Commit
Added DS to enforce a penalty box for certain requests
Nikhil Yerramilli committed Sep 14, 2018 (1 parent: fd19b4e; commit 145c5db)
Showing 4 changed files with 66 additions and 11 deletions.
@@ -0,0 +1,50 @@ | ||
# Enforce a Penalty Timeout for Blacklisted Clients | ||
|
||
The DataScript below makes use of the DS rate limit function and the DS Table API | ||
to enforce a 'penalty box'for certain type of requests. Here, if a client were to | ||
send more than x requests within a time period of t1 seconds, then all future | ||
requests from the client will be dropped for t2 seconds. | ||
For example, if a client sent more than 20 requests in a 10 second period, then drop | ||
all incoming requests from that client for the next 900 seconds. | ||
|
||
**Idea:** Use the DS Table to enforce "Penalty box" for bad/malicious clients. | ||
If a request from the client is to be rate-limited (i.e. the number of requests | ||
exceeded the allowed amount) then create an entry in the table for that client with | ||
a lifetime equal to the penalty time. So, for each entry(client) in the table, drop | ||
the request from that client. After, the penalty time has passed, the entry in the | ||
table will be removed from the table. | ||
|
||
> To use the DS rate limiter you must create a rate limiter (that maps to custom strings) in the Application Profile. | ||
```lua | ||
-- Event: HTTP_REQUEST | ||
-- Key | ||
custom_string = avi.vs.client_ip() | ||
|
||
-- Note that the key could be any user-generated string that can be used to identify | ||
-- requests like URLs, Client IP addresses, Request headers, etc. | ||
|
||
--[[ For debugging purposes | ||
avi.vs.log(custom_string) | ||
--]] | ||
|
||
-- Timeout value | ||
timeout = 900 -- The penalty time | ||
|
||
-- Lookup table | ||
given_action, remaining = avi.vs.table_lookup(custom_string, 0) | ||
-- Last argument must be zero to tell table_lookup not to extend the timeout value | ||
|
||
if given_action then | ||
avi.http.close_conn() | ||
-- if not found in table | ||
else | ||
count_exceeded, given_action = avi.vs.rate_limit(avi.RL_CUSTOM_STRING, custom_string, true) | ||
if count_exceeded then | ||
-- If number of requests from this client exceeds the maximum allowed amount | ||
-- Then, create an entry in the table for this client with a lifetime of 900s | ||
avi.vs.table_insert(custom_string, given_action, timeout) | ||
avi.http.close_conn() | ||
end | ||
end | ||
``` |
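Review bot: the `given_action` returned by `avi.vs.rate_limit` is written into the table by `avi.vs.table_insert(custom_string, given_action, timeout)` and read back by `avi.vs.table_lookup`, but it is only ever tested for truthiness; both branches end in `avi.http.close_conn()`, so the action chosen in the Application Profile is never applied. Either act on the stored value when the lookup finds it, or store a plain marker and say in the README that penalised and newly rate-limited clients always have their connection dropped. Reusing the name `given_action` for both the lookup result and the rate-limit result also makes the two branches harder to follow. Because the key is `avi.vs.client_ip()`, the README should note that all clients behind one shared source address (NAT, forward proxy) share a single penalty entry; the comment about alternative keys is the natural place for that. Minor text slips: `'penalty box'for` needs a space, "certain type of requests" should read "certain types of request", and "After, the penalty time" has a stray comma.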
@@ -0,0 +1,12 @@ | ||
# Setting up the DS Rate Limiter in the Application Profile | ||
|
||
1. On the controller, go to **Templates** | ||
2. Under the **Application** tab, select and edit your Application Profile | ||
(or create a new one) | ||
3. Select the **DDoS** tab | ||
4. Under **Add Rate Limit**, select **Rate Limit all HTTP requests that map to any | ||
custom string to all URLs of the Virtual Service.** | ||
5. Enter the values for **Threshold** and **Time Period**. | ||
For this particular use-case select **Action** as _Send HTTP Local Response_ and | ||
**Status Code** as _429_. You do not need to upload a file. | ||
6. Click **Save** |
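Review bot: step 5 does not say how the configured Action interacts with the DataScript in the other file: that script calls `avi.http.close_conn()` on both paths, so a rate-limited client sees a dropped connection rather than the 429 local response selected here. State which behaviour is intended, or note that the 429 is only what clients receive when the rate limiter runs without the script. It would also help to list the example values the other README uses (Threshold 20, Time Period 10 seconds, with the 900 second penalty set in the script) so the two files agree, and to explain why no upload is needed, since "You do not need to upload a file" answers a question the steps never raise.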