Forum Discussion
SeanW_82915
Nimbostratus
Jul 03, 2009
Anti-DDOS script, feedback requested
I've experienced a couple of DDOS attacks on web sites where the zombies request the same page over and over again, which brings the website down. All the headers are spot on; they use DNS, so changing the IP of the site doesn't work. The only thing I could find was to get the application to serve everyone a 302 redirect and move the content there. The zombies wouldn't take the redirect but real people did.
Now that I'm using a real load balancer, I figured this could be done in a similar fashion with cookies and redirects. Since it's my first iRules script, I'm asking if anyone sees any problems with what I'm doing. It works for me when I'm testing...
Note I don't plan on running this all the time, only applying it if the site gets attacked.
Thanks,
Sean
# Forces viewers to present a cookie to view the site
# If the cookie isn't there, redirect them to a page to get the cookie
# The theory is the bots aren't smart enough to
# 1. follow a redirect
# 2. manage cookies
when HTTP_REQUEST {
    set uri [HTTP::uri]
    if { $uri starts_with "/botcheck/" } {
        # strip off the rest of the url
        # ("/botcheck" is 9 characters, so index 9 onward is the original URI)
        set uri [string range $uri 9 end]
        set cookie "BOTCHECK=hello; path=/"
        HTTP::respond 302 "Location" $uri Set-Cookie $cookie
        return
    }
    # No cookie yet: send the client through /botcheck to pick one up
    if { [HTTP::cookie exists "BOTCHECK"] == 0 } {
        HTTP::respond 302 "Location" "/botcheck$uri"
    }
}
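The redirect-and-cookie flow from the post above, modeled in Python as an added example that is not part of the original post. The function names, the three client profiles and the hop limit are assumptions made for illustration. It shows which clients reach the pool, and that a client which follows redirects but discards cookies bounces between the two URLs indefinitely.

```python
# Constructed model of the posted iRule's decision logic; not F5 code.
PREFIX = "/botcheck"   # path prefix used by the iRule
COOKIE = "BOTCHECK"    # cookie name the iRule checks for


def irule(uri, cookies):
    """Return (status, location, set_cookie) as the posted iRule would.

    Status 200 stands for "request passed through to the pool".
    Like HTTP::cookie exists, only the cookie's presence is checked.
    """
    if uri.startswith(PREFIX + "/"):
        # Strip the prefix, set the cookie, redirect to the original URI.
        return 302, uri[len(PREFIX):], (COOKIE, "hello")
    if COOKIE not in cookies:
        # No cookie yet: detour through /botcheck to pick one up.
        return 302, PREFIX + uri, None
    return 200, None, None


def fetch(uri, follow_redirects, keep_cookies, max_hops=10):
    """Drive one client profile against the rule; return (outcome, hops)."""
    jar = {}
    for hop in range(max_hops):
        status, location, set_cookie = irule(uri, jar)
        if status == 200:
            return "served", hop
        if set_cookie and keep_cookies:
            jar[set_cookie[0]] = set_cookie[1]
        if not follow_redirects:
            return "blocked", hop
        uri = location
    # Never reached the pool: the client is stuck between the two URLs.
    return "redirect-loop", max_hops


if __name__ == "__main__":
    profiles = {
        "browser (redirects + cookies)": (True, True),
        "client ignoring redirects": (False, False),
        "client following redirects, cookies off": (True, False),
    }
    for name, (redir, cookies) in profiles.items():
        print(name, "->", fetch("/index.html", redir, cookies))
```

The third profile is the case to check before enabling the rule: any legitimate client with cookies disabled never gets a page, and each of its requests still costs the load balancer a 302.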
- hoolio
Cirrostratus
Hi Sean,