Rate Limiters

Overview

This guide explains the details of the rate limiter on Avi Vantage.

Rate limiting is used to control the rate (count/period) of requests or connections sent or received from a network. For instance, if you are using a virtual service that is configured to allow 1000 connections/second and if the number of connections you make exceeds that limit, then a rate limiting action will be triggered. You can configure this rate-limiting action.

The rate limits allow a better flow of data and increase security by mitigating attacks such as DDoS.

Controlling Rate Limiter

The following are the parameters to control the rate limiter:

  • Count — It is the rate at which the token is generated. A token is consumed every time a connection/request lands on the virtual service. If there is no token, then you can trigger the rate-limiting action.

  • Burst size — It is the maximum number of tokens that can be held by the virtual service at any given time.

  • Period — It is the period on which the rate-limiting will be performed. In the above example, it is 1000 connections/sec. You can configure the period to a different value other than 1 second.

Classifying the Rate Limiter

Classifying Based on the Use Case

The following are the two types of rate limiters based on the use case:

  • Static Rate Limiter

    • Virtual Service Connection Rate Limiter

    • Network Security Rate Limiter

    • DNS policy Rate Limiter

  • Dynamic Rate Limiter

    • Application Profile Rate Limiter

Static Rate Limiter

The static rate-limiter is used to rate limit the number of connections or requests on virtual service in total. For instance, if the virtual service rate limit is configured for 1000 connections/second, it will deny 1001’th connection/request for the configured period.

Virtual Service Connection Rate Limiter

This is configured on virtual service by the attribute name connections_rate_limit. This rate limiter rate limits the number of incoming connections to the virtual service.

The following are the rate limiting action options:

  • Drop Syn Packets

  • Send TCP Reset

  • Report Only

The following is the CLI for virtual service connection rate limiter:


[admin]: configure virtualservice vs1
[admin]: virtualservice> connections_rate_limit
[admin]: virtualservice:connections_rate_limit> rate_limiter 
[admin: virtualservice:connections_rate_limit:rate_limiter> count 1000
Overwriting the previously entered value for count
[admin]: virtualservice:connections_rate_limit:rate_limiter> period 1
Overwriting the previously entered value for count
[admin]: virtualservice:connections_rate_limit:rate_limiter> burst_sz 1000
Overwriting the previously entered value for burst_sz
[admin]: virtualservice:connections_rate_limit> action type rl_action_reset_conn

You can check Performance Limits box in Advanced tab of Applications > Virtual Service window.

performance-limits

For further details on performance limits, refer to Virtual Service Policies user guide.

Network Security Rate Limiter

This rate limiter is configured on the network security policy. It is a policy-based rate limiter, where rules can be selectively applied to the rate limit.

The following are the rate limiting action options:

  • Default Action

Note: For this type of rate limiter, the default period is configured to 1 second.

Example

Assume that you want to rate limit user with IP subnet 172.100.200.0/24 for 1000 connections per second.

The following is the CLI to execute the above request:


[admin:ctrl]: > configure networksecuritypolicy vs-vs1-Default-Cloud-ns
Updating an existing object. Currently, the object is:
+----------------------+------------------------------------------------------------+
| Field                | Value                                                      |
+----------------------+------------------------------------------------------------+
| uuid                 | networksecuritypolicy-fbe7ec92-15bf-4ec8-a8bb-7145b03e3dba |
| name                 | vs-vs1-Default-Cloud-ns                                    |
| rules[1]             |                                                            |
|   name               | Rule 1                                                     |
|   index              | 1                                                          |
|   enable             | True                                                       |
|   match              |                                                            |
|     client_ip        |                                                            |
|       match_criteria | IS_IN                                                      |
|       prefixes[1]    | 172.100.200.0/24                                           |
|   action             | NETWORK_SECURITY_POLICY_ACTION_TYPE_RATE_LIMIT             |
|   log                | False                                                      |
|   rl_param           |                                                            |
|     max_rate         | 1000                                                       |
|     burst_size       | 1000                                                       |
|   age                | 0 min                                                      |
| tenant_ref           | admin                                                      |
+----------------------+------------------------------------------------------------+
[admin]: networksecuritypolicy> rules index 1
[admin]: networksecuritypolicy:rules> rl_param 
[admin]: networksecuritypolicy:rules:rl_param> max_rate 1000
No change in field value
[admin]: networksecuritypolicy:rules:rl_param> burst_size 1000
No change in field value
[admin]: networksecuritypolicy:rules:rl_param> save
[admin]: networksecuritypolicy:rules> save
[admin]: networksecuritypolicy> save

You can update this value in the IP Address field in Policies tab of Applications > Virtual Service window.

network-security

For further details on network security, refer to Virtual Service Policies user guide.

