTTP_REQUEST {
    # Delete all IPs (kept disabled: running this on every request would flush every tracked client)
    #table delete -subtable conns -all
    if { [table lookup -subtable conns [IP::client_addr]] ne "" } then {
        # The client is currently known in the table.
        # The lookup has already refreshed the client's table entry (its idle timeout is touched).
        # Allow the request...
    } elseif { [table keys -subtable conns -count] < $static::ip_limit } then {
        # The client is not known in the table.
        # The connection limit has not been reached.
        # Create a new entry for the client (idle timeout $static::ip_timeout, indefinite lifetime).
        table set -subtable conns [IP::client_addr] 1 $static::ip_timeout indef
        # Allow the request...
    } else {
        # The client is not known in the table.
        # The connection limit has been reached.
        # Log the request...
        HSL::send $hsl ":: Source IP limit ($static::ip_limit) hit for pool, redirecting to maintenance page."
        # Display maintenance page...
        call maintenance_page.irule::display_page
    }
}
Note: I've removed the pool logic, since it shouldn't be considered a security control. The preemptive [HTTP::respond] of your maintenance macro should be more than sufficient...
Cheers, Kai
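The two admission orderings discussed in this post, as an added simulation that is not part of Kai's or F5's code. It models the F5 session subtable with a plain Python dict (idle timeout refreshed on every lookup, indefinite lifetime, matching the `table set ... $static::ip_timeout indef` call above), reconstructs the "check the count first" behaviour Kai criticises from his description rather than from Ryan's actual iRule, and runs both policies over a constructed request sequence so the difference is visible: with the count checked first, a client admitted earlier is pushed to the maintenance page as soon as the table fills; with the known-client check first, that client keeps working and a new client gets in only after an idle entry has expired. The IP addresses, times and the `limit=2` cap are constructed test values.

```python
"""Simulate the two source-IP admission policies from the post.

Added example, not F5 code: the iRule 'table' command is modelled here
with a dict keyed by client IP.  Only the idle timeout matters, because
the post creates entries with an indefinite lifetime ('indef').
"""
from dataclasses import dataclass


@dataclass
class Entry:
    expires_at: float  # idle deadline; refreshed ('touched') on every lookup


class SubTable:
    """Minimal model of 'table ... -subtable conns' with idle-timeout semantics."""

    def __init__(self, timeout: float):
        self.timeout = timeout
        self.entries: dict[str, Entry] = {}

    def _expire(self, now: float) -> None:
        # Drop every entry whose idle deadline has passed.
        self.entries = {k: v for k, v in self.entries.items() if v.expires_at > now}

    def lookup(self, key: str, now: float) -> bool:
        # Like 'table lookup' without -notouch: a hit refreshes the timeout.
        self._expire(now)
        entry = self.entries.get(key)
        if entry is None:
            return False
        entry.expires_at = now + self.timeout
        return True

    def set(self, key: str, now: float) -> None:
        # Like 'table set -subtable conns <ip> 1 <timeout> indef'.
        self._expire(now)
        self.entries[key] = Entry(now + self.timeout)

    def count(self, now: float) -> int:
        # Like '[table keys -subtable conns -count]'.
        self._expire(now)
        return len(self.entries)


def admit_count_first(table: SubTable, ip: str, now: float, limit: int) -> str:
    """Reconstruction of the behaviour Kai criticises (assumed ordering):
    the global count is checked before the client is looked up, so once the
    table is full every client is blocked, known ones included."""
    if table.count(now) >= limit:
        return "maintenance"
    if not table.lookup(ip, now):
        table.set(ip, now)
    return "allow"


def admit_known_first(table: SubTable, ip: str, now: float, limit: int) -> str:
    """Kai's ordering: a known client is always allowed (and its entry touched);
    only unknown clients are subject to the limit."""
    if table.lookup(ip, now):
        return "allow"
    if table.count(now) < limit:
        table.set(ip, now)
        return "allow"
    return "maintenance"


# Constructed request sequence: (seconds since start, client IP).
CONSTRUCTED_REQUESTS = [
    (0, "10.0.0.1"),    # first client, admitted
    (0, "10.0.0.2"),    # second client, admitted; table now full at limit=2
    (0, "10.0.0.3"),    # third client, over the limit
    (100, "10.0.0.1"),  # known client returns: the case the post is about
    (300, "10.0.0.2"),  # known client keeps the entry alive under Kai's rule
    (600, "10.0.0.2"),
    (950, "10.0.0.3"),  # .1's idle entry (touched at 100, timeout 900) still alive
    (1001, "10.0.0.3"), # .1 has expired, a slot is free
]


def simulate(policy, requests=CONSTRUCTED_REQUESTS, limit: int = 2, timeout: float = 900) -> list[str]:
    """Run one policy over the request sequence and return the decisions in order."""
    table = SubTable(timeout)
    return [policy(table, ip, float(t), limit) for t, ip in requests]


if __name__ == "__main__":
    for name, policy in (("count-first", admit_count_first), ("known-first", admit_known_first)):
        print(name, simulate(policy))
```

Under `admit_count_first` the request at t=100 from 10.0.0.1, a client already in the table, is sent to the maintenance page; under `admit_known_first` it is allowed and refreshes its entry, and 10.0.0.3 is only admitted at t=1001, once that entry has been idle for the full 900 seconds.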