Forum Discussion
Block a DoS attack (TCP flag and/or UDP flood) with an iRule
Dear community,
I need to set up a new iRule to basically mitigate a DoS attack. Specifically, it should work in case of TCP flag attacks (SYN, ACK, FIN and RST). Could someone help me with this? It should also work under a UDP flood attack. I'm starting from scratch, so any help on this would be very welcome. Thanks, folks.
- Michael_Yates
Nimbostratus
A lot of what you are asking for is already baked into the device.
See: K14813: Detecting and mitigating DoS/DDoS attacks (11.4.x - 12.x)
- titankapo_33333
Nimbostratus
Thanks, Michael. I went through that article but still need some kind of guidelines (especially for better control) for building out a new iRule in case of detecting suspicious activities or even DDoS attacks. How can I set up TCP for defending against flag attacks? Many thanks again for helping out.
- BinaryCanary_19
Historic F5 Account
I don't think you can inspect TCP flags using iRules, so this approach seems unviable. You should look at using one of the standard modules/features built into the product that accomplish this objective, as Mr Yates has already suggested.
- titankapo_33333
Nimbostratus
Thank you both!