HTTP Security Rate Limiter

It rate limits the total number of incoming requests based on the HTTP security policy configuration. HTTP security policy now supports rate limit per client IP address, per URI path, or both for a given rate limit action.

You can configure rate limiters to control the policy evaluation based on the different parameters. The rate limit objects are same the other rate limiters mentioned above:

  • Count
  • Period
  • Burst

You can configure rate profiles under the action attributes of the HTTP policy. Rate limiters are configured for the following:

  • per_client_ip
  • per_uri_path

The corresponding actions can be any one of the following:

  • Drop the connection
  • Send reset code
  • Log the information in virtual service logs

The following are the steps to configure HTTP security rate limiter:

  1. Login to Avi CLI and use the configure httppolicyset <policy name> command to start configuring http security policy for rate limiting.
    [admin]: > configure httppolicyset example_rl_policy 
    [admin]: httppolicyset> http_security_policy
    [admin]: httppolicyset:http_security_policy> rules index 1 
  2. Configure the rate profiles under the action attributes of the HTTP policy as shown below. In the below example rate profile is chosen as per_uri_path and rate limiter count as 10.

    
    [admin]: httppolicyset:http_security_policy:rules:action> rate_profile
    [admin]: httppolicyset:http_security_policy:rules:action:rate_profile> per_uri_path
    [admin]: httppolicyset:http_security_policy:rules:action:rate_profile> rate_limiter
    [admin]: httppolicyset:http_security_policy:rules:action:rate_profile:rate_limiter> count 10
    Overwriting the previously entered value for count
    [admin]: httppolicyset:http_security_policy:rules:action:rate_profile:rate_limiter> save  
  3. Configure the required action once the rate limit is reached as per the configured policies mentioned above. You can set the following configuration to set the action type as rl_action_local_rsp with the response code as http_local_respose_status_code_403.

    
    [admin]: httppolicyset:http_security_policy:rules:action:rate_profile> action
    [admin]: httppolicyset:http_security_policy:rules:action:rate_profile:action>
    [admin]: httppolicyset:http_security_policy:rules:action:rate_profile:action> type rl_action_local_rsp
    Overwriting the previously entered value for type
    [admin]: httppolicyset:http_security_policy:rules:action:rate_profile:action> status_code http_local_response_status_code_403
    Overwriting the previously entered value for status_code
    [admin]: httppolicyset:http_security_policy:rules:action:rate_profile:action> save
    [admin]: httppolicyset:http_security_policy:rules:action:rate_profile> save
    [admin]: httppolicyset:http_security_policy:rules:action> save
    [admin]: httppolicyset:http_security_policy:rules> save
    [admin]: httppolicyset:http_security_policy> save
    [admin]: httppolicyset> save  
  4. The final configuration output is shown below which exhibits the action to send response code as 403 if the incoming requests cross the limit of 10 requests per 10 seconds for the associated HTTP security policy and the virtual service.

  +------------------------+----------------------------------------------------+
  | Field                  | Value                                              |
  +------------------------+----------------------------------------------------+
  | uuid                   | httppolicyset-91f02717-7dc6-42ff-9b00-1f411d3723df |
  | name                   | example_rl_policy                                  |
  | http_security_policy   |                                                    |
  |   rules[1]             |                                                    |
  |     name               | rl_rule_1                                          |
  |     index              | 1                                                  |
  |     enable             | True                                               |
  |     match              |                                                    |
  |       client_ip        |                                                    |
  |         match_criteria | IS_NOT_IN                                          |
  |         prefixes[1]    | 192.168.100.0/24                                   |
  |     action             |                                                    |
  |       action           | HTTP_SECURITY_ACTION_RATE_LIMIT                    |
  |       rate_profile     |                                                    |
  |         rate_limiter   |                                                    |
  |           count        | 10                                                 |
  |           period       | 10 sec                                             |
  |           burst_sz     | 0                                                  |
  |         action         |                                                    |
  |           type         | RL_ACTION_LOCAL_RSP                                |
  |           status_code  | HTTP_LOCAL_RESPONSE_STATUS_CODE_403                |
  |         per_client_ip  | True                                               |
  |         per_uri_path   | True                                               |
  | is_internal_policy     | False                                              |
  | tenant_ref             | admin                                              |
  +------------------------+----------------------------------------------------+
  

DNS policy Rate Limiter

The DNS policy rate limiter is the policy based rate limiter where you can apply rules specific to the DNS attributes of the request. For instance, if you want to rate limit the DNS, then request to freesale.com to prevent the server from being overwhelmed with request surge.

