Forum Discussion

young19918's avatar
young19918
Icon for Cirrus rankCirrus
Mar 15, 2024

About F5 ASM slow_transaction_timeout

Hello experts,   I've recently been looking into ASM. https://my.f5.com/manage/s/article/K14199 I have a question about "slow_transaction_timeout" Does slow_transaction_timeout mean an reque...
application delivery
  • zamroni777's avatar
    zamroni777
    Mar 15, 2024

    it should be client side (client <-> ltm).

    bigip only forwards complete requests to backend servers.

F5_Design_Engineer's avatar
F5_Design_Engineer
Icon for MVP rankMVP
Mar 18, 2024

Yes right it is

client side (client <-> ltm).

When a client issues many such requests, ASM is able to prevent a denial of service (DoS) condition by detecting a slow transactions attack.

This is defined by the slow_transaction_timeout and max_slow_transactions internal variables.

 

Server Receives many 𝐒𝐥𝐨𝐰 𝐓𝐫𝐚𝐧𝐬𝐚𝐜𝐭𝐢𝐨𝐧𝐬 over the time and forced to keep many Connections and Sessions in "𝐎𝐩𝐞𝐧𝐞𝐝" state.

 

Mitigating an attack using BIG-IP ASM

BIG-IP ASM 11.0.0 and later includes protection against slow transaction attacks such as Slow POST, by default. Depending on the attack and environment, you may only need to tune the parameters controlling this protection and ensure that the mechanisms are working by checking the log files as detailed in the following procedure.

Note: Slow transactions dropped in this way receive no response from the server at all, and the connection is terminated without response. This is contrary to the iRule solution, which serves an error page to the client, and contrary to other BIG-IP ASM blocking mechanisms which serve the BIG-IP ASM blocking page in response.

Impact of procedure: If you change the values of the max_slow_transactions or slow_transaction_timeout parameters, you must restart BIG-IP ASM for the new values to take effect. For this reason, you should make these changes during a maintenance window, or you should perform the changes on a standby unit and fail over traffic after the restart has completed.

  1. Log in to the Configuration utility.
  2. Go to Security Options > Application Security > Advanced Configuration > System Variables.
  3. For Search by Parameter Name, enter slow and select Go.
  4. Configure the values for the max_slow_transactions and slow_transaction_timeout parameters appropriately for the target environment.
  5. Restart the BIG-IP ASM service by entering the following command:tmsh restart /sys service asm
  6. Inspect the /var/log/asm log file for entries like the following:err dcc[8317]: 01310001:3: event code D6983 Slow transactions attack detected - account id: (18), number of dropped slow transactions: (350)

HTH

🙏