Question about rate limiting from a particular source IP?

Ross Helfand

Hello everyone,

I have what I think is a pretty simple rate limiting policy, but I'm trying to test it out and I'm getting confused.  The policy looks like this:

add stream selector myapp_sel CLIENT.IP.SRC

add ns limitIdentifier myapp_limit -threshold 1750 -timeSlice 60000 -selectorName myapp_sel

add responder policy myapp_rate_limit_pol "sys.CHECK_LIMIT(\"myapp_limit\")" DROP NOOP

bind lb vserver myapp_lb_vs -policyName myapp_rate_limit_pol -priority 110 -gotoPriorityExpression END -type REQUEST

I think this should be DROPing anything above 1750 connections per minute from any single IP.

I see that, at some point the policy has been hit:

> stat responder policy myapp_rate_limit_pol

Responder Policy Statistics
Name           Hits Rate(/s) UndefHits Rate(/s)
myapp...t_pol 1647771        0        0        0
 Done

However, the requesting team has been having issues, so I tried to test just doing some simple 'curl' in parallel, and I can't seem to trigger the rule.  Looking at this makes me think I'm missing some simple logic somewhere:

> show ns limitsessions myapp_limit
1)	Time Remaining:       64 secs  Hits: 3049 				Action Taken: 0
 	Total Hash:     476428  Hash String:
	IPs gathered:
		1) 10.NN.NN.19
	Active Transactions: 0
2)	Time Remaining:       67 secs  Hits: 44621 				Action Taken: 0
 	Total Hash:     181935  Hash String:
	IPs gathered:
		1) 10.NN.NN.182
	Active Transactions: 0

<SNIP>

(Ignore the "NN" in the IP; I've tried to scrub the output a little.) There are hundreds of connections, but number two seems to indicate 44K hits with 67 seconds remaining.

Isn't 'timeSlice' in milliseconds?  I feel like I must be missing something pretty simple here.

Thanks!


There is also a very big difference between connections and requests/second. Multiple requests from the same client (if we are talking web traffic) are multiple requests over the same connection.

So, I think it would be unusual for you to simulate a legitimate device getting to 1750 connections in a 1-minute timeslice, unless you used a tool to generate parallel connections.

The trick with rate limiting is to 1) understand the scope of your policy, i.e. its bind point and expression, and 2) decide what the appropriate threshold of interest is and how that varies based on scope and on a limit identifier with or without a selector.

Meaning: all traffic on one vserver is going to have a different threshold of interest than all traffic to one page.

All traffic to the vserver vs. all traffic from one ip to the one vserver is also a different threshold of concern.


In your case, are you sure you don't need a requests/second threshold as opposed to a connection limit?


On 2/22/2022 at 6:11 PM, Rhonda Rowland1709152125 said:

In your case, are you sure you don't need a requests/second threshold as opposed to a connection limit?

Hi Rhonda,

I just want to clarify here. Isn't a "requests/second" threshold what I configured above?

add stream selector myapp_sel CLIENT.IP.SRC

add ns limitIdentifier myapp_limit -threshold 1750 -timeSlice 60000 -selectorName myapp_sel

add responder policy myapp_rate_limit_pol "sys.CHECK_LIMIT(\"myapp_limit\")" DROP NOOP

bind lb vserver myapp_lb_vs -policyName myapp_rate_limit_pol -priority 110 -gotoPriorityExpression END -type REQUEST

I thought what I was doing was limiting to no more than 1750 requests in a 1-minute period for any unique IP?

I did some further testing using Locust and was able to get it to drop requests by changing my limitIdentifier to -threshold 175 -timeSlice 6000. I also messed around with BURSTY vs SMOOTH but I am not 100% clear on that. :)