The following is the CLI to execute the above request:


[admin]: > configure dnspolicy dns1-Policy
[admin]: dnspolicy> rule index 1
[admin]: dnspolicy:rule> action 
[admin]: dnspolicy:rule:action> dns_rate_limiter
[admin]: dnspolicy:rule:action:dns_rate_limiter> rate_limiter_object 
[admin]: dnspolicy:rule:action:dns_rate_limiter:rate_limiter_object> count 1000
Overwriting the previously entered value for count
[admin]: dnspolicy:rule:action:dns_rate_limiter:rate_limiter_object> burst_sz 1000
Overwriting the previously entered value for burst_sz
[admin]: dnspolicy:rule:action:dns_rate_limiter:rate_limiter_object> period 1
Overwriting the previously entered value for period
[admin]: dnspolicy:rule:action:dns_rate_limiter:rate_limiter_object> save

You can check Enable box in DNS Policy tab in Policies tab of Applications > Virtual Service window.

dns-policy

For further details on DNS policy, refer to DNS Policy user guide.

Dynamic Rate Limiter

The dynamic rate limiter is used if you want to rate limit the number of connections/request on virtual service for any user. For instance, if the dynamic rate limiter is configured to do 1000 connections/requests per second, then it will only allow 1000 requests from user A, 1000 requests from user B, and so on.

Application Profile Rate Limiter

These rate limiters are used to create dynamic rate limiters. It is configured on the application profile attached to the virtual service.

The following are the rate limiting action options:

  • Drop Syn Packets

  • Send TCP Reset

  • Report Only

The following is the CLI to configure application profile:


[admin]: applicationprofile> dos_rl_profile 
[admin]: applicationprofile:dos_rl_profile> rl_profile 
[admin]: applicationprofile:dos_rl_profile:rl_profile> client_ip_connections_rate_limit 
[admin]: applicationprofile:dos_rl_profile:rl_profile:client_ip_connections_rate_limit> rate_limiter 
[admin]: applicationprofile:dos_rl_profile:rl_profile:client_ip_connections_rate_limit:rate_limiter> count 1000
No change in field value
[admin]: applicationprofile:dos_rl_profile:rl_profile:client_ip_connections_rate_limit:rate_limiter> period 1
No change in field value
[admin]: applicationprofile:dos_rl_profile:rl_profile:client_ip_connections_rate_limit:rate_limiter> burst_sz 1000
No change in field value
[admin]: applicationprofile:dos_rl_profile:rl_profile:client_ip_connections_rate_limit:rate_limiter> save

You can edit Rate Limit HTTP and TCP Settings section in DDos tab in Application Profile window.

application-profile

For further details on application profile, refer to Application Profile user guide.

DataScript Rate Limiter

Rate Limit is applied using DataScript too. Arbitrary characteristics are defined and evaluated to decide which requests are to count against the rate limit. This gives us maximum flexibility. All the actions which are supported through DataScript, can be applied when the limit is hit.

Starting with Avi Vantage release 18.2.9, the existing rate limit DataScript APIavi.vs.rate_limit is deprecated. The new DataScript API for the rate limit is avi.vs.ratelimit.exceed.

Deprecated DataScript API – avi.vs.rate_limit( type, string_to_limit, [defer_action=False] )

New DataScript API – avi.vs.ratelimit.exceed(rl_name, request_key, [consume])

The following are the parameters used in DataScript rate limiter:

  • rl_name – This refers to the rate limit object name.
  • request_key – This is an arbitrary string used to allow any property or combination of properties to be used to identify requests.
  • consume – This is the number that this API consumes in the rate limiter bucket, The default value is 1. This function indicates whether the request is above the threshold or not.

Configuring DataScript Rate Limiter

Login to the Avi CLI and use configure vsdatascriptset <policy name> command to configure rate limiters. Provide the policy name and assign the desired value of the rate limiters (count, period, and burst size) as shown below.


[admin]: > configure vsdatascriptset rate_limiter_test

[admin]: vsdatascriptset> rate_limiters

[admin]: vsdatascriptset:rate_limiters> count 1

[admin]: vsdatascriptset:rate_limiters> period 15

[admin]: vsdatascriptset:rate_limiters> burst_sz 0

[admin]: vsdatascriptset:rate_limiters> name rl1

[admin]: vsdatascriptset:rate_limiters> save

[admin]: vsdatascriptset> save
  • Use the avi.vs.ratelimit.exceed function in a DataScript with the desired action.

    Example:

    
     result = avi.vs.rate.limit.exceed("test", "key1")
     if result == true the
     avi.vs.log("rl exceeds")
     else
     avi.vs.log("rl does not exceed")
     end