Forum Discussion

bdavis
Aug 26, 2016

APM: Access Profile Option. "Max In Progress Sessions Per Client IP"

I was curious if there is any way to set the APM Access Profile setting "Max In Progress Sessions Per Client IP" option to a specific number, but exclude specific NAT'd addresses for customers that warrant higher than normal sessions above and beyond the Max. Preventing possible DoS attacks, without impacting legitimate customers?


1 Reply

  • Hi Brett,

    It's unfortunately not possible to configure individual settings per client IP.

    But you may use the iRule below as a starting point. The iRule uses the [class] command to fetch individual limits from a datagroup and then counts and enforces the in-progress session limits using the [table add/delete -subtable] and [table keys -count -subtable] commands.

    iRule to enforce individual "Max In Progress Sessions Per Client IP" settings

    when RULE_INIT {
        # Default limit for client IPs that have no entry in the datagroup
        set static::inprogress_session_limit 5
        # Lifetime of a tracking entry; should match the Access Policy Timeout so abandoned logins expire
        set static::access_policy_timeout 300
    }
    when ACCESS_SESSION_STARTED {
        log local0.debug "Started"
        # Individual limit from the datagroup, falling back to the default when the client IP is not listed
        if { [set SessionLimit [class lookup "[ACCESS::session data get "session.user.clientip"]" "DG_My_Trusted_IPs"]] eq "" } then {
            set SessionLimit $static::inprogress_session_limit
        }
        # Block when the client IP already has SessionLimit sessions in progress (>= keeps the limit at exactly N)
        if { [table keys -count -subtable "APMSessions_[ACCESS::session data get "session.user.clientip"]"] >= $SessionLimit } then {
            ACCESS::respond 200 content "Too many concurrent logon sessions from your IP address" noserver "Content-Type" "text/html"
            ACCESS::session remove
            log local0.debug "Login from client IP \"[ACCESS::session data get "session.user.clientip"]\" was blocked. Too many in-progress sessions..."
        } else {
            # Track this session under the client IP's subtable until the policy completes or the entry's lifetime expires
            table add -subtable "APMSessions_[ACCESS::session data get "session.user.clientip"]" "[ACCESS::session data get "session.user.sessionid"]" 1 indefinite $static::access_policy_timeout
        }
    }
    when ACCESS_POLICY_COMPLETED {
        # Policy finished (allow or deny): the session is no longer "in progress"
        table delete -subtable "APMSessions_[ACCESS::session data get "session.user.clientip"]" "[ACCESS::session data get "session.user.sessionid"]"
    }
    

    DG_My_Trusted_IPs

    ltm data-group internal DG_My_Trusted_IPs {
        records {
            1.1.1.1/32 {
                data 50
            }
            2.2.2.0/24 {
                data 100
            }
        }
        type ip
    }
    

    Cheers, Kai
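To see how the per-client-IP limit, the trusted-IP overrides and the entry lifetime interact before deploying the iRule, here is an added offline model of its logic in Python (example code, not from the original answer or from F5). It assumes the address datagroup resolves to the most specific matching prefix and applies the limit as "at most N in-progress sessions per IP"; the datagroup contents, IPs and session ids are constructed.

```python
import ipaddress
import time

# Constructed stand-in for the DG_My_Trusted_IPs address datagroup:
# CIDR -> per-IP in-progress session limit (most specific prefix is assumed to win).
TRUSTED_IPS = {"1.1.1.1/32": 50, "2.2.2.0/24": 100}
DEFAULT_LIMIT = 5       # static::inprogress_session_limit
POLICY_TIMEOUT = 300    # static::access_policy_timeout (seconds)


def lookup_limit(client_ip, data_group=TRUSTED_IPS, default=DEFAULT_LIMIT):
    """Model [class lookup] on an address datagroup: longest matching prefix, else default."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for cidr, limit in data_group.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, limit)
    return default if best is None else best[1]


class InProgressTracker:
    """Model the APMSessions_<clientip> subtables: session id -> entry expiry time."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested offline
        self.subtables = {}

    def _live(self, client_ip):
        sub = self.subtables.setdefault(client_ip, {})
        t = self.now()
        for sid in [s for s, exp in sub.items() if exp <= t]:
            del sub[sid]        # lifetime elapsed: an abandoned login no longer counts
        return sub

    def session_started(self, client_ip, session_id):
        """ACCESS_SESSION_STARTED: True if the login may proceed, False if it is blocked."""
        sub = self._live(client_ip)
        if len(sub) >= lookup_limit(client_ip):
            return False        # iRule path: ACCESS::respond 200 ... ; ACCESS::session remove
        sub[session_id] = self.now() + POLICY_TIMEOUT   # table add ... indefinite <lifetime>
        return True

    def policy_completed(self, client_ip, session_id):
        """ACCESS_POLICY_COMPLETED: table delete frees the slot for this client IP."""
        self._live(client_ip).pop(session_id, None)
```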