Forum Discussion
F5 LTM/ASM, iRule to ignore query string to prevent DDoS attack.
Hello guys,
My environment: F5 LTM, ASM in learning mode.
Webapp: Public facing site with many pages with few search pages and filtering pages.
I see many people are hitting the site with unknown query strings and trying to flood the site.
Is there a way to remove all the query string parameters and redirect to the URL without the query string, like a URL redirect module?
I want to exclude some pages that allow content filtering, like using a query string.
Do we want to use an iRule to achieve this, or does the ASM/LTM module have a better solution? With iRules I'm sure I can achieve this, but I'm not sure if this is the best solution.
Frequently someone/bot/crawler is trying to hit the site to make the CPU run very high, like a DDoS kind of attack.
Any pointer is appreciated.
Regards
Janu
Hi Juna,
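You could use this iRule:

    when HTTP_REQUEST {
        # Only act on requests that carry a query string; without this check the
        # redirect target (no query) matches too and the client loops.
        set q [string tolower [HTTP::query]]
        if { $q ne "" && !($q contains "utm" || $q contains "gclid") } {
            HTTP::respond 302 Location "http://www.domain.org"
        }
    }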
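
The behaviour asked for in the question (strip the query string, redirect to the same URL, exempt the pages that need parameters), as an added example that is not part of the original posts. The exempt paths `/search` and `/products/filter` are hypothetical placeholders; the `utm`/`gclid` exemption is carried over from the reply above.

```tcl
# Added example, not the posters' code. The exempt paths below are
# hypothetical; replace them with the pages that really take
# query-string input (search, filtering).
when HTTP_REQUEST {
    # Nothing to strip: let the request through. This also keeps the
    # redirect target itself from being redirected again.
    if { [HTTP::query] eq "" } {
        return
    }

    # Pages that are allowed to receive a query string.
    switch -glob -- [string tolower [HTTP::path]] {
        "/search*" -
        "/products/filter*" {
            return
        }
    }

    # Tracking parameters exempted in the reply above.
    set q [string tolower [HTTP::query]]
    if { ($q contains "utm") || ($q contains "gclid") } {
        return
    }

    # Everything else is answered by the BIG-IP with a redirect to the
    # same path minus the query string, so the pool member never sees
    # the request carrying the unknown parameters.
    HTTP::respond 302 noserver Location [HTTP::path]
}
```

The redirect keeps the backend from processing unknown parameters, but the BIG-IP still answers every request, so it reduces application CPU load without stopping the flood itself.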
- Brandon_Employee
Hello sunny123!
KeesvandenBos has provided a viable iRule solution for a specific attack, but to continue answering the second part: yes! Advanced WAF has denial of service capabilities specifically to mitigate these types of attacks.
Here is a great video overview of how behavioral DoS can react to stress on your backend systems and mitigate aggressive requests.
https://www.youtube.com/watch?v=uLhJNoEMsqA
There's an entire implementations guide, "Preventing DoS Attacks on Applications".
And well, because a lot of these types of requests are automated, F5's bot defense can help you identify and mitigate automated requests.
HTH
-Brandon