Forum Discussion

Jose_Santiago_O
Jun 22, 2009

Apache DOS and LTMs.

Hello,

Last week, the ISC team published some articles saying that there was some risk of DoS in Apache servers:

http://isc.sans.org/diary.html?storyid=6601

http://isc.sans.org/diary.html?storyid=6613

In today's post they are stating:

"First of all, those running some load balancers or reverse proxies in front of their Apache installations should check if they are really vulnerable or not – it's possible that the proxy is not affected by this vulnerability."

So, the question is: are my Apache servers (2.X) running behind the BIG-IPs affected by this issue?

Can anyone elaborate on this?

Regards,

Jose Santiago Oyervides.
  • hoolio
    Hi,

    Ben stated in this post that he tested the client app against an ASM-enabled virtual server and found ASM buffered the full request headers and payload before sending the request to the pool member.

    Without ASM to buffer the request, I think it would depend on your VIP type and the type of attack. For an HTTP VIP, LTM by default buffers the HTTP headers before opening a server-side connection. So if the malicious client was sending the headers very slowly, LTM should handle the attack.

    I'm pretty sure that once the headers have been parsed, LTM sends data to the pool as it receives it. So you would potentially still be vulnerable to an attacker sending payloads very slowly. I suppose you could collect the payloads using HTTP::collect to handle the attack. LTM wouldn't suffer resource issues from collecting the request payload for the number of requests that have been described in the vulnerability. But collecting every request payload would add load to LTM and potentially add some latency to all client sessions.

    Anyone else have ideas for this?

    Aaron
  • I think your Apache servers behind BIG-IP are not affected. BIG-IP has Adaptive Reaping to protect against DoS attacks. Even though slowloris is not a TCP DoS but the equivalent of a SYN flood over HTTP, I believe this reaper will protect BIG-IP and the servers behind it from this attack. When BIG-IP starts running out of resources, it will begin closing idle connections.

    Like Aaron mentioned earlier, using an HTTP VIP would minimize the server impact.

    References:

    SOL4611: Overview of Adaptive Reaping:

    "The adaptive reapers are a DoS prevention measure and a function of available memory. As memory usage on the unit increases and additional SYNs are received, the BIG-IP system reacts to the excessive memory usage by closing idle connections."

    SOL7301: Protecting the BIG-IP LTM against denial of service attacks:

    "The BIG-IP system to remove connections from its connection table when the connection load surpasses a defined percentage of memory usage."
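As an added illustration of the HTTP::collect approach Aaron describes above (this iRule is an example written for this discussion, not code posted by any participant or published by F5), the rule below holds a request with a body on LTM until the whole body has arrived, so a slowly trickled payload occupies an LTM connection-table entry rather than an Apache worker. The 1 MB buffering limit, the decision to pass larger or Content-Length-less bodies through unbuffered, and the datagroup-free structure are all assumptions for the example.

```tcl
# Example iRule (added here, not from the thread or from F5).
# Buffers request bodies on LTM before the request reaches the pool member.

when RULE_INIT {
    # Assumed cap: bodies above this size are forwarded unbuffered so that
    # collecting payloads cannot itself exhaust LTM memory under load.
    set static::max_collect 1048576
}

when HTTP_REQUEST {
    # LTM has already buffered and parsed the headers at this point; only the
    # body can still be sent slowly by the client.
    if { [HTTP::header exists "Content-Length"] } {
        set len [HTTP::header "Content-Length"]
        if { [string is integer -strict $len] && $len > 0 && $len <= $static::max_collect } {
            # Hold the request until $len bytes of payload have been received.
            # HTTP_REQUEST_DATA fires once the collected length is reached.
            HTTP::collect $len
        }
    }
    # Requests without a Content-Length header (for example chunked bodies)
    # fall through here and are forwarded as data arrives (assumed behaviour
    # chosen for this example, not a recommendation for every deployment).
}

when HTTP_REQUEST_DATA {
    # The complete payload is buffered; release it to the pool member at once.
    HTTP::release
}
```

A client that never finishes sending the body holds only a client-side LTM connection until the TCP profile's idle timeout or adaptive reaping closes it, which is the trade-off Aaron notes: buffering every payload adds LTM memory use and latency for all clients.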