Forum Discussion

MaxMedov
Dec 06, 2023

Custom dynamic signature

Hello,

We have a problem with a few clients that, from time to time, spam us with a specific parameter in the body.
For example, regular traffic is 10 TPS of parameter ABC, and sometimes those requests can be 100x more.
I'm looking for a mechanism to mitigate those problematic requests when they occur.
Is it possible to use the BADoS tool with a dynamic custom signature option?
When some of the clients are spamming us by IP with parameter Y in the body, enforce the dynamic signature (automatically or manually).
This should allow me to block only the excess requests with this parameter from a specific IP and not affect other clients' legitimate requests.

But I can see only an option for 'Headers' in the dynamic custom signature configuration.
Is there an option to check the body?
Is there any other solution that can match my problem? iRule?
I appreciate your help!

  • Hi Jeffrey_Granier, I think an iRule is not the best option because it would require decrypting all requests and searching the body for this parameter; it could load the device.
    Also, the iRule would apply to all clients and falsely block requests from valid users (who are not spamming).
    I thought it was possible to do this with BADoS.
    Or am I wrong?

    •
      Jeffrey_Granier

      Hi Max,

      Yes, using BADoS should be your first line of defense; the abnormal traffic pattern that deviates from the baseline should generate the dynamic signature. Do you have any that show up? Could you post a snippet? iRules would be the last option if this cannot be configured using the detected dynamic signatures.

  • Hi Jeffrey_Granier, I'll test BADoS today and will update you.
    For how long is it recommended to learn the traffic before the attack (for the baseline), and for how long do I need to run the attack (spam of this parameter)?
    Also, it should be blocked by source IP and not affect the other clients that send that parameter too, right?

  • Jeffrey_Granier, I tried to reproduce it today but without success.
    I sent requests with this parameter from one client IP for about half an hour, at about 4 TPS,
    and after that spammed with this parameter from another client IP at about 30-40 TPS for another half hour.
    BADoS has not recognized this as an anomaly; I'm not sure why...
    From the documentation, it should detect anomalies of high-volume unpredictable traffic and generate a signature or other mitigations (depending on the conditions).
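The behaviour the original poster asks for (throttle only the excess requests that carry one body parameter, per source IP, and leave every other client alone) can be expressed as a sliding-window counter keyed on the source IP and gated on the parameter's presence in the body. The following is an added example written for this thread, not F5 code and not an iRule or BADoS configuration; it is a Python stand-in for the logic, with constructed sample traffic and hypothetical IPs (10.0.0.1 to 10.0.0.3). On a BIG-IP the same idea would have to be done in an iRule (reading the body with HTTP::collect/HTTP::payload and keeping counters in the session table), which, as noted above, costs more than letting BADoS detect the anomaly.

```python
# Added example (not F5 BADoS or iRule code): a per-source-IP rate limit keyed
# on one body parameter, so a client that floods that parameter is throttled
# back to the limit while every other client is never touched.
from collections import defaultdict, deque
from urllib.parse import parse_qs


class ParamRateLimiter:
    """Sliding-window limiter: at most `limit` requests carrying `param`
    per `window_ms` milliseconds from any single source IP."""

    def __init__(self, param, limit, window_ms):
        self.param = param
        self.limit = limit
        self.window_ms = window_ms
        # src_ip -> timestamps (ms) of recently allowed matching requests
        self._hits = defaultdict(deque)

    def check(self, src_ip, body, now_ms):
        """Return "allow" or "block" for one request."""
        fields = parse_qs(body, keep_blank_values=True)
        if self.param not in fields:
            return "allow"           # requests without the parameter are never limited
        q = self._hits[src_ip]
        while q and now_ms - q[0] >= self.window_ms:
            q.popleft()              # drop hits that fell out of the window
        if len(q) >= self.limit:
            return "block"           # only the excess from this IP is dropped
        q.append(now_ms)
        return "allow"


def constructed_traffic():
    """Constructed sample traffic (hypothetical IPs), 10 seconds long:
    10.0.0.1 sends the parameter at 4 TPS (legitimate),
    10.0.0.2 floods it at 40 TPS,
    10.0.0.3 sends 20 TPS without the parameter at all."""
    reqs = []
    for sec in range(10):
        base = sec * 1000
        reqs += [(base + i * 250, "10.0.0.1", "ABC=1&other=x") for i in range(4)]
        reqs += [(base + i * 25, "10.0.0.2", "ABC=1") for i in range(40)]
        reqs += [(base + i * 50, "10.0.0.3", "other=x") for i in range(20)]
    reqs.sort()                      # replay in time order, as a device would see it
    return reqs


def simulate(limit=10, window_ms=1000):
    """Run the limiter over the sample traffic; return per-IP allow/block counts."""
    rl = ParamRateLimiter("ABC", limit, window_ms)
    counts = defaultdict(lambda: {"allow": 0, "block": 0})
    for now_ms, ip, body in constructed_traffic():
        counts[ip][rl.check(ip, body, now_ms)] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, c in sorted(simulate().items()):
        print(ip, c)
```

With a limit of 10 per second, the 4 TPS client and the client that never sends the parameter are untouched, while the 40 TPS client is cut back to 10 TPS and the other 30 per second are dropped. The limit would be chosen from the observed baseline (the thread's 10 TPS) with headroom, and the window in production should be wider than one second so short legitimate bursts are not clipped.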