Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Clear all filters

Rate limiting - one req per second?

Using ASM - DoS or iRules is it possible to limit one request per second per session? We've had pen testers in the past manage to send 200 requests simultaneously using Burp Sniper multi threaded to achieve a Time of check time of use bug - is this too sensitive for F5 to solve?


Rate this Question

Answers to this Question


It is possible to rate-limit requests even using LTM (using rate-limit class or connection limits) however this will not fix your problem as Time of Check/Time of Use bug is race condition inside your application and should ultimately be fixed by the application developers.

F5 devices are incredibly powerful capable of processing hundreds of thousands of requests per second (in fact 12250v box supports 4 MILLION requests per second) and you want to make F5 4 million times slower because of a buggy application? Sorry for a bit of a rant, but if application developers are available then this is really a bug for them to fix.

To slow down the connection rate you don't actually need ASM - just use the connection rate limit setting on the Virtual Server.


With ASM or AFM you can use Dos Profile settings...

Security ›› DoS Protection : DoS Profiles ›› Create New DoS Profile...

 Application Security ›› TPS-based DoS Detection
    TPS reached:  xxx transactions per second

You will need to experiment to determine appropriate values for these settings. If you enable DeviceID in your ASM policy, the client must support Javascript, and may be blocked if it does not do so (even for a policy in Alarm only or Transparent mode). You should also establish a baseline of acceptable traffic levels before trying to exceed TPS detection.

ASM Webscraping protection may also be of value ...

Security ›› Application Security : Anomaly Detection : Web Scraping

Comments on this Answer
Comment made 15-Oct-2017 by samstep 1923

I believe that using ASM is not really suitable in this case as it appears that the requirement is to rate-limit the access and queue the excessive requests and not to BLOCK them. None of these suggestions will fix the TOCTOU vulnerability anyway, see: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

Comment made 15-Oct-2017 by S Blakely

My interpretation of the specific request was to rate limit requests per session

limit one request per second per session?

ASM/L7 DoS profiles provide session tracking via IP or DeviceID, and can rate-limit requests based on rate increase or pure TPS values.

It may or may not address a specific issue (which is an application issue), but ASM does provide solutions to prevent a specific client from making too many requests in a specific time period.

I wouldn't want to try to go as low as 1 request per second per session, but reasonable limits can be applied (with some testing).

Comment made 16-Oct-2017 by PowerShellDon 112

Thanks for answers. I understand and would prefer an app level fix but that's a separate issue i'm raising.

Under Virtual Servers i can see "Connection Rate Limit and Limit Mode"

However i don't wait to rate limit all traffic to a VS, just on a specific API endpoint ie. foo.bar/foo

The only appropriate option there looks like "Per Source Address" but this is across all servers which have Rate Limiting turned on, which doesnt sound ideal either.