Shay_Ben-David1
Apr 02, 2008

Simple iRule help me from DDOS attack

Hi everyone,

In the last few days we had a DDOS attack on our webs. This DDOS was not a bandwidth attack; actually it was legitimate requests from our site like http://www.mysite.com/, but they came from many IPs and proxies, with very intensive and multiple requests to the server farm. Eventually all my servers went to 100% CPU with more than 8K connections to the IIS. After researching the attack I found that most of the attack came from Russia and was directed at the homepage of the site. Here is the simple iRule that saved the day for us:

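    when HTTP_REQUEST {
        # Requests for the site root or the homepage (the URIs the attack hit)
        # are redirected away from the main pool.
        if { [HTTP::uri] equals "/" } {
            log "uri: [HTTP::uri] "
            HTTP::redirect "http://anotherserverpool"
        } elseif { [HTTP::uri] equals "/homepage.asp" } {
            log "uri: [HTTP::uri] "
            HTTP::redirect "http://anotherserverpool"
        } elseif { [string tolower [HTTP::header "Accept-Language"]] contains "ru" } {
            # Any Accept-Language value containing "ru" is sent to a null site.
            HTTP::redirect "http://nullsite"
        } else {
            # Everything else (bookmarks, specific URIs) goes to the normal pool.
            pool mypool
        }
    }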

This iRule lets our paying customers who use bookmarks and specific URIs on the site keep on working, and most of the DDOS attack was prevented. Sure, this is not perfect, but in terms of survival this was the best way for us.

Another important thing: usually our CPU utilization is around 40%; with the iRule we were at around 70%-80% on our 6400.

Maybe it can help others.

Good luck.

Comments will be welcome!
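A variant of the iRule in the post above, added here as an example; it is not part of the original post and not F5's code. It matches on the lower-cased `HTTP::path`, so the homepage rule still applies when a request carries a query string or different letter case, and it checks Accept-Language tag by tag. The tag-matching rule is an assumption; the pool and redirect names are the post's placeholders.

```tcl
# Added example, not from the original post.
when HTTP_REQUEST {
    # HTTP::path excludes the query string, so "/?x=1" is still seen as "/".
    # Lower-casing covers IIS, which treats /HomePage.asp and /homepage.asp
    # as the same resource.
    set path [string tolower [HTTP::path]]

    # Assumption: a client counts as Russian-language only if one tag in
    # Accept-Language is "ru" or starts with "ru-" (for example "ru-RU"),
    # rather than the header containing the substring "ru" anywhere.
    set is_ru 0
    foreach tag [split [string tolower [HTTP::header "Accept-Language"]] ","] {
        # Drop the ";q=0.8" weight and surrounding spaces from each tag.
        set lang [string trim [lindex [split $tag ";"] 0]]
        if { $lang eq "ru" || [string match "ru-*" $lang] } {
            set is_ru 1
            break
        }
    }

    # Same decision order as the post: homepage URIs first, then language,
    # then the normal pool. Per-request logging is left out to keep the work
    # done for each flood request small.
    switch -- $path {
        "/" -
        "/homepage.asp" {
            HTTP::redirect "http://anotherserverpool"
        }
        default {
            if { $is_ru } {
                HTTP::redirect "http://nullsite"
            } else {
                pool mypool
            }
        }
    }
}
```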

 

  • Sure thing,

    Please add it, Colin. You wouldn't believe how much money this iRule saved us, and again, I remember you mentioned in one of your sessions in Israel that customers look for iRule solutions; well, this is the exact case.

    Thanks

    We have been working with F5 since the year 2000, and we know why!

    Shay

    :D
  • Colin_Walker_12
    Done deal: Click here. Feel free to edit the page and update the description to add more info, if you feel so inclined.

    Thanks again!

    Colin