Forum Discussion
Angel_Martinez_
Nimbostratus
Nov 17, 2009
Persistence Flood
Hi
I would like to know if the BigIP LTM has any prevention system against a persistence table flood...
If we're playing with iRules adding persistence based on Set-Cookie, I guess we could be in trouble if a bad user is asking for a new session doing a flood attack...
In my case:
when HTTP_RESPONSE {
    # Add a universal (uie) persistence record keyed on the JSID cookie, 300 s timeout
    if { [HTTP::header exists Set-Cookie] } {
        persist add uie [HTTP::cookie "JSID"] 300
    }
}
So the application always gives us a cookie if you ask for:
GET /login HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: es
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: oi2.cm.es
Connection: Keep-Alive

HTTP/1.0 200 OK
Date: Tue, 17 Nov 2009 09:34:59 GMT
Server: Apache
Cache-Control: no-cache
Cache-Control: no-store
Cache-Control: no-cache="set-cookie"
Pragma: No-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Set-Cookie: JSID=TYyqLCnDTk5gJvYhjHGjlNsFGyGqTmJ7vDj2pzDyT1RZKL6Nw3LZ!-124989947!2116557276; path=/
Content-Language: es
Connection: close
Content-Type: text/html; charset=UTF-8
I was wondering about giving a really low persistence time at "persist uie add", like 5 seconds, and giving a high persistence value when the rest of the traffic comes...
Something like this:
when HTTP_RESPONSE {
    # New session: keep the record for only 5 seconds
    if { [HTTP::header exists Set-Cookie] } {
        persist add uie [HTTP::cookie "JSID"] 5
    }
}
when HTTP_REQUEST {
    if { [active_members mypool] > 0 } {
        if { [HTTP::cookie exists "JSID"] && ( [HTTP::cookie "JSID"] != "") } {
            # The client sent the JSID back and the record still exists: extend it to 3600 s
            if { [persist lookup uie "[HTTP::cookie "JSID"] pool mypool"] != "" } {
                persist uie [HTTP::cookie "JSID"] 3600
            }
        }
    }
}
Any idea how to protect the persistence table?
Thanks
3 Replies
- hoolio
Cirrostratus
Hi Angel,
That's novel and could work. But then what happens if the attacker made a request with the JSID cookie in addition to the first request?
If you are concerned about such an attack, I think a better solution would be to use cookie insert persistence so that LTM doesn't have to track any sessions in its memory.
Aaron
- The_Bhattman
Nimbostratus
Aaron is right on the money here. I use the same persistence for that very reason amongst other things.
CB
- Angel_Martinez_
Nimbostratus
Of course... it doesn't work ;o)
I'll try using persistence with cookie insert, but the idea is to load balance with the "JSession" cookie... anyway, it is really interesting to know about the advantages of "cookie insert".
I'll give you my lab's feedback.
Thank you!!!
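
The thread's argument as an added sketch, not code from any of the posters or from F5: a small simulation that counts persistence records under a steady stream of new sessions, comparing the first iRule, the 5 s / 3600 s variant, and cookie insert. The scheme names, the rate, and the one-record-per-session model are assumptions made for illustration.

```python
from collections import Counter

# (timeout set in HTTP_RESPONSE, timeout set in HTTP_REQUEST or None), seconds
SCHEMES = {"uie_300": (300, None), "two_tier": (5, 3600)}  # labels are hypothetical

def peak_table_entries(scheme, rate, seconds, replay_delay=None):
    """Peak number of persistence records with `rate` new sessions per second.

    replay_delay: seconds until a client sends its JSID back in a request,
    or None if it never does (the simple flood from the first post).
    """
    if scheme == "cookie_insert":
        return 0  # the member choice travels in the inserted cookie, no record kept
    first_ttl, promoted_ttl = SCHEMES[scheme]
    expiring = Counter()  # expiry second -> records that time out then
    live = peak = 0
    for t in range(seconds):
        live -= expiring.pop(t, 0)  # drop records whose timeout elapsed
        lifetime = first_ttl
        if (promoted_ttl is not None and replay_delay is not None
                and replay_delay < first_ttl):
            # persist lookup still finds the record, so the long timeout applies
            lifetime = replay_delay + promoted_ttl
        expiring[t + lifetime] += rate
        live += rate
        peak = max(peak, live)
    return peak

if __name__ == "__main__":
    rate, seconds = 1000, 900  # constructed load: 1000 new sessions/s for 15 min
    for scheme, delay in [("uie_300", None), ("two_tier", None),
                          ("two_tier", 1), ("cookie_insert", 1)]:
        print(scheme, delay, peak_table_entries(scheme, rate, seconds, delay))
```

Without a replayed cookie the short timeout caps the table at rate × 5 records, but one follow-up request per session within the 5 seconds restores growth bounded only by the 3600-second timeout.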