Forum Discussion
Jose_Santiago_O
Nimbostratus
Jun 22, 2009
Apache DOS and LTMs.
Hello,
Past week, the ISC team published some articles saying that there was some risk of DOS in Apache Servers:
http://isc.sans.org/diary.html?storyid=6601
http://isc.sans.org/diary.html?storyid=6613
In today's post they are stating:
"First of all, those running some load balancers or reverse proxies in front of their Apache installations should check if they are really vulnerable or not – it's possible that the proxy is not affected by this vulnerability."
So, the question is: are my Apache servers (2.X) running behind the BIG-IPs affected by this issue?
Can anyone elaborate on this?
Regards,
Jose Santiago Oyervides.
4 Replies
- hoolio
Cirrostratus
Hi,
Ben stated in this post (Click here) that he tested the client app against an ASM enabled virtual server and found ASM buffered the full request headers and payload before sending the request to the pool member.
Without ASM to buffer the request, I think it would depend on your VIP type and the type of attack. For an HTTP VIP, LTM by default buffers the HTTP headers before opening a server side connection. So if the malicious client was sending the headers very slowly, LTM should handle the attack.
I'm pretty sure that once the headers have been parsed, LTM sends data to the pool as it receives it. So you would potentially still be vulnerable to an attacker sending payloads very slowly. I suppose you could collect the payloads using HTTP::collect to handle the attack. LTM wouldn't suffer resource issues from collecting the request payload for the numbers of requests that have been described in the vulnerability. But collecting every request payload would add load to LTM and potentially add some latency to all client sessions.
Anyone else have ideas for this?
Aaron
- hwidjaja_37598
Altostratus
I think your Apache servers behind BIG-IP are not affected. BIG-IP has Adaptive Reaping to protect against DoS attacks. Even though Slowloris is not a TCP DoS but the equivalent of a SYN flood over HTTP, I believe this reaper will protect BIG-IP and the servers behind it from this attack. When BIG-IP starts running out of resources, it will begin closing idle connections.
As Aaron mentioned earlier, using an HTTP VIP would minimize the server impact.
References:
SOL4611: Overview of Adaptive Reaping (Click here):
The adaptive reapers are a DoS prevention measure and a function of available memory. As memory usage on the unit increases and additional SYNs are received, the BIG-IP system reacts to the excessive memory usage by closing idle connections.
SOL7301: Protecting the BIG-IP LTM against denial of service attacks (Click here):
The BIG-IP system can be configured to remove connections from its connection table when the connection load surpasses a defined percentage of memory usage.
- Jose_Santiago_O
Nimbostratus
Ok, Thanks everyone for your help!
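The HTTP::collect approach hoolio describes above, written out as an added iRule example (not code from any poster or from F5): the LTM holds a POST until the whole body has arrived from the client, so a slowly trickled payload never ties up a pool member connection. It assumes an HTTP profile on the virtual server; the 1 MB cap is a chosen value, and bodies without a Content-Length (chunked) are left unbuffered.

```tcl
# Added example: buffer the request body on the LTM before opening the
# server-side request. Assumes an HTTP profile; the 1 MB cap is a chosen value.
when HTTP_REQUEST {
    # Only buffer bodies with a declared, bounded length, so the LTM is never
    # asked to hold an arbitrarily large payload on behalf of one client.
    if { [HTTP::method] eq "POST" && [HTTP::header exists "Content-Length"] } {
        set cl [HTTP::header "Content-Length"]
        if { [string is integer -strict $cl] && $cl > 0 && $cl <= 1048576 } {
            # Hold the request until $cl body bytes have been received
            HTTP::collect $cl
        }
    }
}

when HTTP_REQUEST_DATA {
    # Fires once the collected bytes are present; pass the complete request
    # to the pool member in one piece
    HTTP::release
}
```

Buffering shifts the slow-body connection onto the LTM's connection table, where the adaptive reaping described below can close it if resources run short, at the cost of some added latency for every buffered POST.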