For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

1qaz's avatar
1qaz
Icon for Nimbostratus rankNimbostratus
Apr 03, 2022

security vulnerability in security scanning: slow HTTP attacks

Hi, My company's F5 device has a security vulnerability in security scanning: slow HTTP attacks,I found that there is an irules on the askf5 website for Mitigating Slowloris DoS attacks(https://suppo...
security
Dario_Garrido's avatar
Dario_Garrido
Icon for Noctilucent rankNoctilucent
Apr 27, 2022

Hello 1qaz.

I've not tested your iRule in my environment, but if you analyze the code, you will see that your logic approach is equivalent to the F5 proposal, so legitimate users over very slow links will have the same problem as with the other iRule.

This is the F5 iRule explained.

when CLIENT_ACCEPTED {
	# Set variable 'rtimer' to zero
	set rtimer 0
	# Run this next code after 1 second
	after 1000 {
		# if the connection is still zero (HTTP_REQUEST event didn't occur), drop the connection
		if { not $rtimer} {
			drop
		}
	}
}

when HTTP_REQUEST {
	# This query is legitime, so change 'rtimer' to one
	set rtimer 1
}