Forum Discussion

werner_v_113449
Apr 11, 2018

irule for rate limit based on http error codes & client ip

Hi ,


I'm looking for one iRule (or maybe two combined) to rate limit HTTP response error codes coming from the same client.


What we want to create is a check where a client that is coming in is checked. If he gets a 400 error code, we want to log it. When the same client gets the 400 error more than 2 times in 1 hour, it should be blocked.


Does anybody know iRule code for performing this?


3 Replies

  • Hello,


    When you say coming from the same client, do you mean the source IP address?


    regards


  • yes,


    The same client IP can get 2 * 400 errors in a given timeframe. If that is exceeded, the client IP needs to be blocked for a given time to avoid retries.


    After the given time, all can be reset again.


    We use some client IP rate limit iRules. But they are simply based on the client IP and how many times the client IP hits a specific Virtual Server/URI. Here we need to count the HTTP response error code, and block the client IP if it gets the same error page more than 2 times in a specific timeframe.


  • Hello,

    So I made you a little iRule that I already used a long time ago 🙂 for DDoS (because my customer did not have ASM...).

    As you can notice, I use table/subtable; it's a simple and effective way to store information.

    For the blocking you can respond with a specific message or send a reject/drop.

    You can also add blocking for other responses and modify the time for blocking or the occurrence count...

    So keep me in touch.

    when HTTP_REQUEST {
        # Key every counter on the client source IP
        set clientip [IP::client_addr]
        # Read this client's 4xx counter without refreshing its timeout ("" if no entry exists yet)
        set incrementvalue [table lookup -notouch -subtable restriction $clientip]
        log local0. "$incrementvalue"

        # More than 2 errors inside the table timeout: send a message and reset the connection.
        # Note: reject resets the TCP connection right after the response is queued, so if the
        # client must reliably read the message, use HTTP::respond followed by return instead.
        if { $incrementvalue ne "" && $incrementvalue > 2 } {
            HTTP::respond 200 content "Reject bla bla bla"
            reject
        }
    }

    when HTTP_RESPONSE {
        set httpstatus [HTTP::status]

        # For information: you can add additional statuses in order to block on them, for example 500
        if { $httpstatus starts_with "4" } {
            # $clientip and $incrementvalue persist from HTTP_REQUEST on the same connection
            if { $incrementvalue eq "" } {
                # First error from this client: create the counter with a 3600 second timeout
                table set -subtable restriction $clientip 1 3600
            } else {
                # Subsequent error: increment and refresh the 3600 second timeout
                set incrementvalue [expr {$incrementvalue + 1}]
                table set -subtable restriction $clientip $incrementvalue 3600
            }
        }
    }
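To make the counting and blocking behaviour discussed in this thread easy to reason about off the box, here is the same per-client-IP logic modelled in Python. This is an added example, not code from the thread's author or from F5: it separates the error-counting window from the block duration (as the second reply asked for) instead of reusing the counter's table timeout as the block time, and it resets the counter once a block expires. The class and function names, the event tuples and the timestamps are all constructed for the illustration.

```python
"""Model of a per-client-IP limiter that blocks a client after too many 4xx responses.

Assumptions (not from the thread): time is passed in explicitly as seconds so the
model runs offline; a blocked client's requests are refused before reaching the
backend, so they do not add to its error count (matching the iRule, where a
rejected request never reaches HTTP_RESPONSE).
"""
from dataclasses import dataclass, field


@dataclass
class ErrorRateLimiter:
    threshold: int = 2           # more than this many 4xx responses in the window blocks the client
    window: float = 3600.0       # seconds the error counter lives; refreshed on every new 4xx
    block_time: float = 3600.0   # seconds a client stays blocked once the threshold is exceeded
    counts: dict = field(default_factory=dict)   # ip -> (count, counter_expires_at)
    blocked: dict = field(default_factory=dict)  # ip -> unblock_at

    def is_blocked(self, ip: str, now: float) -> bool:
        """Request-time check. Expired blocks are cleared and the client's counter is reset."""
        until = self.blocked.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.blocked[ip]
            self.counts.pop(ip, None)   # "after the given time, all can be reset again"
            return False
        return True

    def record_response(self, ip: str, status: int, now: float) -> bool:
        """Response-time accounting. Returns True when this response tips the client into a block."""
        if not 400 <= status < 500:
            return False            # only client errors count, like the iRule's starts_with "4"
        count, expires_at = self.counts.get(ip, (0, 0.0))
        if now >= expires_at:
            count = 0               # the counter timed out: start a fresh window
        count += 1
        self.counts[ip] = (count, now + self.window)
        if count > self.threshold:
            self.blocked[ip] = now + self.block_time
            return True
        return False


def simulate(limiter: ErrorRateLimiter, events) -> list:
    """Replay (timestamp, client_ip, backend_status) events and return the per-request decision.

    A blocked client gets "blocked" and never reaches the backend; otherwise the request is
    "allowed" and the backend's status is fed into the error counter.
    """
    decisions = []
    for now, ip, status in events:
        if limiter.is_blocked(ip, now):
            decisions.append("blocked")
            continue
        decisions.append("allowed")
        limiter.record_response(ip, status, now)
    return decisions


# Constructed traffic: client A produces three 4xx responses inside the window and is blocked
# for block_time seconds; client B's single old error expires before its next one.
SAMPLE_EVENTS = [
    (0, "A", 404),
    (5, "B", 404),
    (10, "A", 404),
    (20, "A", 200),
    (30, "A", 400),      # third 4xx: A exceeds the threshold and is blocked until t=630
    (40, "A", 200),
    (629, "A", 200),
    (630, "A", 200),     # block expired: allowed again, counter reset
    (4000, "B", 404),    # B's counter from t=5 expired at t=3605, so this starts a new window
]

if __name__ == "__main__":
    lim = ErrorRateLimiter(threshold=2, window=3600, block_time=600)
    for event, decision in zip(SAMPLE_EVENTS, simulate(lim, SAMPLE_EVENTS)):
        print(f"t={event[0]:>5} client={event[1]} status={event[2]} -> {decision}")
```

The model keeps the iRule's semantics where they matter (counting at response time, checking at request time, refreshing the counter on each new error) while making the two timers explicit, which is the knob the second reply wanted to tune independently.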