Forum Discussion
APM Session creation URI for Logon page
Hi Devcentral,
I would like to know if it is possible to restrict the APM session creation for the APM Logon Page to a single HTTP URI. I noticed that if you create an access policy with a logon page, any HTTP request for any URI on the APM protected VS with a logon page will trigger an access policy session creation. As you know, we have a limited number of APM sessions and we have the default APM session timeout of 300 seconds. I would like to create the APM session only when a specific URI is requested (ex. the URI /my.policy for logon pages) and after that, it would be perfect if I could apply session rate limiting for the specified path (/my.policy) based on source IP in order to avoid a DoS condition.
Thanks in advance,
Matteo
2 Replies
- Lucas_Thompson_Historic F5 Account
What specific attack scenario are you worried about? This is the typical connection setup:
1. User accesses / (or whatever) with no cookie. APM creates a session, 302s to /my.policy.
2. User accesses /my.policy. APM runs the access policy, then 302s the user to / (or whatever the landing URI was).
3. User accesses the landing URI, webtop or whatever.
If thing 1 happens but thing 2 doesn't, there's a separate timer that's shorter than the idle or session complete timeout to handle this DoS condition.
There is a setting for "max in progress sessions per client IP" that also mitigates some of this attack surface.
If you want something else custom, you can use the HTTP_REQUEST iRule event on the virtual after calling this in CLIENT_ACCEPTED:
https://devcentral.f5.com/wiki/iRules.ACCESS__restrict_irule_events.ashx
- MDPF5_152674 Altostratus
Hi Lucas,
I saw SOL12300 (https://support.f5.com/kb/en-us/solutions/public/12000/300/sol12300.html) and I thought the "access policy timeout" was the APM session lifetime for a request without an MRHSession cookie. If I trigger an HTTP request using curl on an APM protected portal with a logon page, ex. "hxxps://apmlogon.page.com/xxx", I will get an APM session regardless of the URI requested and APM will generate a session in its session table with a 300 seconds lifetime, is that correct? So, the access policy timeout is the timeout applied for each new HTTP request without an existing session? Just to clarify.
I am asking this because I want to control the number of APM sessions generated by source IP and I suppose that what you mentioned is the right solution.
Thanks,
Matteo
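As an added illustration of the pattern Lucas points at (an iRule written for this thread, not code from Lucas, F5 or the original posts): calling `ACCESS::restrict_irule_events disable` in CLIENT_ACCEPTED lets HTTP_REQUEST fire before an access session exists, so the iRule can answer requests itself instead of letting APM allocate a session. The example assumes the logon URI is /my.policy and the session cookie is MRHSession (both named in the thread); the limit of 10 logon requests per 60 seconds per source IP and the subtable name `apm_logon` are made-up values to adjust for your environment.

```tcl
# Added example for the DevCentral thread above; not F5's or the poster's code.
# Goal: only /my.policy may create an APM session, and session-less requests
# to /my.policy are rate limited per client IP with the session table.

when RULE_INIT {
    # Assumed tuning values: max logon-page requests per source IP per window.
    set static::apm_logon_limit  10
    set static::apm_logon_window 60
}

when CLIENT_ACCEPTED {
    # By default APM suppresses iRule events until a valid access session
    # exists. Disabling that restriction lets HTTP_REQUEST see every request.
    ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
    # Requests that already carry the APM session cookie go through the
    # access policy untouched.
    if { [HTTP::cookie exists "MRHSession"] } {
        return
    }

    set client [IP::client_addr]
    set path   [string tolower [HTTP::path]]

    if { $path ne "/my.policy" } {
        # No session and not the logon URI: respond from the iRule so APM
        # never allocates a session for this request. A 403 would also work;
        # the redirect keeps the user flow described in the thread.
        HTTP::respond 302 noserver Location "/my.policy" Connection "close"
        return
    }

    # Session-less request for the logon URI: count it per client IP in a
    # subtable entry whose lifetime is the rate-limit window.
    set count [table lookup -subtable "apm_logon" $client]
    if { $count eq "" } {
        # First hit in this window: create the counter with a fixed lifetime
        # so the window does not slide when the entry is touched.
        table set -subtable "apm_logon" $client 1 indefinite $static::apm_logon_window
    } elseif { $count >= $static::apm_logon_limit } {
        log local0. "APM logon rate limit reached for $client ($count in window)"
        HTTP::respond 429 content "Too many logon requests, try again later." noserver Connection "close"
        return
    } else {
        # -notouch keeps the original expiry so the window stays fixed.
        table incr -notouch -subtable "apm_logon" $client
    }
    # Falling through lets APM create the session and run the policy.
}
```

Two things to check before relying on this: the redirect above does not carry the originally requested URI into the new session, so confirm the post-logon landing behaviour of your policy is acceptable, and verify on a test virtual that no APM session appears in the session table for a request to a non-logon URI without a cookie, which is the point of the exercise.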