Oracle iPlanet Web Server 7.0.9 Administrator's Configuration File Reference

check-request-limits

The check-request-limits function monitors incoming requests that match a given attribute (for example, the client IP address) and computes the average number of requests per second over a configurable time interval. When the requests matching the monitored attribute exceed a threshold that you configure, subsequent matching requests are not serviced until the request rate drops. Use this function to detect and throttle possible denial-of-service attacks.

You must specify at least one of max-rps or max-connections; otherwise check-request-limits does nothing. If you do not specify a monitor attribute, the function tracks all matching requests together in a single anonymous bucket.

By default, the function keeps entries on requests for 300 seconds (five minutes) before purging them. To adjust this time, use the init-request-limits SAF in magnus.conf. For more information, see init-request-limits.

Parameters

The following table describes parameters for the check-request-limits function.

Table 7–17 check-request-limits Parameters

Parameter 

Description 

max-rps

(Optional) Threshold for matching requests per second. If this threshold is exceeded, subsequent matching requests are not serviced until the rate drops. Because an acceptable threshold value can vary widely between sites, there is no default value for this parameter.

max-connections

(Optional) Maximum number of concurrent matching connections. If the server receives a request that matches the criteria while the number of matching requests currently being processed meets or exceeds this number, the request is denied.

Note that this number counts the matching requests in progress at any given moment and is independent of the interval parameter. As soon as the number of concurrent requests falls below this limit, new matching requests are processed again.

Because an acceptable value can vary widely between sites, there is no default value for this parameter.

interval

(Optional) The time interval, in seconds, over which the average requests per second is computed. The max-rps limit is not applied until the next request-rate computation, so matching requests that arrive during the current interval are serviced without limit, even when they come from a potential attacker. Balance the length of this interval against the performance cost of recomputing the request rate more often. The default is 30 seconds.

continue

(Optional) Determines what condition must be met in order for a blocked request type to become available again for servicing.  

Valid values are:

  • silence – Refused requests must fall to zero in a subsequent interval for service to resume.

  • threshold – Refused requests must fall below the max-rps value for service to resume.

The default value is threshold.

error

(Optional) The HTTP status code to use for blocked requests. The default value is 503 (the Service Unavailable error).

monitor

(Optional) A request attribute to monitor. Request rates are tracked in a bucket named by the value of this parameter. If the monitor parameter is not specified, the matching requests are tracked in an unnamed (anonymous) bucket. Note that these buckets are different from the buckets you specify with the standard obj.conf bucket parameter.

Although the value of the monitor parameter can be a fixed string, it is most useful when you use predefined variables, for example, monitor="$ip". You can also specify multiple variables, separated by a colon. For example, monitor="$ip:$uri". For a list of predefined variables, see Predefined Variables.


bucket

(Optional) Common to all obj.conf functions. Adds a bucket to monitor performance. For more information, see The bucket Parameter.
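To make the interaction of max-rps, interval, continue and max-connections concrete, the following Python model applies the rules described in this table to a constructed request stream. It is an added illustration written for this reference, not code from the iPlanet server: the directive parser, the RequestLimiter class, the 200/503 return convention, and the sample addresses and timestamps are all assumptions made for the example. Where the table leaves details open (exactly when the rate is recomputed, how refused requests feed the continue decision), the model picks one reading and states it in comments.

```python
"""Executable model of the documented check-request-limits semantics.

Added illustration, not iPlanet code. Assumed reading of the reference: the
rate is computed once per interval, a bucket is blocked only after that
computation, and refused requests are counted toward the continue= decision.
"""
import re

# Hypothetical parser for the obj.conf  key="value"  parameter syntax.
_PARAM = re.compile(r'([\w-]+)="([^"]*)"')


def parse_pathcheck(line):
    """Return the parameters of a PathCheck fn="check-request-limits" line."""
    params = dict(_PARAM.findall(line))
    if params.get("fn") != "check-request-limits":
        raise ValueError(f"not a check-request-limits directive: {line!r}")
    # Without max-rps or max-connections the SAF does nothing; treat that as a config error.
    if "max-rps" not in params and "max-connections" not in params:
        raise ValueError("max-rps or max-connections is required")
    return params


class RequestLimiter:
    """Per-bucket rate and concurrency limiter modelled on the SAF parameters."""

    def __init__(self, params):
        self.max_rps = float(params["max-rps"]) if "max-rps" in params else None
        self.max_conn = int(params["max-connections"]) if "max-connections" in params else None
        self.interval = float(params.get("interval", 30))
        self.mode = params.get("continue", "threshold")   # threshold | silence
        self.error = int(params.get("error", 503))
        self.monitor = params.get("monitor", "")           # "" = anonymous bucket
        self.buckets = {}

    def bucket_key(self, request):
        """Expand $ip / $uri style variables in monitor=; fixed text is kept verbatim."""
        return re.sub(r"\$(\w+)", lambda m: str(request.get(m.group(1), "")), self.monitor)

    def _state(self, key):
        return self.buckets.setdefault(
            key, {"start": None, "count": 0, "refused": 0, "blocked": False, "inflight": 0})

    def _recompute(self, st, now):
        """Interval boundary: compute the rate and decide whether the bucket is blocked."""
        if self.max_rps is not None:
            if st["blocked"]:
                refused_rate = st["refused"] / self.interval
                resume = refused_rate == 0 if self.mode == "silence" else refused_rate < self.max_rps
                st["blocked"] = not resume
            else:
                st["blocked"] = st["count"] / self.interval > self.max_rps
        st["count"] = st["refused"] = 0
        st["start"] = now

    def check(self, request, now):
        """Return 200 if the request may be serviced, else the configured error code."""
        st = self._state(self.bucket_key(request))
        if st["start"] is None:
            st["start"] = now
        elif now - st["start"] >= self.interval:
            self._recompute(st, now)
        if st["blocked"]:
            st["refused"] += 1
            return self.error
        # max-connections is checked against in-flight requests, independent of the interval.
        if self.max_conn is not None and st["inflight"] >= self.max_conn:
            return self.error
        st["count"] += 1
        st["inflight"] += 1
        return 200

    def release(self, request):
        """Call when a serviced request completes; frees a max-connections slot."""
        st = self._state(self.bucket_key(request))
        st["inflight"] = max(0, st["inflight"] - 1)


DIRECTIVE = 'PathCheck fn="check-request-limits" monitor="$ip" max-rps="10" interval="2"'

# Constructed traffic: 10.0.0.1 bursts at 25 req/s, keeps hammering while refused,
# then slows to 2 req/s; 10.0.0.2 sends one request per second throughout.
SAMPLE_REQUESTS = (
    [(round(i * 0.04, 2), "10.0.0.1", "/cgi-bin/a.pl") for i in range(50)]
    + [(round(2.0 + i * 0.05, 2), "10.0.0.1", "/cgi-bin/a.pl") for i in range(30)]
    + [(4.0, "10.0.0.1", "/"), (4.3, "10.0.0.1", "/"), (4.6, "10.0.0.1", "/"), (4.9, "10.0.0.1", "/")]
    + [(6.0, "10.0.0.1", "/")]
    + [(0.5 + k, "10.0.0.2", "/index.html") for k in range(7)]
)


def simulate(directive, requests):
    """Run (timestamp, ip, uri) tuples in time order; return (timestamp, ip, status) tuples."""
    lim = RequestLimiter(parse_pathcheck(directive))
    out = []
    for ts, ip, uri in sorted(requests):
        req = {"ip": ip, "uri": uri}
        code = lim.check(req, ts)
        if code == 200:
            lim.release(req)   # each request finishes before the next one arrives
        out.append((ts, ip, code))
    return out


if __name__ == "__main__":
    for ts, ip, code in simulate(DIRECTIVE, SAMPLE_REQUESTS):
        print(f"{ts:5.2f} {ip:10} {code}")
```

With the sample directive, the attacker's first 50 requests are all serviced because the limit is only applied at the next rate computation; from the 2-second mark they are refused, they stay refused through the next interval because the refused rate (15 per second) is still above max-rps, and they are serviced again only after an interval in which the refused rate dropped to 2 per second. Appending continue="silence" to the same directive keeps the attacker blocked at that point, since any refused request in the interval prevents resumption. The bucket key is whatever the monitor expression expands to, so if all clients reach the server through a proxy that presents a single source address, monitor="$ip" places every client in one bucket; that is a general caveat about source-address keyed limits rather than something this reference states.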

Example

The following example limits a client IP to a maximum request rate of 10 requests per second, averaged over the default interval of 30 seconds:

PathCheck fn="check-request-limits" monitor="$ip" max-rps="10"

The following example limits a client IP to a maximum request rate of 10 requests per second when accessing any Perl CGIs. Other types of requests are unlimited:

<If path = "*.pl">
PathCheck fn="check-request-limits" monitor="$ip" max-rps="10"
</If>

For more information on using the If tag, see If, ElseIf, and Else.

The following example limits requests globally for Perl CGIs to 10 requests per second. Because no monitor parameter is specified, all Perl CGI requests are counted together in one anonymous bucket, regardless of which client sent them:

<If path = "*.pl">
PathCheck fn="check-request-limits" max-rps="10"
</If>

The following example limits a client IP from generating more than 10 Perl CGI requests per second, or 5 JSP requests per second. To track the Perl and JSP totals separately, the specified monitor parameters contain both a fixed string identifier and the client IP variable:

<If path = "*.pl">
PathCheck fn="check-request-limits" max-rps="10" monitor="perl:$ip"
</If>
<If path = "*.jsp">
PathCheck fn="check-request-limits" max-rps="5" monitor="jsp:$ip"
</If>

The following example limits any one client IP to no more than 5 concurrent connections at a given time:

PathCheck fn="check-request-limits" max-connections="5" monitor="$ip"