Re: [load balancing] Cookies

From: Matt Barrette <mattb93 [izzat]>
Date: Fri Mar 30 2007 - 12:40:47 EDT

This is what I'm using: Radware w/Appdirector OS and BWM module and IDS

We tried the rate limit option in BWM config and it didn't work as we wanted
as I remember. It's been a while but I'm trying to get back to making this
work again.

According to the Radware user guide

"MAX Requests Per Second

When the Traffic Flow Max BW parameter is configured and the Traffic
Flow Identification parameter is set to Session Cookie, the device can
track and limit the number of requests, such as HTTP GET, or Post, or
HEAD per Cookie."

So a cookie identifier seems to be required for it to function.

But couldn't a person discard the cookie we give them at every request and
essentially come and make requests as a new user, not subject to the
rules then? I'm pretty sure people write bots that do this.

-----Original Message-----
From: [] On Behalf Of
Iztok Umek
Sent: Wednesday, March 28, 2007 11:20 AM
To: Load Balancing Mailing List
Subject: Re: [load balancing] Cookies

Matt Barrette wrote:
> On the topic....
> Is anyone using cookie inspection for rate limiting the number of
> sessions that can be created over a period of time?
> Basically to block unwanted spidering.
> I'm trying to find a way to rate limit users to a number of
> transactions that allows full function, but keeps them from
> overloading the farm from excessive use.

I know Radware WSD and AppDirector have an option to rate limit users to a
number of sessions per minute, for example. This would help you out. Not sure
whether other load balancers have that option or not.

Received on Fri Mar 30 12:41:21 2007
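
Added example, not part of the thread and not Radware's implementation: a sketch of a limiter that closes the gap raised above, where a client that discards its cookie on every request looks like a new user each time. Requests carrying a cookie the server signed are counted per cookie; requests with no cookie or a forged one are counted against the source address. All names, limits and the signing key are hypothetical.

```python
import hashlib, hmac, secrets
from collections import defaultdict, deque

SECRET = b"constructed-demo-key"   # assumption: per-deployment secret
WINDOW = 1.0                       # seconds per counting window
MAX_PER_COOKIE = 5                 # requests per valid session cookie
MAX_NEW_PER_IP = 2                 # cookie-less requests per source IP
MAX_PER_IP = 30                    # ceiling per IP, cookies or not

def _mac(sid):
    return hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()[:16]

def issue_cookie():
    sid = secrets.token_hex(8)
    return f"{sid}.{_mac(sid)}"

def valid_cookie(cookie):
    """True only for a cookie this server signed."""
    if not cookie or "." not in cookie:
        return False
    sid, mac = cookie.rsplit(".", 1)
    return hmac.compare_digest(mac.encode(), _mac(sid).encode())

class Limiter:
    def __init__(self):
        self.hits = defaultdict(deque)   # key -> timestamps in window

    def _allow(self, key, limit, now):
        q = self.hits[key]
        while q and now - q[0] >= WINDOW:
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True

    def check(self, ip, cookie, now):
        if not self._allow(("ip", ip), MAX_PER_IP, now):
            return False
        if valid_cookie(cookie):
            return self._allow(("cookie", cookie), MAX_PER_COOKIE, now)
        # Missing or forged cookie: count it against the source address.
        return self._allow(("new", ip), MAX_NEW_PER_IP, now)

def simulate(keeps_cookie, n, ip="198.51.100.7"):
    """Constructed traffic: n requests inside one window from one client."""
    lim, cookie, served = Limiter(), None, 0
    for i in range(n):
        if lim.check(ip, cookie, i * 0.01):
            served += 1
            if keeps_cookie and cookie is None:
                cookie = issue_cookie()
    return served
```

Keying the fallback on source address also throttles legitimate users who share one address behind NAT or a proxy, so the cookie-less limit has to be tuned for that.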