ADC

Examples of rate-based policies

This topic lists some examples of rate-based policies.

Limit the number of requests from a URL

Run the following commands to limit the number of requests per second from a URL:

add stream selector ipStreamSelector http.req.url "client.ip.src"

add ns limitIdentifier ipLimitIdentifier -threshold 4 -timeSlice 1000 -mode request_rate -limitType smooth -selectorName ipStreamSelector

add responder action myWebSiteRedirectAction redirect "\"http: //www.mycompany .com/\""

add responder policy ipLimitResponderPolicy "http.req-url.contains(\"myasp.asp\") && sys.check_limit(\"ipLimitIdentifier\")" myWebSiteRedirectaction

bind responder global ipLimitResponderPolicy 100 END -type default
<!--NeedCopy-->

Cache a response for the request URL

Run the following commands to cache a response if the request URL rate is more than 5 per 20000 milliseconds:

add stream selector cacheStreamSelector http.req.url

add ns limitidentifier cacheRateLimitIdentifier -threshold 5 -timeSlice 2000 -selectorName cacheStreamSelector

add cache policy cacheRateLimitPolicy -rule "http req.method.eq(get) && sys.check_limit \"cacheRateLimitIdentifier\")" -action cache

bind cache global cacheRateLimitPolicy -priority 10
<!--NeedCopy-->

Drop a connection based on cookies

Run the following commands to drop a connection based on the cookies when the following conditions are met:

  • cookies are received in requests from www.mycompany.com
  • the number of requests are more than the rate limit
add stream selector reqCookieStreamSelector "http req.cookie «value(\"mycookie\")" "client.ip.src.subnet(24)"

add ns limitIdentifier myLimitIdentifier -Threshold 2 -timeSlice 3000 -selectorName reqCookieStreamSelector

add responder action sendRedirectUrl redirect '\"http://www.mycompany.com\" + http.req.url' -bypassSafetyCheck YES

add responder policy rateLimitCookiePolicy "http. req.url.contains(\"www.yourcompany.com\") && sys check_limit(\"myLimitIdentifier\")" sendRedirectUrl
<!--NeedCopy-->

Drop a DNS packet from a particular IP address

Run the following commands to drop a DNS packet if the requests from a particular client IP address and DNS domain are more than the rate limit:

add stream selector dropDNSStreamSelector client udp.dns.domain client.ip.src

add ns limitIdentifier dropDNSRateIdentifier -timeslice 20000 -mode request_rate -selectorName dropDNSStreamSelector -maxBandwidth 1 -trapsintimeslice 20

add dns policy dnsDropOnClientRatePolicy "sys check_limit (\"dropDNSRateIdentifier\")" -drop yes
<!--NeedCopy-->

Limit the number of HTTP requests from the same host

Run the following commands to restrict the number of HTTP requests that:

  • Originate from the same host
  • Use a subnet mask of 32
  • Are directed to the same destination IP address
add stream selector ipv6_sel CLIENT.IPv6.SRC.SUBNET(32) CLIENT.IPv6.DST HTTP.REQ.URL

add ns limitIdentifier ipv6_id -timeSlice 20000 -selectorName ipv6_sel

add lb vserver ipv6_vip HTTP 3ffe::209 80 -persistenceType NONE -cltTimeout 180

add responder action redirect_page redirect "\"http://redirectpage.com/\""

add responder policy ipv6_resp_pol "SYS.CHECK_LIMIT(\"ipv6_id\")" redirect_page

bind responder global ipv6_resp_pol 5 END -type DEFAULT
<!--NeedCopy-->
Examples of rate-based policies