i am not familiar with xml. anyway, i think you may start from Blocking DNS Flood Attacks example in article below.
v10.1 - The table Command - Examples by Spark
https://devcentral.f5.com/tech-tips/articles/v101-the-table-command-examples
this is non-tested code. what it does is it counts request per second per client ip. when it exceeds 100 requests per second (static::maxquery), the client ip will be hold for 600 seconds (static::holdtime). if the request does not exceed, we will collect request payload and reject if it contains searching string (static::search_string).
in case if you want to limit request per second globally (not per client ip), you just change srcip variable to static value (instead of client ip).
when RULE_INIT {
set static::maxquery 100
set static::holdtime 600
set static::search_string "whatever string"
}
when HTTP_REQUEST {
if { [HTTP::header Content-Type] equals "text/xml" } {
set srcip [IP::remote_addr]
if { [table lookup -subtable "blacklist" $srcip] != "" } {
drop
return
}
set curtime [clock second]
set key "count:$srcip:$curtime"
set count [table incr $key]
table lifetime $key 2
if { $count > $static::maxquery } {
table add -subtable "blacklist" $srcip "blocked" indef $static::holdtime
table delete $key
drop
return
}
if { [HTTP::header "Content-Length"] ne "" and [HTTP::header "Content-Length"] <= 1048576 } {
set content_length [HTTP::header "Content-Length"]
} else {
set content_length 1048576
}
if { $content_length > 0 } {
HTTP::collect $content_length
}
}
}
when HTTP_REQUEST_DATA {
if { [HTTP::payload] contains $static::search_string } {
reject
}
}