Forum Discussion

André_Amaro_215
Jan 11, 2019

How to limit access by time?

Dear community,

I need to handle requests for a particular domain in a different way. I usually apply a few simple conditions, for example, requests must arrive with the xpto.com header to be forwarded to the pool.

  • I use a BIG-IP LTM 13.0.0.

Now I need, for a particular domain, if it is called more than 50 times in 10 minutes by the same IP, to block this IP for 30 minutes.

From what I've been researching, I believe that the FLOW_INIT function helps me with what I need, but I still cannot reach my goal.

Below is a simple example of what I use to test:

when HTTP_REQUEST {
    # Only handle requests for the test host
    if {[HTTP::host] equals "drop.test:8080"} {
        switch -glob [HTTP::uri] {
            "/test/*" {
                log local0. "/test/ - accept - source: [IP::remote_addr] - uri: [HTTP::host][HTTP::uri]"
                # HTTP::respond needs a status code before the body
                HTTP::respond 200 content "Test ok!"
            }
            "/drop/*" {
                log local0. "/drop/ - accept - source: [IP::remote_addr] - uri: [HTTP::host][HTTP::uri]"
                HTTP::respond 200 content "Drop ok!"
            }
            default {
                # Any other URI on this host is refused
                log local0. "reject - source: [IP::remote_addr] - uri: [HTTP::host][HTTP::uri]"
                reject
            }
        }
    }
}

  • You could achieve this using subtables. Use two tables, a "pre-block" table to cache IP information, and a "block" table of IP addresses that have breached your policy. Using the lifetime facility you can create an effective TTL for the connection.

    Example high-level overview

    1) Check if IP is in the 'block' subtable.
        yes - block
        no - continue
    
    2) Is the IP in the 'pre-block' subtable?
        yes - if counter > 49 add to block table with lifetime of 30 min
            - else increment connection counter where IP is the key, counter is the value.
    
        no - write IP address to 'pre-block' table with a value of '1' and a lifetime of 30 min
    

    See the following link for further reading on subtables: https://devcentral.f5.com/articles/v101-the-table-command-subtables
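
An iRule following the two-subtable outline in the answer above, added here as an example and not written by either poster. The subtable names and `static::` variable names are assumptions, and the host and thresholds (more than 50 requests in 10 minutes, 30-minute block) are taken from the question rather than from the answer's outline.

```tcl
# Added example: per-IP request limiting with two session subtables.
# Subtable names, variable names and thresholds are assumptions for illustration.
when RULE_INIT {
    set static::rl_host      "drop.test:8080" ;# host from the question's test rule
    set static::rl_max       50               ;# requests allowed per window
    set static::rl_window    600              ;# counting window: 10 minutes
    set static::rl_blocktime 1800             ;# block duration: 30 minutes
}

when HTTP_REQUEST {
    # Only the protected domain is rate limited.
    if { [HTTP::host] ne $static::rl_host } { return }

    set ip [IP::client_addr]

    # Step 1: already in the "block" subtable? -notouch keeps the lookup
    # from refreshing the entry, so the block ends when its lifetime does.
    if { [table lookup -notouch -subtable block $ip] ne "" } {
        reject
        return
    }

    # Step 2: count the request in the "pre-block" subtable.
    # "table add" only creates the entry when the key is absent, so the
    # lifetime runs from the first request of the window and is not extended.
    table add -subtable preblock $ip 0 indef $static::rl_window
    set count [table incr -notouch -subtable preblock $ip]

    if { $count > $static::rl_max } {
        # Threshold breached: move the IP to the "block" subtable.
        table set -subtable block $ip 1 indef $static::rl_blocktime
        table delete -subtable preblock $ip
        log local0. "rate limit - blocking $ip for $static::rl_blocktime s"
        reject
        return
    }
}
```

Clients behind a shared NAT or proxy arrive with one source address, so they share a single counter and a single block entry.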