Forum Discussion
Song_chi_woon_2
Nimbostratus
Nov 01, 2006
how to set iRule against DoS attack
Hi
I know the attack defense method such as Code Red or Nimda in BIG-IP. The BIG-IP system is able to filter out Code Red and Nimda by using to send the HTTP requests
I want to know how to prevent to th...
hoolio
Cirrostratus
Nov 01, 2006
Hi grimish,
Nice addition. I think using a string function instead of a regex would be more efficient. Here are a couple of examples:

when HTTP_REQUEST {
    # Lowercase the URI so the string matches are case-insensitive
    set uri [string tolower [HTTP::uri]]
    if { ($uri contains "default.ida")
        or ($uri contains "cmd.exe")
        or ($uri contains "root.exe")
        or ($uri contains "admin.dll") } {
        log local0. "client: [IP::client_addr], requested [HTTP::host]$uri and was discarded"
        discard
    } else {
        pool livepool
    }
}

Or with a host header restriction and the URI filtering:

when HTTP_REQUEST {
    # Lowercase the URI so the string matches are case-insensitive
    set uri [string tolower [HTTP::uri]]
    # Discard when the Host header is not for this site or the URI matches
    if { not ( [string tolower [HTTP::header Host]] contains "mysite.com" ) or (
        ($uri contains "default.ida")
        or ($uri contains "cmd.exe")
        or ($uri contains "root.exe")
        or ($uri contains "admin.dll")) } {
        log local0. "client: [IP::client_addr], requested [HTTP::host]$uri and was discarded"
        discard
    } else {
        pool livepool
    }
}

To test this, you can make a request to the VIP with one of these rules configured. The browser should hang as the request is ignored (discarded), until a timeout is reached. The /var/log/ltm file should also log the client IP address and host/URI.
Aaron
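
A way to review what these rules discarded, as an added example that is not part of the original post: the Python below parses the message text written by the rules' log statement and counts discards per client and per matched string. The syslog prefix and the rule name block_worms in the sample lines are constructed assumptions; only the message format comes from the rules above.

```python
import re
from collections import Counter, defaultdict

# Strings the iRules above match against the lowercased URI.
SIGNATURES = ("default.ida", "cmd.exe", "root.exe", "admin.dll")

# Message text produced by the rules' log statement. The greedy target plus
# end anchor keeps a URI that itself contains " and was discarded" intact.
DISCARD_RE = re.compile(
    r"client: (?P<ip>[0-9A-Fa-f.:%]+), "
    r"requested (?P<target>.*) and was discarded\s*$"
)

def parse_discard(line):
    """Return (client_ip, host+uri, matched signatures) or None."""
    m = DISCARD_RE.search(line)
    if m is None:
        return None
    target = m.group("target")
    hits = [s for s in SIGNATURES if s in target.lower()]
    return m.group("ip"), target, hits

def summarize(lines):
    """Count discards per client, keyed by the string that triggered them."""
    per_client = defaultdict(Counter)
    for line in lines:
        parsed = parse_discard(line)
        if parsed is None:
            continue  # not written by these rules
        ip, _target, hits = parsed
        # No signature hit means the second rule's Host check discarded it.
        for label in hits or ["host-restriction"]:
            per_client[ip][label] += 1
    return {ip: dict(counts) for ip, counts in per_client.items()}

# Constructed sample lines; the syslog prefix and rule name are assumptions.
PREFIX = "Nov  1 10:15:02 bigip tmm[1234]: Rule block_worms <HTTP_REQUEST>: "
SAMPLE_LOG = [
    PREFIX + "client: 192.0.2.10, requested www.mysite.com/default.ida?x and was discarded",
    PREFIX + "client: 192.0.2.10, requested www.mysite.com/scripts/root.exe and was discarded",
    PREFIX + "client: 198.51.100.7, requested other.example/index.html and was discarded",
    PREFIX + "client: 198.51.100.7, requested WWW.MySite.com/scripts/cmd.exe and was discarded",
    "Nov  1 10:15:09 bigip mcpd[2345]: unrelated line that the parser skips",
]

if __name__ == "__main__":
    for ip, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, counts)
```

A client that appears only under host-restriction was discarded by the Host header check of the second rule rather than by one of the URI strings.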
