BIG-IP ASM 11.0.0 and later includes, by default, protection against slow transaction attacks such as Slow POST. Depending on the attack and environment, you may only need to tune the parameters controlling this protection and confirm that the mechanisms are working by checking the log files, as detailed in the following procedure.
Note: Slow transactions dropped in this way receive no response from the server at all; the connection is simply terminated. This differs from the iRule solution, which serves an error page to the client, and from other BIG-IP ASM blocking mechanisms, which serve the BIG-IP ASM blocking page in response.
Impact of procedure: If you change the values of the max_slow_transactions or slow_transaction_timeout parameters, you must restart BIG-IP ASM for the new values to take effect. For this reason, you should make these changes during a maintenance window, or you should perform the changes on a standby unit and fail over traffic after the restart has completed.
Log in to the Configuration utility.
Go to Security > Options > Application Security > Advanced Configuration > System Variables.
For Search by Parameter Name, enter slow and select Go.
Configure the values for the max_slow_transactions and slow_transaction_timeout parameters appropriately for the target environment.
Restart the BIG-IP ASM service by entering the following command:
    tmsh restart /sys service asm
Inspect the /var/log/asm log file for entries like the following:
    err dcc[8317]: 01310001:3: event code D6983 Slow transactions attack detected - account id: (18), number of dropped slow transactions: (350)
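To make the log check in the last step repeatable, the following added example (not part of the original article or F5's tooling) totals the dropped slow transactions per account id from entries in the format shown above. The function names, the optional threshold argument, and the sample lines' timestamps and hostname are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise "Slow transactions attack detected" entries per account id.
# The message format follows the article; timestamps and hostname below are constructed.

sample_log() {
cat <<'EOF'
Jan 10 03:12:01 bigip1 err dcc[8317]: 01310001:3: event code D6983 Slow transactions attack detected - account id: (18), number of dropped slow transactions: (350)
Jan 10 03:12:31 bigip1 err dcc[8317]: 01310001:3: event code D6983 Slow transactions attack detected - account id: (18), number of dropped slow transactions: (125)
Jan 10 03:13:02 bigip1 notice dcc[8317]: unrelated constructed line
Jan 10 03:14:10 bigip1 err dcc[8317]: 01310001:3: event code D6983 Slow transactions attack detected - account id: (7), number of dropped slow transactions: (40)
EOF
}

# Reads log lines on stdin and prints "account_id events total_dropped",
# one line per account, for accounts whose total is at least $1 (default 0).
slow_tx_summary() {
  awk -v min="${1:-0}" '
    # Return the digits that follow label and precede ")", or "" if absent.
    function field(line, label,   rest) {
      if (!match(line, label "[0-9]+\\)")) return ""
      rest = substr(line, RSTART, RLENGTH)
      sub(label, "", rest)
      sub(/\)$/, "", rest)
      return rest
    }
    /Slow transactions attack detected/ {
      acct = field($0, "account id: \\(")
      drop = field($0, "number of dropped slow transactions: \\(")
      if (acct == "" || drop == "") next   # skip truncated or malformed entries
      events[acct]++
      total[acct] += drop
    }
    END {
      for (a in events)
        if (total[a] >= min) printf "%s %d %d\n", a, events[a], total[a]
    }
  ' | sort -n
}

# Demonstration on the constructed sample.
sample_log | slow_tx_summary
```

On a BIG-IP system the function can read the real file instead of the sample, for example slow_tx_summary 100 < /var/log/asm.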