Forum Discussion

Greg_Wood_33904
Mar 30, 2010

How to limit the SSL TPS per VIP

We would like to assign a quota for the amount of SSL TPS each site can use so that one site does not take down all the others once the TPS limit has been reached (Client SSL only).

Of course our Sales Rep told us this could be accomplished in v10, so we upgraded just for this purpose.

This would be for the LTM 6900 platform running v10.1.0 and we are open to any suggestions.

9 Replies

  • Hi Greg,

    I'm not aware of any simple ways to limit SSL TPS in 10.1. Did the salesperson give you any hints on what they were thinking of? If it was a native option for limiting SSL TPS per VIP, I'd think the option would need to be on a client SSL profile. I don't see anything like this in 10.1 though.

    Maybe they were thinking of using the new table command? There are a few examples on the table wiki page as well as the iRule Codeshare for using the table command to limit TCP connections or HTTP requests to a VIP. Maybe you could adapt one of these?

    table wiki page
    http://devcentral.f5.com/wiki/default.aspx/iRules/table

    HTTP Session Limit using the table command
    http://devcentral.f5.com/wiki/default.aspx/iRules/HTTP_Session_Limit.html

    Aaron
  • Hamish
    Mmmm....

    You'll need to write an iRule as Aaron says. When you do, keep your timeslices at 5ms or less. (10ms is the system timeslice for counting SSL transactions. You need to be less than that if your aim is to ensure that the VS you're counting isn't going to blow the TPS license for everyone else).

    H
  • Correct..... We were advised that it would require an iRule.

    I am not sure that limiting the HTTP Sessions will give us the desired results. I would hate to guess too high or too low on the relationship between HTTP Sessions & SSL TPS.
  • hey,

    was anybody able to implement an iRule that can limit the TPS per VIP??
  • It could be you :). You could use the table command to track successful SSL handshakes in the CLIENTSSL_HANDSHAKE event:

    http://devcentral.f5.com/wiki/default.aspx/iRules/clientssl_handshake
    http://devcentral.f5.com/wiki/default.aspx/iRules/table
    http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/2375/v101--The-table-Command--The-Basics.aspx
    http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/2381/v101--The-table-Command--Counting.aspx

    Aaron
  • Hamish
    I'd suggest as a starting point the iRule http://devcentral.f5.com/wiki/default.aspx/iRules/HTTP_Session_Limit.html; it should be relatively easy (he says, without taking the time to think it through himself :) to modify it to track SSL negotiations instead.

    H
  • Hamish
    Oh... The reason I suggest using that iRule as a base is the perennial problem of not just counting SSL TPS, but also making sure that existing users don't get locked out by a random attack... You want to have two limits: one for ALL negotiations (including unknown/new users), and one slightly higher reserved for existing sessions. So ensuring that a rush of new clients won't blow out existing users half way.

    Also you'll probably want a way to track the sessions and delete any you don't like/want... like a manual blacklist. You could use classes, or in-memory tables. YMMV (each has its advantages/disadvantages).

    H
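The per-VIP quota that Aaron (count handshakes with the table command) and Hamish (two limits, with a slightly higher one reserved for clients that already have a session) describe above, written out as an added example. This is not code from any post in this thread or from F5; the limit values, the window length, and the subtable names "ssl_tps" and "ssl_known" are assumptions chosen for illustration. It also makes one design choice the posts do not spell out: the accept/reject decision is taken in CLIENT_ACCEPTED, before any SSL work, because by the time CLIENTSSL_HANDSHAKE fires the handshake has already been paid for against the TPS license. Each new TCP connection to a client-SSL VIP is treated as one handshake attempt.

```tcl
# Added example for this thread (not code from the original posts): a per-VIP
# client-SSL handshake quota with a reserved slice for returning clients,
# built on the v10.1 table command. Limits, window and subtable names below
# are assumed placeholders, not F5 defaults. Attach to each VIP you want capped.
when RULE_INIT {
    # Ceiling for clients we have not seen before (attempts per window)
    set static::tps_limit_new   200
    # Slightly higher ceiling for clients with a recent good handshake,
    # so a rush of strangers cannot starve existing users
    set static::tps_limit_known 250
    # Window length in ms. 10 ms is the box's own TPS sample interval;
    # keep this no longer than that if the goal is to stay under the
    # platform-wide license.
    set static::window_ms 10
    # Seconds a client address stays "known" after a successful handshake
    set static::known_ttl 300
}

when CLIENT_ACCEPTED {
    # Decide here, before any SSL work: rejecting in CLIENTSSL_HANDSHAKE
    # would come after the handshake has already cost a TPS. Renegotiation
    # on an already open connection is not counted by this rule.
    set slice [expr {[clock clicks -milliseconds] / $static::window_ms}]
    # One counter per VIP per time slice, keyed on the virtual's name
    set key "[virtual name]:$slice"

    # Count the attempt; table incr creates the key if it does not exist
    # and returns the new value
    set count [table incr -subtable "ssl_tps" $key]
    # Slices go stale almost immediately, so expire the entry shortly
    # after its last touch instead of the 180 s default
    table timeout -subtable "ssl_tps" $key 2

    # Known clients get the higher of the two limits
    if { [table lookup -subtable "ssl_known" [IP::client_addr]] ne "" } {
        set limit $static::tps_limit_known
    } else {
        set limit $static::tps_limit_new
    }

    if { $count > $limit } {
        # Over quota for this VIP in this slice: reset the TCP connection.
        # Log only the first overflow per slice to keep log volume sane.
        if { $count == $limit + 1 } {
            log local0. "[virtual name]: SSL handshake quota ($limit per ${static::window_ms}ms) hit, rejecting [IP::client_addr]:[TCP::client_port]"
        }
        reject
    }
}

when CLIENTSSL_HANDSHAKE {
    # Only a completed handshake marks the client as known; each good
    # handshake refreshes the TTL on the entry
    table set -subtable "ssl_known" [IP::client_addr] 1 $static::known_ttl
}
```

Two caveats a practitioner would want before deploying something like this: the "known" list is keyed on client IP, so users behind one NAT share a single entry and an attacker behind that NAT inherits the higher limit; and a rejected client sees a TCP reset rather than a TLS alert, which is cheap for the box but opaque to the user. The window is derived from the wall clock, so the counter is shared across TMMs through the table rather than kept per-TMM.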
  • Hamish
    Just as an aside... I'm also interested in this, but no time at the moment (firewalls calling :) for the next few weeks... If anyone would like to collaborate, I probably can spare a few cycles to work with someone.

    H
  • Colin_Walker_12
    Historic F5 Account
    There's an iRule that's most of the way there posted out on DevCentral already in David Holmes' blog about SSL Renegotiation (http://devcentral.f5.com/weblogs/david/archive/2011/05/16/ssl-renegotiation-dos-irule-updates.aspx):

        when RULE_INIT {
            # Max handshakes allowed on one client connection within the window
            set static::maxquery 5
            # Window length in milliseconds (60 s); each handshake is forgotten after this long
            set static::mseconds 60000
        }
        when CLIENT_ACCEPTED {
            # Per-connection handshake counter (a plain variable, so it is local to this TCP connection)
            set ssl_hs_reqs 0
        }
        when CLIENTSSL_HANDSHAKE {
            incr ssl_hs_reqs
            # Schedule a decrement once the window has passed, so the count slides rather than only grows
            after $static::mseconds { if {$ssl_hs_reqs > 0} {incr ssl_hs_reqs -1} }
            if { $ssl_hs_reqs > $static::maxquery } {
                # Tarpit the offender for 5 s before dropping, to slow its next attempt
                after 5000
                log "Handshake attack detected, dropping [IP::client_addr]:[TCP::client_port]"
                drop
            }
        }

    That could very easily be modified to fit your needs I think. It's already tracking how many handshakes there are in a given time period; you'd just need to modify the behavior and parameters a bit.

    Colin