Added DS to enforce a penalty box for certain requests

vmware · Sep 14, 2018 · 145c5db · 145c5db
1 parent fd19b4e
commit 145c5db
Show file tree

Hide file tree

Showing 4 changed files with 66 additions and 11 deletions.
diff --git a/rate_limit/add_headers_to_local_response.md b/rate_limit/add_headers_to_local_response.md
@@ -4,21 +4,11 @@ Local Response that is sent by a rate limiter.
 For the script to work you need to set the "custom" rate limiter in the Application
 Profile.
 
-1. On the controller, go to **Templates**
-2. Under the **Application** tab, select and edit your Application Profile 
-   (or create a new one)
-3. Select the **DDoS** tab
-4. Under **Add Rate Limit**, select **Rate Limit all HTTP requests that map to any 
-   custom string to all URLs of the Virtual Service.**
-5. Enter the values for **Threshold** and **Time Period**. 
-   For this particular use-case select **Action** as _Send HTTP Local Response_ and 
-   **Status Code** as _429_. You do not need to upload a file.
-6. Click **Save**
-
 The script below is written to emulate the VS Performance Rate Limiter. So all
 requests to a specific VS are rate limited.
 
 ```lua
+-- Event: HTTP_REQUEST
 resp_headers = {["My-header"]="Header_Data", ["Content-type"]="text/html"}
 resp_body = [[
 <html>

diff --git a/rate_limit/rate_limit_penalty_box.md b/rate_limit/rate_limit_penalty_box.md
@@ -0,0 +1,50 @@
+# Enforce a Penalty Timeout for Blacklisted Clients
+
+The DataScript below makes use of the DS rate limit function and the DS Table API
+to enforce a 'penalty box'for certain type of requests. Here, if a client were to 
+send more than x requests within a time period of t1 seconds, then all future 
+requests from the client will be dropped for t2 seconds.
+For example, if a client sent more than 20 requests in a 10 second period, then drop
+all incoming requests from that client for the next 900 seconds.
+
+**Idea:** Use the DS Table to enforce "Penalty box" for bad/malicious clients.
+If a request from the client is to be rate-limited (i.e. the number of requests 
+exceeded the allowed amount) then create an entry in the table for that client with 
+a lifetime equal to the penalty time. So, for each entry(client) in the table, drop 
+the request from that client. After, the penalty time has passed, the entry in the 
+table will be removed from the table.
+
+> To use the DS rate limiter you must create a rate limiter (that maps to custom strings) in the Application Profile.
+
+```lua
+-- Event: HTTP_REQUEST
+-- Key
+custom_string = avi.vs.client_ip()
+
+-- Note that the key could be any user-generated string that can be used to identify
+-- requests like URLs, Client IP addresses, Request headers, etc.
+
+--[[ For debugging purposes
+   avi.vs.log(custom_string)
+--]]
+
+-- Timeout value
+timeout = 900 -- The penalty time
+
+-- Lookup table
+given_action, remaining = avi.vs.table_lookup(custom_string, 0)
+-- Last argument must be zero to tell table_lookup not to extend the timeout value
+
+if given_action then
+    avi.http.close_conn()
+-- if not found in table
+else
+    count_exceeded, given_action = avi.vs.rate_limit(avi.RL_CUSTOM_STRING, custom_string, true)
+    if count_exceeded then
+        -- If number of requests from this client exceeds the maximum allowed amount
+        -- Then, create an entry in the table for this client with a lifetime of 900s
+        avi.vs.table_insert(custom_string, given_action, timeout)
+        avi.http.close_conn()
+    end
+end
+```
diff --git a/rate_limit/set_up_DS_rate_limiter.md b/rate_limit/set_up_DS_rate_limiter.md
@@ -0,0 +1,12 @@
+# Setting up the DS Rate Limiter in the Application Profile
+
+1. On the controller, go to **Templates**
+2. Under the **Application** tab, select and edit your Application Profile 
+   (or create a new one)
+3. Select the **DDoS** tab
+4. Under **Add Rate Limit**, select **Rate Limit all HTTP requests that map to any 
+   custom string to all URLs of the Virtual Service.**
+5. Enter the values for **Threshold** and **Time Period**. 
+   For this particular use-case select **Action** as _Send HTTP Local Response_ and 
+   **Status Code** as _429_. You do not need to upload a file.
+6. Click **Save**
diff --git a/readme.md b/readme.md
@@ -55,7 +55,10 @@
 [Client Cache Control Behavior](availability/client_cache_control_behavior.md)  
 
 ## Rate Limiting
+[Setting up Rate Limiter to use in DataScript](rate_limit/set_up_DS_rate_limiter.md)
 [Add Custom Headers to Local Response](rate_limit/add_headers_to_local_response.md)
+[Enforce a Penalty Timeout for Blacklisted Clients](rate_limit/rate_limit_penalty_box.md)
+
 ## Troubleshooting
 [Log SSL Version](security/log_ssl_version.md)  
 [Log HTTP Headers](security/log_http_headers.md)