devnullNZ
Jun 25, 2014 Nimbostratus
Bit shifting in exponential backoff rule - bug?
Been looking at using a modified version of this to mitigate brute force login attempts on a site:
https://devcentral.f5.com/wiki/iRules.POST-Request-Exponential-Backoff.ashx
But looking at the formula, there seems to be an error.
if { $prev_attempts eq "" } { set prev_attempts 0 }
OK, so this says if the variable is uninitialized, we set it to zero.
set new_lockout [expr (1 << ($prev_attempts-1))]
But this has the potential of putting a -1 on the right-hand side, which makes it undefined. Checking it in tclsh seems to confirm that the result of the expression will be invalid:
% expr 1 << (0-1)
-2147483648
% exit
So my question is, shouldn't the $prev_attempts variable be initialized to "1", not "0"?
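
One way to guard the shift discussed in the post above, written as an added example that is not part of the original post or the linked iRule. It is plain Tcl for tclsh; the proc name `lockout_seconds`, the choice to return 0 when no failures are recorded, and the `max_shift` cap of 16 are assumptions made for illustration.

```tcl
# Added example: hypothetical helper, not code from the linked iRule.
# Returns the lockout in seconds for a given count of previous failed attempts.
# max_shift is an assumed cap that keeps the shift well below the sign bit
# of a 32-bit integer, so a long run of failures cannot wrap the result.
proc lockout_seconds { prev_attempts { max_shift 16 } } {
    # Treat an uninitialized or non-integer counter as zero
    if { $prev_attempts eq "" || ![string is integer -strict $prev_attempts] } {
        set prev_attempts 0
    }

    # No failures recorded yet: no lockout, and the shift count
    # ($prev_attempts - 1) is never allowed to go negative
    if { $prev_attempts < 1 } {
        return 0
    }

    # Exponential backoff: 1, 2, 4, 8, ... seconds, clamped at 1 << max_shift
    set shift [expr { $prev_attempts - 1 }]
    if { $shift > $max_shift } {
        set shift $max_shift
    }
    return [expr { 1 << $shift }]
}

# Constructed sample inputs: empty (uninitialized), zero, small counts,
# and a count large enough to hit the cap
foreach n { "" 0 1 2 5 40 } {
    puts "prev_attempts='$n' -> lockout [lockout_seconds $n]s"
}
```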