Forum Discussion

dragonflymr
Nov 12, 2015

Connection Rate Limit - any way to access blacklist

Hi,


On a virtual server it's possible to set Connection Rate Limit with different modes. Let's say it's Per Virtual Server and Source Address. Then a different Source Mask can be set. Those limits have to use some kind of counter to figure out if the number of CPS from a given IP/Net is above the set limit. I wonder if there is any way to access this "blacklist" via iRule/iCall/iControl or in some other way? The idea is to use the built-in mechanism for detecting threshold violations and then use the blacklisted IPs for another script/device/etc.


Piotr


4 Replies

  • dragonflymr
    Hi, Sure I can. Probably I will, I just was curious if there is a way to use what is already there somehow. I know now that for example data created by AVR can be retrieved via iStats, seems that it's not the case here. Anyway, seems that I will have to try my best to create some kind of iRule for what I need - unfortunately I am far from being an expert here. Maybe you can point me to some good starting point for something like that - I would call it HTTP Session Rate Limit :-)

    Overall idea is:
    1. Set the TCP connection and connection rate thresholds
    2. If thresholds are not crossed allow any new TCP connection
    3. If one of the thresholds is exceeded start HTTP session checking
    4. Verify presence of our validation cookie
    5. Based on URI requested either allow TCP conn and HTTP request inside or drop it
    6. Be able to set oversubscription for TCP conn for HTTP request to specific URI (with correct cookie) - so such TCP conn are allowed even if thresholds are crossed but only if the result will be exceeding the limit by x%
    7. Rate limit should be flexible - similar to virtual Connection Rate Limit mode - Per Virtual Server and Source Address - so being able to set mask for rate limit

    So in the end it should promote TCP connections containing HTTP requests with session/validation cookie over ones without, but only when thresholds are crossed. In the end we want to allow users who already started a session to be able to finish it, and users that did not start a session to wait. Connection Limit/Rate Limit is a bit too generic and too low in the stack, we need this added functionality. Appreciate any links to topics covering a similar case.

    Piotr
  • BinaryCanary_19
    Historic F5 Account

    The data store you can use for this on-device is the session table:


    I imagine that you can key the entries in the table per IP address.


    Other than this, you are going to have to build the logic up.


    Application Security Module (ASM) has some pieces that can be configured to accomplish something like this without having to write code (Anomaly detection and DOS Profiles, particularly in version 12.0). Are you familiar with these, or have you taken a look at them?
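Putting Piotr's seven steps and BinaryCanary_19's session-table suggestion together, here is an added model of the decision logic in Python. It is not code from the thread or from F5: the two dictionaries stand in for session-table subtables keyed by the masked source address (on a BIG-IP those would be `table incr` / `table set` entries with a timeout), and the limit values, cookie name and protected URI prefix are made-up assumptions for the example. It runs offline so the ordering of the checks and the oversubscription rule can be tried out before they are transcribed into an iRule.

```python
"""Model of the "HTTP Session Rate Limit" logic described in the thread.

Added example, not the thread's or F5's code. Counters live in plain dicts;
on a BIG-IP they would be session-table entries keyed by the masked source.
"""
from dataclasses import dataclass
from ipaddress import ip_network
import time


@dataclass
class Limits:
    max_conns: int = 100            # concurrent TCP connections per source prefix
    max_cps: int = 20               # new connections per second per source prefix
    mask_len: int = 24              # source mask, as in the virtual's rate-limit mode
    oversubscribe_pct: int = 10     # cookie holders may exceed the limits by this much
    cookie_name: str = "SESSIONVALID"        # assumed validation cookie name
    protected_prefixes: tuple = ("/app/",)   # assumed URIs that carry a session


class SessionRateLimiter:
    def __init__(self, limits, clock=time.monotonic):
        self.limits = limits
        self.clock = clock
        self.active = {}    # prefix -> concurrent connections (step 1 threshold)
        self.cps = {}       # prefix -> (window_second, count) (step 1 threshold)

    def _key(self, ip):
        # Per Virtual Server and Source Address with a mask: key by the prefix.
        return str(ip_network(f"{ip}/{self.limits.mask_len}", strict=False))

    def _cps_count(self, key, now):
        # Fixed one-second window; a new second starts the count from zero.
        second = int(now)
        start, count = self.cps.get(key, (second, 0))
        if start != second:
            start, count = second, 0
        return start, count

    def _over_limit(self, key, pct=0):
        # pct > 0 applies the oversubscription allowance of step 6.
        allow_conns = self.limits.max_conns * (100 + pct) // 100
        allow_cps = self.limits.max_cps * (100 + pct) // 100
        _, cps = self._cps_count(key, self.clock())
        return self.active.get(key, 0) > allow_conns or cps > allow_cps

    def connection_opened(self, ip):
        """Count a new TCP connection; return True if a threshold is now crossed."""
        key = self._key(ip)
        start, count = self._cps_count(key, self.clock())
        self.cps[key] = (start, count + 1)
        self.active[key] = self.active.get(key, 0) + 1
        return self._over_limit(key)

    def connection_closed(self, ip):
        key = self._key(ip)
        self.active[key] = max(0, self.active.get(key, 0) - 1)

    def http_request(self, ip, uri, cookies):
        """Steps 2-6: ALLOW or DROP the request carried by a counted connection."""
        key = self._key(ip)
        if not self._over_limit(key):
            return "ALLOW"                       # step 2: under threshold, no checks
        if self.limits.cookie_name not in cookies:
            return "DROP"                        # step 4: no validation cookie, wait
        if not uri.startswith(self.limits.protected_prefixes):
            return "DROP"                        # step 5: cookie but not a session URI
        if self._over_limit(key, self.limits.oversubscribe_pct):
            return "DROP"                        # step 6: oversubscription exhausted
        return "ALLOW"                           # session holder gets to finish


def simulate():
    """Constructed scenario: a /24 fills max_conns=2 with 50% oversubscription."""
    t = [1000.0]
    lim = SessionRateLimiter(Limits(max_conns=2, max_cps=100, oversubscribe_pct=50),
                             clock=lambda: t[0])
    results = []
    lim.connection_opened("203.0.113.10")
    lim.connection_opened("203.0.113.11")
    results.append(lim.http_request("203.0.113.11", "/app/cart", {}))                       # ALLOW
    lim.connection_opened("203.0.113.12")                                                   # crosses 2
    results.append(lim.http_request("203.0.113.12", "/app/cart", {}))                       # DROP
    results.append(lim.http_request("203.0.113.12", "/static/x.png", {"SESSIONVALID": "1"}))  # DROP
    results.append(lim.http_request("203.0.113.12", "/app/checkout", {"SESSIONVALID": "1"}))  # ALLOW
    lim.connection_opened("203.0.113.13")                                                   # 4 > 3
    results.append(lim.http_request("203.0.113.13", "/app/checkout", {"SESSIONVALID": "1"}))  # DROP
    lim.connection_opened("198.51.100.7")                                                   # other /24
    results.append(lim.http_request("198.51.100.7", "/app/cart", {}))                       # ALLOW
    return results


def cps_demo():
    """Constructed scenario: the CPS window resets after one second."""
    t = [0.0]
    lim = SessionRateLimiter(Limits(max_conns=1000, max_cps=2), clock=lambda: t[0])
    same_second = [lim.connection_opened(f"203.0.113.{i}") for i in range(1, 4)]
    t[0] += 1.0
    next_second = lim.connection_opened("203.0.113.9")
    return same_second, next_second
```

Note that `http_request` never counts; only `connection_opened` and `connection_closed` touch the counters, which mirrors the split between a CLIENT_ACCEPTED/CLIENT_CLOSED style of accounting and a per-request decision. The third connection in `simulate` is allowed only because it carries the cookie, hits a protected URI and stays inside the 50% allowance; the fourth is dropped even with a valid cookie.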


  • Hi,


    Yes, I know ASM but this is not exactly the same functionality. It's more like static limiting without detecting attacks/violations. Seems that both DOS Profiles as well as Web Scraping protection are not enough - both are enabled. The issue is preventing ASM overload - the device is too weak for the load. I know that this is a bit of an artificial solution but I have to work with what I have.


    Will try to figure out how to arrange it with an iRule but the first thing is to figure out the logic more precisely. I assume that there could be some flaws in what I already described :-(


    Piotr