Irule for DDOs Attacks!

Question

Hello,&nbsp;
I´m working with a client that is getting DD0s attacks from random IPs. We have some limitations with the Hardware as we only have an ASA and the F5 but no additional security modules, and no IPs for the FW. In the ASA I have limited the embryonic connections using TCP Intercept. &nbsp;
In the F5 i would like to write an irule to deny incoming connections containing the following string: UNION%20SELECT%20&nbsp;
During the attacks we were able to identify that all the IPs contain UNION%20SELECT%20 in the url. So I´m wondering if this could work:&nbsp;
/usr/libexec/bigpipe rule DDOs '{&nbsp;
when HTTP_REQUEST {&nbsp;
  if { [string tolower [HTTP::uri]] contains "UNION%20SELECT%20" } {&nbsp;
    log local0. "Rejecting [HTTP::uri] request"&nbsp;
    reject&nbsp;
  }&nbsp;
} &nbsp;
}'&nbsp;
1- I need this apply for all the VIPs, for all the incoming connections.
2. I know that we should have Security Modules or an IPs or NextGen Firewall, but unfortunatly we have limitations.
3. Any other suggestion is welcome, I really appreciate your help!&nbsp;

rico · Answer

Your iRule should work except for the fact that you are checking for an uppercase string in a lowercase string.
if { [string tolower [HTTP::uri]] contains "UNION%20SELECT%20" } {

Should be
if { [string tolower [HTTP::uri]] contains "union%20select%20" } {

Here is some additional information on how to help mitigate DDoS attacks with the LTM module.
F5 also has their Silverline product which could help. I figured I would mention it though I understand that the client may have restrictions.

dylan_375544 · Answer

The one issue I see is that you have "UNION%20SELECT%20" as what you are searching for.&nbsp;
But you also have "stringtolower" which would change the URI to all lowercase, and therefore "UNION%20SELECT%20" would never actually show up since it is in CAPS.&nbsp;
Change that to "union%20select%20"&nbsp;
Hope that helps! If it does please up-vote and select this answer, it'd be greatly appreciated!&nbsp;
-Dylan&nbsp;

dylan_375544 · Answer

I got beat to the punch! :D&nbsp;

rico · Answer

Get out of here Dylan. This is my turf!&nbsp;

dylan_375544 · Answer

Your answer is more thorough. ;)&nbsp;

Forum Discussion

Irule for DDOs Attacks!

Recent Discussions

F5 DNS Generic Host

How do I create a traffic log for two different route domains?

Http / https health monitor issue

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

Need Urgent BIGIP Trial License and VM Image

Related Content

DDoS Attack Trends for 2021

Scrubbing away DDoS attacks

Exploit PowerShell, Ransomware Attack Report, Active Cyber Defense, Attack to GPS

Real Attack Stories: DDoS Against Email Provider

Real Attack Stories: Online Payment Center DDoS

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS