Hello,
So I made you a little iRule that I already used a long time ago 🙂 for DDoS (because my customer did not have ASM...).
As you can notice, I use table/subtable; it's a simple and effective way to store information.
For the blocking, you can respond with a specific message or send a reject/drop.
You can also add blocking for other responses and modify the blocking time or the number of occurrences...
So keep me posted.
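when HTTP_REQUEST {
    set clientip [IP::client_addr]
    # Current count of error responses for this client ("" if none yet);
    # -notouch reads the entry without resetting its timeout
    set incrementvalue [table lookup -notouch -subtable restriction $clientip]
    log local0. "$incrementvalue"
    if {$incrementvalue > 2} {
        # Block: respond with a specific message...
        HTTP::respond 200 content "Reject bla bla bla"
        # ...or send a reject/drop instead (use one or the other)
        # reject
    }
}
when HTTP_RESPONSE {
    set httpstatus [HTTP::status]
    # For information, you can add additional statuses in order to block them, for example 500
    if { ($httpstatus starts_with "4") } {
        if {$incrementvalue == ""} {
            # First error response seen for this client: start counting, keep for 3600 s
            table set -subtable restriction $clientip 1 3600
        } else {
            set incrementvalue [expr {$incrementvalue + 1}]
            table set -subtable restriction $clientip $incrementvalue 3600
        }
    }
}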
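
A variant of the iRule above, added here as an example and not part of the original post: it counts with `table incr` instead of a separate lookup and `table set`, so concurrent responses for the same client do not overwrite each other's count, and it moves the tunables the post mentions (occurrences, blocking time, extra statuses) into one place. The `static::max_errors` and `static::block_seconds` names, the 429 status and the response text are assumptions.

```tcl
when RULE_INIT {
    # Assumed tunables (hypothetical names, not from the original post)
    set static::max_errors 3          ;# error responses allowed before blocking
    set static::block_seconds 3600    ;# entry timeout, as in the original iRule
}

when HTTP_REQUEST {
    set clientip [IP::client_addr]
    # -notouch: requests from an already blocked client must not extend the entry
    set errors [table lookup -notouch -subtable restriction $clientip]
    if { $errors ne "" && $errors >= $static::max_errors } {
        # Same blocking point as the original (> 2), with an explicit status
        HTTP::respond 429 content "Too many failed requests" Retry-After $static::block_seconds
        return
    }
}

when HTTP_RESPONSE {
    set status [HTTP::status]
    # 4xx as in the original, plus 500 as the post suggests
    if { $status starts_with "4" || $status == 500 } {
        # table incr creates the key when it is missing and increments it
        # in one table operation, so there is no read-modify-write gap
        table incr -subtable restriction $clientip
        # A key created by table incr gets the default timeout; set it explicitly
        table timeout -subtable restriction $clientip $static::block_seconds
    }
}
```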