Client IP address restrictions on a server load balancer

Source: Internet
Author: User

Many websites that provide public services run into performance problems caused by a large number of accesses from a single client IP address. This may be attack traffic, but it may also be several clients sharing one address behind a proxy server or NAT device. How can such traffic be limited effectively without affecting normal users? Different products offer different levels of protection here. This article uses the A10 Networks AX server load balancer as an example to describe how client IP address restrictions are implemented. The connections discussed here are full TCP connections, or half-open connections when the SYN-cookie function is not enabled; the load balancer's SYN-flood protection is strong, but it is not discussed in this article. Total-connection and connection-rate limits can also be set per server and per virtual server, which are also outside the scope of this article.

First, the resource usage of a client shows up in the following dimensions:

  • Number of concurrent connections. A large number of connections open at the same time from one client IP address consumes server connection resources.
  • New connection rate. The number of new connections per second from the same client IP address.
  • Number of concurrent layer-7 requests from the same client IP address. The concurrent connection limit bounds the number of TCP connections, but a single TCP connection can carry many HTTP requests.
  • Layer-7 request rate. Because one TCP connection carries multiple layer-7 requests, a pure TCP connection limit may not protect effectively. Popular CC attacks use a few TCP connections to send a large number of HTTP requests.
  • Bandwidth usage. For a server load balancer device, connection-based processing is more reasonable; once the number of connections and requests is limited sensibly, bandwidth is limited accordingly.

Server load balancer devices usually have enough concurrent-connection and new-connection capacity to forward this traffic to the servers, but the servers often cannot bear the load, so in many cases the client IP address is limited to avoid server overload. A per-server connection limit, however, affects all clients. Limiting by client IP address ensures that users who are not over-using the service are unaffected, and that only attack traffic and over-using clients are restricted.

The following describes how this works and the configuration commands involved.

  • The AX can define an IP list called a class list. Up to 255 class lists can be defined, and each class list can hold 8 million host IP addresses (/32 mask) and 64K network subnets. A class list can also exist as a file.
  • The format of a class list entry is as follows:

ipaddr/network-mask [glid num | lid num] [age minutes] [;comment-string]

The lid is the limiting ID: the number of a restriction rule defined under a policy template.

The glid is the global limiting ID: the number of a globally defined restriction rule.

Age sets after how many minutes the entry is deleted. It applies only to host IP addresses and can be used to restrict a suspicious attacking IP address for a short time.

For example:

1.1.1.1/32 lid 1
2.2.2.0/24 lid 2 ; lid 2 applies to every single IP of this subnet
0.0.0.0/0 lid 10 ; lid 10 applies to every undefined single IP
3.3.3.3/32 glid 3 ; use global lid 3

  • Under a lid or glid, define the corresponding restriction rule: the number of concurrent connections per IP address, the number of new connections per interval (the interval is given in units of 100 ms), the number of concurrent requests, the number of requests per interval, and optionally the action taken when a limit is exceeded (forward, reset, lockout, log):

conn-limit num
conn-rate-limit num per num-of-100ms
request-limit num
request-rate-limit num per num-of-100ms

over-limit-action [forward | reset] [lockout minutes] [log minutes]

Example (at most 50 requests per one 100 ms interval and 60000 concurrent requests per client IP; excess is reset and logged):

AX(config-policy)# class-list lid 1
AX(config-policy lid)# request-rate-limit 50 per 1
AX(config-policy lid)# request-limit 60000
AX(config-policy lid)# over-limit reset logging

  • The policy template names the class list to use and the corresponding lid rules, for example:

AX(config)# slb template policy vp_policy
AX(config-policy)# class-list name vp_list
AX(config-policy)# class-list lid 1
AX(config-policy lid)# request-rate-limit 50 per 1
AX(config-policy lid)# request-limit 60000
AX(config-policy lid)# over-limit reset logging

  • Apply the restriction policy to a VIP, a vport, or globally. The following example applies the policy to HTTP requests under vport 80:

AX(config)# slb virtual server VS1
AX(config-slb virtual server)# port 80 http
AX(config-slb virtual server-slb virtua...)# template policy vp_policy
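To make the class list, lid and over-limit semantics above concrete, here is an added Python model; it is not A10 or ACOS code. The names Lid, ClassList and ClientLimiter, the per-IP counters, the sliding 100 ms window, and the meaning of forward (admit but log) and reset (reject) are assumptions for the illustration. It uses lid 1 exactly as configured above; lid 2 (a connection cap with a one-minute lockout) and lid 10 (a log-only default) are assumed.

```python
# Added illustration, not A10/ACOS code: Lid, ClassList, ClientLimiter and the
# forward/reset semantics are assumptions; lid 1 mirrors the page's configuration.
from collections import deque
from dataclasses import dataclass, field
import ipaddress

@dataclass
class Lid:  # rate limits are (num, interval) with interval in units of 100 ms, as in the CLI
    conn_limit: int = None
    conn_rate_limit: tuple = None
    request_limit: int = None
    request_rate_limit: tuple = None
    over_limit_action: str = "forward"
    lockout_minutes: int = 0
    logging: bool = False

@dataclass
class ClientState:
    conns: int = 0
    requests: int = 0
    conn_times: deque = field(default_factory=deque)
    req_times: deque = field(default_factory=deque)
    locked_until: int = -1  # ms timestamp

class ClassList:
    """Longest-prefix match: a /32 entry overrides its /24; 0.0.0.0/0 catches the rest."""
    def __init__(self, entries):  # entries: [(cidr, lid number), ...]
        self.entries = [(ipaddress.ip_network(c), lid) for c, lid in entries]

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        hits = [(n, lid) for n, lid in self.entries if addr in n]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

class ClientLimiter:
    def __init__(self, class_list, lids):
        self.class_list, self.lids = class_list, lids
        self.clients = {}  # one counter set per IP, even for IPs matched via a subnet entry
        self.log = []

    @staticmethod
    def _over_rate(times, limit, now):
        if limit is None:
            return False
        num, interval = limit
        while times and times[0] <= now - interval * 100:  # slide the window forward
            times.popleft()
        return len(times) >= num

    def _decide(self, ip, now, kind):
        lid = self.lids.get(self.class_list.lookup(ip))
        if lid is None:
            return "allow"
        st = self.clients.setdefault(ip, ClientState())
        cur, times, cap, rate = ((st.conns, st.conn_times, lid.conn_limit, lid.conn_rate_limit)
                                 if kind == "conn" else
                                 (st.requests, st.req_times, lid.request_limit, lid.request_rate_limit))
        over = (now < st.locked_until or (cap is not None and cur >= cap)
                or self._over_rate(times, rate, now))
        if over:
            if lid.lockout_minutes and now >= st.locked_until:
                st.locked_until = now + lid.lockout_minutes * 60_000
            if lid.logging:
                self.log.append(f"{now}ms {ip} over {kind} limit -> {lid.over_limit_action}")
            if lid.over_limit_action == "reset":
                return "reset"
        if kind == "conn":
            st.conns += 1
        else:
            st.requests += 1
        times.append(now)  # admitted (within limits, or over-limit with action forward)
        return "forward" if over else "allow"

    def new_connection(self, ip, now_ms): return self._decide(ip, now_ms, "conn")
    def close_connection(self, ip): self.clients[ip].conns -= 1
    def new_request(self, ip, now_ms): return self._decide(ip, now_ms, "req")

def build_example():
    class_list = ClassList([("1.1.1.1/32", 1), ("2.2.2.0/24", 2), ("0.0.0.0/0", 10)])
    lids = {  # lid 1 as configured on the page; lids 2 and 10 are assumed for the demo
        1: Lid(request_rate_limit=(50, 1), request_limit=60000, over_limit_action="reset", logging=True),
        2: Lid(conn_limit=5, over_limit_action="reset", lockout_minutes=1, logging=True),
        10: Lid(request_rate_limit=(50, 1), over_limit_action="forward", logging=True),
    }
    return ClientLimiter(class_list, lids)

def demo():
    lim = build_example()
    burst = [lim.new_request("1.1.1.1", t) for t in range(51)]   # 51 requests within 51 ms
    later = lim.new_request("1.1.1.1", 160)                      # the 100 ms window has moved on
    conns = [lim.new_connection("2.2.2.10", 0) for _ in range(6)]
    sibling = lim.new_connection("2.2.2.11", 0)                  # same subnet, separate counters
    lim.close_connection("2.2.2.10")
    locked = lim.new_connection("2.2.2.10", 5_000)               # still inside the 1 min lockout
    unlocked = lim.new_connection("2.2.2.10", 61_000)
    noisy = [lim.new_request("9.9.9.9", t) for t in range(51)]   # default lid: logged, forwarded
    return {"burst": burst, "later": later, "conns": conns, "sibling": sibling,
            "locked": locked, "unlocked": unlocked, "noisy": noisy, "log": lim.log}
```

Running demo() shows the three behaviours the configuration relies on: the 51st request from 1.1.1.1 inside one 100 ms interval is reset, while the same client is allowed again once the window has moved on; every host in 2.2.2.0/24 is counted separately, and a lockout keeps rejecting even after a connection is closed; and the 0.0.0.0/0 entry with a forward action only logs the excess without dropping it.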

When setting limits, take into account that several clients behind a proxy server or NAT device may share one IP address. Start with a high limit and lower it gradually. Alternatively, collect the IP addresses in a log-only mode without restricting anything; after analyzing the addresses, define a specific restriction policy.
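An added illustration of the log-first approach just described, not A10 code: the script ranks client IPs by their peak request rate inside a sliding 100 ms window (the unit the request-rate-limit command uses) and reports which IPs a candidate threshold would affect, so an operator can start high and tighten while watching the impact. The log format and the sample lines are constructed for this example; the busy proxy address is included to show why a threshold that catches the burst must still leave shared addresses alone.

```python
# Added illustration, not A10 code: the log format and sample lines are constructed.
from collections import defaultdict, deque

# Constructed access log, one request per line: "<ms since start> <client IP> <request>"
SAMPLE_LOG = "\n".join(
    [f"{t} 203.0.113.7 GET /login" for t in range(0, 400, 5)]          # 80 requests in 400 ms
    + [f"{t} 198.51.100.9 GET /page/{t}" for t in range(0, 2000, 25)]  # busy NAT/proxy address
    + ["0 10.0.0.5 GET /", "30 10.0.0.5 GET /a.css", "700 10.0.0.5 GET /b.js",
       "100 10.0.0.6 GET /", "1500 10.0.0.6 GET /c.png"]                # ordinary clients
)

def peak_rate_per_ip(log_text, window_ms=100):
    """Highest number of requests any single IP made inside one sliding window."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, _ = line.split(" ", 2)
        times[ip].append(int(ts))
    peaks = {}
    for ip, stamps in times.items():
        window, peak = deque(), 0
        for ts in sorted(stamps):
            window.append(ts)
            while window[0] <= ts - window_ms:  # drop requests older than the window
                window.popleft()
            peak = max(peak, len(window))
        peaks[ip] = peak
    return peaks

def affected_by(peaks, threshold):
    """IPs that a request-rate-limit of `threshold` per window would have hit, busiest first.
    With a limit of N per window the (N+1)th request is over limit, so peak > threshold."""
    hit = [(ip, p) for ip, p in peaks.items() if p > threshold]
    return sorted(hit, key=lambda x: -x[1])

if __name__ == "__main__":
    peaks = peak_rate_per_ip(SAMPLE_LOG)
    for threshold in (50, 10, 3):  # start high, then tighten, watching who would be affected
        print(threshold, affected_by(peaks, threshold))
```

On the constructed log, a limit of 50 per 100 ms affects nobody, 10 per 100 ms affects only the bursting address, and 3 per 100 ms would also start limiting the shared proxy address; the last step is the point at which tightening stops.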
