Dan Makovec’s blog
Ramblings of a disaffected geek
iRule for throttling clients under F5 BigIP LTM
December 27, 2007 on 12:27 am | In Uncategorized |

We had a little problem with a DDoS attack this morning on DirectoryAustralia, so I was forced to go down the path of using Apache mod_rewrite to block any access by a given user agent whose identity had been borrowed by a rogue bot. Not pretty, but it got the site back on track.

The problem with this approach is that it still means the requests come in to the load balancers, get assigned a worker node, hit the node, get run through the Apache rewrite checks, then get rejected. It also means more config syncing between multiple servers.

I thought to myself that given we’ve purchased a couple of really pricey F5 Big IP load balancers, surely there would be a way of having them generically throttle connections per IP without having to burden the servers with the effort of doing so? So I dug around a little into the F5 iRule syntax, and hit this page, which presented some nifty solutions that helped. Here’s one derived iRule, based on the third rule listed in the above page, helpfully called Cap_connections_per_IP:
when RULE_INIT {
    # Global array keyed by client IP; the value is the number of open connections
    array set ::active_clients { }
}

when CLIENT_ACCEPTED {
    set client_ip [IP::remote_addr]
    if { [info exists ::active_clients($client_ip)] } {
        if { $::active_clients($client_ip) > 10 } {
            # More than 10 connections already open from this IP: drop this one
            # without counting it (so up to 11 concurrent connections get through)
            reject
            log local0. "Reject overactive IP $client_ip ($::active_clients($client_ip))"
            return
        } else {
            incr ::active_clients($client_ip)
        }
    } else {
        # First connection seen from this IP
        set ::active_clients($client_ip) 1
    }
}

when CLIENT_CLOSED {
    set client_ip [IP::remote_addr]
    if { [info exists ::active_clients($client_ip)] } {
        incr ::active_clients($client_ip) -1
        # Remove the entry once the last connection closes so the array does not
        # grow without bound; the <= 0 test also keeps the count from going negative
        # if CLIENT_CLOSED fires for a connection that was rejected above and so
        # never incremented the count
        if { $::active_clients($client_ip) <= 0 } {
            unset ::active_clients($client_ip)
        }
    }
}
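The rule above caps concurrent connections, which is not quite the problem that started the day: a bot hiding behind a legitimate User-Agent can stay well under 10 open connections and still hammer the site with requests over each one. The following iRule is an added example, not code from the original post or from the page it cites. It counts HTTP requests per client IP over a fixed window and answers anything over the limit with a 503 straight from the BIG-IP, so the request never reaches a worker node. The limit of 100 requests per 10 seconds, the 503 body and the variable names (::req_limit, ::req_window, ::req_count, ::req_start) are assumed values chosen for illustration.

```tcl
when RULE_INIT {
    # Assumed values for illustration: requests allowed per client IP
    # within each window, and the window length in seconds
    set ::req_limit 100
    set ::req_window 10
    # Per-IP request count and the time at which that IP's window opened
    array set ::req_count { }
    array set ::req_start { }
}

when HTTP_REQUEST {
    set client_ip [IP::client_addr]
    set now [clock seconds]

    # First request from this IP, or its window has expired: open a new
    # window and count this request as the first one in it
    if { ![info exists ::req_start($client_ip)] ||
         ($now - $::req_start($client_ip)) >= $::req_window } {
        set ::req_start($client_ip) $now
        set ::req_count($client_ip) 1
        return
    }

    incr ::req_count($client_ip)
    if { $::req_count($client_ip) > $::req_limit } {
        # Over the limit: log once per excess request and answer from the
        # load balancer; nothing is forwarded to the pool for this request
        log local0. "Throttling $client_ip: $::req_count($client_ip) requests in $::req_window s"
        HTTP::respond 503 content "Service temporarily unavailable" \
            "Retry-After" $::req_window "Connection" "close"
    }
}
```

Like the original rule, this keeps its counters in global variables, which is the simplest thing that works on a 9.x box but has two costs worth knowing about. Entries for an IP are only reset when that IP sends another request, so the arrays grow with the number of distinct clients seen; and on BIG-IP 9.4 and later, an iRule that touches global (::) variables demotes its virtual server out of CMP, so it runs on a single TMM. From 10.1 the table command is the supported way to keep shared, expiring per-client counters. Whichever variant is used, remember that many legitimate users can sit behind one NAT address, so watch the local0 log for a while with a generous limit before tightening it.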