The dynamic rate limiter is used if you want to rate limit the number of connections/ request on virtual service for any user. For instance, if the dynamic rate limiter is configured to do 1000 connections/ requests per second, then it will only allow 1000 requests from user A, 1000 requests from user B, and so on.
The dynamic rate limiter uses a hash key mechanism to apply a distinct rate limiter bucket to each entity (client IP, URL, and so on.) being rate limited. Hash collisions are possible, especially if the number of unique entities being rate limited is large. The default number of buckets is 16k and this can be increased to minimize collisions in such high-scale scenarios. The configuration is made in the Service Engine Group.
The following example shows how to increase the number of buckets to 1M:
[admin:controller]: > configure serviceenginegroup Default-Group [admin:controller]: serviceenginegroup> se_rl_prop msf_stage_size 1048576 [admin:controller]: serviceenginegroup:se_rl_prop> save [admin:controller]: serviceenginegroup> save
This is applicable to all rate limiters for all the virtual services in the SE Group. This will incur significant shared memory usage and must be increased appropriately. A single rate limiter for 1M buckets will need around 64MB of memory.
[admin:controller]: > configure serviceenginegroup Default-Group [admin:controller]: serviceenginegroup> extra_shared_config_memory 64 [admin:controller]: serviceenginegroup> save
The above changes need SE reboot to come in effect.
Application Profile Rate Limiter
These rate limiters are used to create dynamic rate limiters. It is configured on the application profile attached to the virtual service.
The Application Profile Rate Limiter can apply both to HTTP and L4 Application profiles. Rate limiting of both UDP and TCP connections is supported in the case of L4 application profiles.
The following are the application profile rate limiter configured through performance:
TCP Application Profile: Only Rate Limit connection from a Client option is available. You can configure one of the following actions:
Report only (
rl_action_none
)Drop Syn packets (
rl_action_drop_conn
)Send reset (
rl_action_reset_conn
)
UDP Application Profile: Only Rate limit connection from a client option is available. You can configure one of the following actions:
Report Only (
rl_action_none
)Drop UDP packets (
rl_action_drop_conn
)ICMP port unreachable (
rl_action_reset_conn
)
HTTP Application Profile: The following rate limiters are available in this profile:
Rate Limit connections from a client (which is available in TCP/ UDP as well)
Rate Limit Request from a Client to all URLs. The action types are as follows:
Report only (
rl_action_none
)Close TCP connection (
rl_action_close_conn
)Send HTTP local response (
rl_action_local_rsp
)Send HTTP Redirect (
rl_action_redirect
)
Rate Limit failed requests from a client to all URLS. The action types are as follows:
Report only (
rl_action_none
)Close TCP connection (
rl_action_close_conn
)Send HTTP local response (
rl_action_local_rsp
)Send HTTP Redirect (
rl_action_redirect
)
Rate Limit failed Requests from all client to a URL. The action types are as follows:
Report only (
rl_action_none
)Close TCP connection (
rl_action_close_conn
)Send HTTP local response (
rl_action_local_rsp
)Send HTTP Redirect (
rl_action_redirect
)
Rate Limit all HTTP requests that map to any customer string all URLS of the virtual Service. The action types are as follows:
Report only (
rl_action_none
)Close TCP connection (
rl_action_close_conn
)Send HTTP local response (
rl_action_local_rsp
)Send HTTP Redirect (
rl_action_redirect
)
Rate Limit failed requests from a client to a URL. The action types are as follows:
Report only (
rl_action_none
)Close TCP connection (
rl_action_close_conn
)Send HTTP local response (
rl_action_local_rsp
)Send HTTP Redirect (
rl_action_redirect
)
Rate Limit scans from a Client to all URLS. The action types are as follows:
Report only (
rl_action_none
)Close TCP connection (
rl_action_close_conn
)Send HTTP local response (
rl_action_local_rsp
)Send HTTP Redirect (
rl_action_redirect
)
Rate Limit scans from all client to all URLS. The action types are as follows:
Report only (
rl_action_none
)Close TCP connection (
rl_action_close_conn
)Send HTTP local response (
rl_action_local_rsp
)Send HTTP Redirect (
rl_action_redirect
)
The following is the CLI to configure application profile:
[admin]: applicationprofile> dos_rl_profile [admin]: applicationprofile:dos_rl_profile> rl_profile [admin]: applicationprofile:dos_rl_profile:rl_profile> client_ip_connections_rate_limit [admin]: applicationprofile:dos_rl_profile:rl_profile:client_ip_connections_rate_limit> rate_limiter [admin]: applicationprofile:dos_rl_profile:rl_profile:client_ip_connections_rate_limit:rate_limiter> count 1000 No change in field value [admin]: applicationprofile:dos_rl_profile:rl_profile:client_ip_connections_rate_limit:rate_limiter> period 1 No change in field value [admin]: applicationprofile:dos_rl_profile:rl_profile:client_ip_connections_rate_limit:rate_limiter> burst_sz 1000 No change in field value [admin]: applicationprofile:dos_rl_profile:rl_profile:client_ip_connections_rate_limit:rate_limiter> save
You can edit Rate Limit HTTP and TCP Settings section in DDos tab in Application Profile window.