Forum Discussion
Angel_Martinez_
Nimbostratus
NimbostratusPersistence Flood
Hi
I would like if the BigIP LTM has any prevention system against a persistence table flood...
If we're playing with iRules adding persistence based on Set-Cookie I guess we could be in troubles if a bad user is asking for a new session doing a flood attack...
In my case:
when HTTP_RESPONSE {
if { [HTTP::header exists Set-Cookie] } {
persist add uie [HTTP::cookie "JSID"] 300
}
}
So the application gives us always a cookie if you ask for:
GET /login HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: es
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: oi2.cm.es
Connection: Keep-Alive
HTTP/1.0 200 OK
Date: Tue, 17 Nov 2009 09:34:59 GMT
Server: Apache
Cache-Control: no-cache
Cache-Control: no-store
Cache-Control: no-cache="set-cookie"
Pragma: No-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Set-Cookie: JSID=TYyqLCnDTk5gJvYhjHGjlNsFGyGqTmJ7vDj2pzDyT1RZKL6Nw3LZ!-124989947!2116557276; path=/
Content-Language: es
Connection: close
Content-Type: text/html; charset=UTF-8
I was wondering about give a really low persistence time at "persist uie add" like 5 seconds and when the rest of the traffic goes give a high persistence value...
something like this:
when HTTP_RESPONSE {
if { [HTTP::header exists Set-Cookie] } {
persist add uie [HTTP::cookie "JSID"] 5
}
}
when HTTP_REQUEST {
if { [active_members mypool] > "0" } {
if { [HTTP::cookie exists "JSID"] && ( [HTTP::cookie "JSID"] != "") } {
if { [persist lookup uie "[HTTP::cookie "JSID"] pool mypool"] != "" } {
persist uie [HTTP::cookie "JSID"] 3600
}
}
}
Any idea how to proctect the pesistence table ¿?
Thanks
hoolioCirrostratus
Hi Angel,
That's novel and could work. But then what happens if the attacker made a request with the JSID cookie in addition to the first request?
If you are concerned about such an attack, I think a better solution would be to use cookie insert persistence so that LTM doesn't have to track any sessions in its memory.
Aaron- The_BhattmanAaron is right on the money here. I use the same persistence for that very reason amongst other things.
CB 
Angel_Martinez_of course... it doesn't work ;o)
I'll try using persistence with cookie insert, but the idea is to load balance with the "JSession" cookie... anyway is really interesting to know about the advantages of "cookie insert".
I'll give you my labs feed backs.
Thank you!!!
