irule to mitigate HTTP de-sync attack

Question

Hi Experts, I'm here to seek some help in implementing irule that would search the http requests that contains both the headers 1. Transfer Encoding 2. Content-length and reset the connection for the these requests. This is to mitigate the HTTP de-sync attack on the F5 units which has the ASM security policy in transparent mode. I tried the below, but it didn't work. Request your help. when HTTP_REQUEST {
if { [class match [HTTP::header "Content-length"] &gt; 0 ] AND [HTTP::header "Transfer-encoding"] equals "chunked"} {
reset
}
}
I need to look at the HTTP requests which has the headers content-length &gt; 0 and with header transfer-encoding as chunked, drop this connection, allow the rest of the request to through.

ivan_chernenkii · Answer

Hello,&nbsp;Why you can not use standard "HTTP Desync Attack Attempt" attack signature for it?&nbsp;Thanks, Ivan

Forum Discussion

irule to mitigate HTTP de-sync attack

Recent Discussions

How to Renew F5 Device Certificate

How to export a list of paired external service providers from APM?

BIG-IP Edge Endpoint Inspection Failure pre-VPN

BIG IP LTM - Multiple application on single VIP with multiple ports allowed.

Service discovery is not happening in AS3

Related Content

Cyber Security Attack Mitigations with BIG-IP features

Mitigating JSON-based SQL injection with BIG-IP ASM / Advanced WAF Attack Signatures

Mitigating OWASP Web Application Risk: SSRF Attack using F5 XC Platform

Exploit PowerShell, Ransomware Attack Report, Active Cyber Defense, Attack to GPS

Mitigating OWASP Web Application Risk: Broken Access attacks using F5 Distributed Cloud Platform

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS