dp_119903
Nov 25, 2015

Best way to limit number of "gets" from a single client

I have a website that is taking a pretty large load. The website was recently moved behind the F5. Prior to that they were doing some basic DOS protection on the server itself. They were basically limiting the total number of requests for any object by the same client (50) on the same listener per site interval (which was set to 1 second).

 

I know that the F5 has a lot of ways to limit traffic, but I'm not finding an easy way to mimic this sort of functionality. My question is, what is the best/easiest way to limit the number of "gets" for a single user? Ultimately I want to make sure that a single user can't issue a gabillion gets and negatively impact the site.

 

I've briefly looked at "bandwidth controllers" (but I don't think that's the route to go). I do have ASM, but it's not implemented and this is a production system so I think turning that on and setting it up is not going to be a small LOE. If that's the answer, then so be it, but if there are other/better/easier ways to protect the site from a malicious user please let me know.

 

Thanks in advance!

 

1 Reply

  • Actually, I think the ASM would be the best answer here. Within the ASM module, you will find DOS protection profiles that are very easy to configure (limit by TPS increase settings are available). You do not even have to configure ASM security policy; by that I mean you can only use the DOS protection profile for now, and only get involved with building your full ASM security policy when you have more time.

     

    For an LTM-module implementation, there are iRule solutions available in Code Share.
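
The per-client limit described in the question, written as an LTM iRule. This is an added example, not part of the thread and not one of the Code Share iRules the reply refers to. It assumes the client is identified by source IP and uses the question's figures (50 GETs per 1-second interval); the `getrate:` key prefix and the `static::` variable names are made up for illustration.

```tcl
when RULE_INIT {
    # Assumed limits, taken from the server-side setting in the question:
    # at most 50 requests per client per 1-second interval.
    set static::get_limit 50
    set static::get_window 1
}

when HTTP_REQUEST {
    # Only GET requests are counted; other methods pass through untouched.
    if { [HTTP::method] ne "GET" } { return }

    # Fixed-window counter: one session-table entry per client IP per window.
    # The window number is part of the key, so each interval starts from zero.
    set window [expr { [clock seconds] / $static::get_window }]
    set key "getrate:[IP::client_addr]:$window"

    # table incr creates the entry on first use and returns the new count.
    set count [table incr $key]

    if { $count == 1 } {
        # First GET in this window: let the entry expire shortly after the
        # window closes instead of waiting for the default table timeout.
        table timeout $key [expr { $static::get_window + 1 }]
    }

    if { $count > $static::get_limit } {
        # Log only the first rejected request per client per window so a
        # flood does not also flood the log.
        if { $count == $static::get_limit + 1 } {
            log local0.warning "GET rate limit hit: client=[IP::client_addr] limit=$static::get_limit/${static::get_window}s"
        }
        # Answer from the BIG-IP; the request never reaches a pool member.
        HTTP::respond 429 content "Too Many Requests" "Retry-After" $static::get_window
        return
    }
}
```

Because the counter is keyed on source IP, all users behind one NAT address or forward proxy share a single budget. A fixed window also lets a client send up to twice the limit across a window boundary, so set the threshold with that in mind.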