Forum Discussion
APM Session creation URI for Logon page
What specific attack scenario are you worried about? This is the typical connection setup:
1. User accesses / (or whatever) with no cookie.
   APM creates a session and 302s to /my.policy.
2. User accesses /my.policy.
   APM runs the access policy, then 302s the user to / (or whatever the landing URI was).
3. User accesses the landing URI, webtop or whatever.
If thing 1 happens but thing 2 doesn't, there's a separate timer that's shorter than the idle or session complete timeout to handle this DoS condition.
There is a setting for "max in progress sessions per client IP" that also mitigates some of this attack surface.
If you want something else custom, you can use the HTTP_REQUEST iRule event on the virtual after calling this in CLIENT_ACCEPTED:
https://devcentral.f5.com/wiki/iRules.ACCESS__restrict_irule_events.ashx
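As an added illustration of the custom approach Lucas describes (example code, not from the thread or from F5): the iRule below calls ACCESS::restrict_irule_events in CLIENT_ACCEPTED so that HTTP_REQUEST fires before APM processes the request, then counts cookie-less requests per client IP in a session table. Requests that already carry an MRHSession cookie are left alone, so only attempts that would create a new APM session are counted. The subtable name, the 60-second window and the limit of 10 are assumptions chosen for the example; the built-in "max in progress sessions per client IP" setting remains the first line of defence, and this is only for cases where extra custom logic is wanted.

```tcl
# Added example, not part of the original thread.
# Per-client-IP cap on requests that would create a new APM session.
# Assumed values: subtable "apm_ratelimit", 60 s window, limit of 10.

when CLIENT_ACCEPTED {
    # Allow HTTP_REQUEST to run before APM takes over the request
    # (see the ACCESS::restrict_irule_events wiki page linked above).
    ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
    # An MRHSession cookie means an APM session already exists: nothing to do.
    if { [HTTP::cookie exists "MRHSession"] } {
        return
    }

    set client [IP::client_addr]
    set key "newsess:$client"

    # table incr creates the entry on first use and returns the new count;
    # the timeout keeps the counter alive for 60 s since the last increment.
    set count [table incr -subtable "apm_ratelimit" $key]
    table timeout -subtable "apm_ratelimit" $key 60

    if { $count > 10 } {
        # Over the assumed limit: answer locally instead of letting APM
        # build yet another in-progress session for this source IP.
        log local0. "APM new-session rate limit exceeded for $client ($count in window)"
        HTTP::respond 429 content "Too many requests" "Connection" "close"
        return
    }
}
```

The count is only incremented for requests without an MRHSession cookie, so legitimate users who have completed the access policy are never throttled; tune the window and limit to the real logon volume seen from shared egress addresses (NAT, proxies) before enforcing.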
Hi Lucas,
I saw SOL12300 (https://support.f5.com/kb/en-us/solutions/public/12000/300/sol12300.html) and I thought the "access policy timeout" was the APM session lifetime for a request without an MRHSession cookie. If I trigger an HTTP request using curl on an APM-protected portal with a logon page, e.g. "hxxps://apmlogon.page.com/xxx", I will get an APM session regardless of the URI requested, and APM will generate a session in its session table with a 300-second lifetime. Is that correct? So the access policy timeout is the timeout applied to each new HTTP request without an existing session? Just to clarify.
I am asking this because I want to control the number of APM sessions generated by source IP and I suppose that what you mentioned is the right solution.
Thanks,
Matteo