Examples of Rate-Based Policies

Apr 18, 2013

The following table shows examples of rate-based policies.

Table 1. Examples of Rate-Based Policies



Limit the number of requests per second from a URL

add stream selector ipStreamSelector http.req.url "client.ip.src" 
add ns limitIdentifier ipLimitIdentifier -threshold 4 -timeSlice 1000 
 -mode request_rate -limitType smooth -selectorName ipStreamSelector 
add responder action myWebSiteRedirectAction redirect 
add responder policy ipLimitResponderPolicy "http.req.url.contains(\"myasp.asp\") 
 && sys.check_limit(\"ipLimitIdentifier\")" myWebSiteRedirectAction 
bind responder global ipLimitResponderPolicy 100 END -type default

Cache a response if the request URL rate exceeds 5 per 20000 milliseconds

add stream selector cacheStreamSelector http.req.url 
add ns limitidentifier cacheRateLimitIdentifier -threshold 5 -timeSlice 2000 
 -selectorName cacheStreamSelector 
add cache policy cacheRateLimitPolicy -rule "http.req.method.eq(get) 
 && sys.check_limit(\"cacheRateLimitIdentifier\")" -action cache 
bind cache global cacheRateLimitPolicy -priority 10

Drop a connection on the basis of cookies received in requests from if the requests exceed the rate limit

add stream selector reqCookieStreamSelector "http.req.cookie 
.value(\"mycookie\")" "client.ip.src.subnet(24)" 
add ns limitIdentifier myLimitIdentifier -Threshold 2 -timeSlice 3000 
 -selectorName reqCookieStreamSelector 
add responder action sendRedirectUrl redirect '\"\" 
 + http.req.url' -bypassSafetyCheck YES 
add responder policy rateLimitCookiePolicy 
 && sys.check_limit(\"myLimitIdentifier\")" sendRedirectUrl

Drop a DNS packet if the requests from a particular client IP address and DNS domain exceed the rate limit

add stream selector dropDNSStreamSelector client.udp.dns.domain client.ip.src 
add ns limitIdentifier dropDNSRateIdentifier -timeslice 20000 -mode request_rate 
 -selectorName dropDNSStreamSelector -maxBandwidth 1 -trapsintimeslice 20 
add dns policy dnsDropOnClientRatePolicy "sys.check_limit 
(\"dropDNSRateIdentifier\")" -drop yes

Limit the number of HTTP requests that arrive from the same subnet (with a subnet mask of 32) and that have the same destination IP address.

add stream selector ipv6_sel "CLIENT.IPv6.src.subnet(32)" CLIENT.IPv6.dst Q.URL 
add ns limitIdentifier ipv6_id -timeSlice 20000 -selectorName ipv6_sel 
add lb vserver ipv6_vip HTTP 3ffe::209 80 -persistenceType NONE -cltTimeout 180 
add responder action redirect_page redirect "\"\"" 
add responder policy ipv6_resp_pol "SYS.CHECK_LIMIT(\"ipv6_id\")" redirect_page 
bind responder global ipv6_resp_pol 5 END -type DEFAULT
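
Every example in the table depends on the same chain: a policy calls sys.check_limit on a limit identifier, and the identifier names a stream selector through -selectorName. The following Python script is an added example, not part of the original documentation or of the product. It audits a saved configuration for breaks in that chain, assuming commands may be wrapped across lines as in the table and that entity names are compared exactly as written. The sample configuration is constructed.

```python
import re

# Constructed sample in the page's command style, including wrapped lines.
# orphanId, missingSel and ghostId are deliberately broken references.
SAMPLE = r'''
add stream selector ipStreamSelector http.req.url "client.ip.src"
add ns limitIdentifier ipLimitIdentifier -threshold 4 -timeSlice 1000
 -mode request_rate -limitType smooth -selectorName ipStreamSelector
add ns limitIdentifier orphanId -threshold 5 -timeSlice 20000
 -selectorName missingSel
add responder policy p1 "http.req.url.contains(\"myasp.asp\")
 && sys.check_limit(\"ipLimitIdentifier\")" myAction
add dns policy p2 "sys.check_limit
(\"ghostId\")" -drop yes
'''

SELECTOR = re.compile(r'^add\s+stream\s+selector\s+(\S+)', re.I)
LIMIT_ID = re.compile(r'^add\s+ns\s+limitIdentifier\s+(\S+)(.*)$', re.I)
SEL_OPT = re.compile(r'-selectorName\s+(\S+)', re.I)
CHECK = re.compile(r'sys\.check_limit\s*\(\s*\\?"([^"\\]+)\\?"\s*\)', re.I)

def commands(config):
    """Rejoin wrapped lines: a command starts at a line beginning add/bind/set."""
    parts = re.split(r'\n(?=(?:add|bind|set)\s)', config.strip(), flags=re.I)
    return [" ".join(p.split()) for p in parts]

def audit(config):
    """Return (finding, name, detail) tuples for broken selector/identifier links."""
    selectors, limit_ids, used = set(), {}, set()
    for cmd in commands(config):
        used.update(CHECK.findall(cmd))      # identifiers referenced by policies
        m = SELECTOR.match(cmd)
        if m:
            selectors.add(m.group(1))
        m = LIMIT_ID.match(cmd)
        if m:
            sel = SEL_OPT.search(m.group(2))
            limit_ids[m.group(1)] = sel.group(1) if sel else None
    findings = []
    for name, sel in sorted(limit_ids.items()):
        if sel is not None and sel not in selectors:
            findings.append(("undefined-selector", name, sel))
        if name not in used:
            findings.append(("unused-limit-identifier", name, None))
    for name in sorted(used - set(limit_ids)):
        findings.append(("undefined-limit-identifier", name, None))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An unused limit identifier means the rate limit is defined but never enforced; an undefined one means the policy refers to a limit that does not exist.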