Forum Discussion
TTrautman_94620
Nimbostratus
Jun 19, 2009
Slowloris
Does anyone know how ASM would handle this recently posted Denial of Service attack:
http://ha.ckers.org/slowloris/
The concept is the client hogs sockets by slowly trickling http headers to keep the sockets from closing. Over time, it consumes enough sockets & resources to bring the server down...especially those that have threading.
Just curious how the ASM would react under these circumstances.
17 Replies
- Wong_Onn_Chee_6
Nimbostratus
Thanks for the reply, Aaron.
Now, I know what we can tell the potential ASM customer. :-)
- Lukas_54405
Nimbostratus
Hi,
We have the same issue with the slowloris attack and want to resolve it by using an HTTP profile on our LTMs. But what about HTTPS requests? I've heard that we will need to add SSL certificates together with the HTTP profile, otherwise HTTPS requests will be dropped. Is it true?
And what about non-80 or 443 ports? Are they safe against DoS attacks?
Thank you for your response
- Mike_Maher
Nimbostratus
Lukas,
I will answer your last question regarding non-80 or 443 ports. No, they are not safe against DoS; I can run a DoS attack against any port. 80 and 443 are the standard ports for HTTP and HTTPS, but I can run those protocols over any port I want to. I would not get caught up in the port number but rather what is running behind it.
Mike
- David_Holmes_9
Historic F5 Account
Lukas,
To defend against slowloris you only need to have an http profile attached to your virtual. This will cause BIG-IP to hold the connection until the headers are complete before sending on to the servers: since Slowloris never completes the headers, the Slowloris connection will never hit the server.
We haven't seen any instances of Slowloris over SSL yet. Please let us know if you see that happening. If you do see a Slowloris/SSL attack, the defense is the same -- just make sure that your HTTPS virtual has an http profile (it probably already does).
David
- Lukas_54405
Nimbostratus
Mike, thanks for the advice. Probably will need to add an HTTP profile to all VIPs.
David,
for now we are not using an HTTP profile, don't know why. Will add it and test with the server group if it's working for all services.
Just one more question about HTTPS traffic. I've heard that the HTTP profile will drop the HTTPS traffic without an SSL certificate. Is it true, or can I use the HTTP profile also under HTTPS VIPs without any issues?
- David_Holmes_9
Historic F5 Account
Lukas,
Are you load-balancing a mix of HTTP and HTTPS traffic through your virtual? Typically one would have HTTP traffic going to one virtual (80 for example) and HTTPS traffic to another (on port 443 for example). Both would still use the http profile. However, if you are indeed handling a mix of traffic through a single virtual then you can still accomplish what you want (slowloris protection) but it will require some iRule action (to turn off the https profile for connections that don't need it).
Hope this helps.
- Lukas_54405
Nimbostratus
David,
I am load-balancing a mix of HTTP and HTTPS traffic, but not through one virtual. We are using many virtuals, each of which load-balances through just one port (e.g. 80, 443, etc.).
I've been told that I can use http profile for each HTTP(80) virtual and that HTTPS(443) virtuals should not be running without SSL certificate. That's why I am asking if it's OK to use it also for HTTPS(443) virtuals as well as for HTTP/HTTPS virtuals running on "uncommon" ports?
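
The header-buffering behaviour David_Holmes_9 describes earlier in the thread can be modelled as below. This is an added example, not part of the original thread and not F5 code: it replays constructed connection events through a proxy that releases a connection to the backend only once the header terminator has arrived. The `max_header_age` threshold, measured from the first byte so that a slow trickle cannot reset it, is an assumption for illustration and is not mentioned in the thread.

```python
from dataclasses import dataclass, field

HEADER_END = b"\r\n\r\n"  # blank line that terminates HTTP request headers

@dataclass
class Conn:
    first_seen: float
    buf: bytearray = field(default_factory=bytearray)
    forwarded: bool = False

def replay(events, now, max_header_age=30.0):
    """Replay (time, conn_id, chunk) events through a header-buffering proxy.

    Returns (forwarded, held, stale): ids released to the backend, ids still
    buffered at the proxy, and held ids older than max_header_age seconds
    (an assumed reaping threshold, counted from the first byte received).
    """
    conns = {}
    for ts, cid, chunk in sorted(events):
        c = conns.setdefault(cid, Conn(first_seen=ts))
        if c.forwarded:
            continue  # headers already released; later bytes stream through
        c.buf += chunk  # accumulate so a terminator split across chunks is found
        if HEADER_END in c.buf:
            c.forwarded = True
    forwarded = sorted(i for i, c in conns.items() if c.forwarded)
    held = sorted(i for i, c in conns.items() if not c.forwarded)
    stale = [i for i in held if now - conns[i].first_seen > max_header_age]
    return forwarded, held, stale

# Constructed sample traffic: "a" is a normal request, "b" trickles one header
# every few seconds and never finishes, "c" completes with the terminator split
# across two chunks, "d" has only just connected.
EVENTS = [
    (0.0, "a", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (0.0, "b", b"GET / HTTP/1.1\r\nHost: example.test\r\n"),
    (10.0, "b", b"X-a: 1\r\n"),
    (20.0, "b", b"X-b: 2\r\n"),
    (40.0, "b", b"X-c: 3\r\n"),
    (35.0, "c", b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r"),
    (36.0, "c", b"\n"),
    (38.0, "d", b"GET /"),
]

if __name__ == "__main__":
    print(replay(EVENTS, now=45.0))
```

Connection "b" never reaches the backend however long it trickles, and it is the only one flagged stale; "d" is held but still within the assumed window.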