RPC load balancing among multiple tiers using iRules, pools and forwarding
Chris_Stamm_183 (Nimbostratus), Aug 10, 2005
Scenario:
We have an app that uses...
TCP port 7496 for one piece.
TCP port 3372 for another piece.
TCP port 135 for DTC that will renegotiate a high port in this case we set the RPC rang...
rapmaster_c_127 (Historic F5 Account), Aug 12, 2005
The issue is one of making the attack harder to perpetrate more than anything else. When any script-kiddie with a connection to the internet can send out an arbitrary SYN packet spoofing its source IP address, we could potentially be evaluating a rule on every last one of those SYNs, with no way of telling whether the SYN is representative of a real client. All someone would have to do is connect to the internet and spew out hundreds and thousands of SYNs per second at us. If each one of those bare SYNs caused us to have to evaluate a rule, this would be an easy DoS.
By deferring rule evaluation until the 3-way handshake completes, we at least know that the SYN is not spoofed, since the attacker needs to be able to mirror (our sequence number + 1) back in its ACK, and this makes the attack somewhat more difficult, in that the attacker cannot perpetrate a blind-attack against us.
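To illustrate the reasoning in the reply above, here is an added Python model of a listener that only runs its rule once the peer has echoed (our ISN + 1); it is not F5 code, and the Listener class, simulate() helper and addresses are constructed for the example.

```python
import secrets

class Listener:
    """Constructed model: rule evaluation is deferred until the 3-way handshake completes."""

    def __init__(self):
        self.half_open = {}        # (src_ip, src_port) -> ISN we sent in our SYN-ACK
        self.rule_evaluations = 0  # how many times the (hypothetical) iRule actually ran
        self.established = 0

    def on_syn(self, src):
        # Pick an unpredictable ISN and remember it; the SYN-ACK carrying it is routed to
        # the claimed source address, so only the real owner of that address ever sees it.
        isn = secrets.randbits(32)
        self.half_open[src] = isn
        return isn

    def on_ack(self, src, ack_number):
        # Handshake completes only if the peer echoes ISN + 1 (mod 2**32). A blind sender
        # that spoofed its source never received the SYN-ACK and cannot produce this value.
        isn = self.half_open.get(src)
        if isn is None or ack_number != (isn + 1) % 2**32:
            return False  # no rule evaluation for a bare or mis-acknowledged SYN
        del self.half_open[src]
        self.established += 1
        self.rule_evaluations += 1  # the rule runs here, not on the bare SYN
        return True

def simulate(spoofed_syns, real_clients):
    """Constructed traffic: a burst of spoofed SYNs (never acknowledged) plus real clients."""
    l = Listener()
    for i in range(spoofed_syns):
        # SYN-ACK goes to the spoofed address (TEST-NET range); nobody answers it.
        l.on_syn(("203.0.113.%d" % (i % 254 + 1), 40000 + i))
    for i in range(real_clients):
        src = ("198.51.100.10", 50000 + i)  # a legitimate client that sees the SYN-ACK
        isn = l.on_syn(src)
        l.on_ack(src, (isn + 1) % 2**32)
    return l

if __name__ == "__main__":
    sim = simulate(1000, 3)
    print("spoofed SYNs:", 1000, "rule evaluations:", sim.rule_evaluations)
```

With rule evaluation deferred, a thousand spoofed SYNs leave a thousand half-open entries but trigger zero rule evaluations; only the three completed handshakes do.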