Forum Discussion

Aug 03, 2011

SSL Renegotiation DOS iRule for BIG-IP 9.4.5 Build 1086.1 Hotfix HF2




I am just trying to implement the following iRule on a BIG-IP 9.4.5 Build 1086.1 Hotfix HF2. I know that this iRule is designed to run on V10.x LTMs.



Is there a way to rewrite the rule so that I can run it on V9.4.5 as well?



when RULE_INIT {
    # threshold: more than this many handshakes per connection within the window is an attack
    set static::maxquery 5
    # window length in milliseconds
    set static::mseconds 60000
}

when CLIENT_ACCEPTED {
    # per-connection handshake counter (event scope as in the original DevCentral rule)
    set ssl_hs_reqs 0
}

when CLIENTSSL_HANDSHAKE {
    incr ssl_hs_reqs
    # undo this increment once the window has elapsed (timer needs the "after" command, v10+)
    after $static::mseconds { if {$ssl_hs_reqs > 0} {incr ssl_hs_reqs -1} }
    if { $ssl_hs_reqs > $static::maxquery } {
        # tarpit the offender for 5 seconds before dropping the connection
        after 5000
        log "Handshake attack detected, dropping [IP::client_addr]:[TCP::client_port]"
        drop
    }
}










The iRule was originally posted at to prevent SSL renegotiation DOS attacks.



BIG-IP V9.4.5 currently doesn't know the Tcl command _after_, so the iRule may not be run.



Thank you in advance for any feedback on this



Kind Regards






1 Reply

  • Hello Joachim,



    I was just wondering if you figured out a solution for your problem until now. If yes, it would be nice if you could post it.



    As far as I understood, you might have three possible choices.


    1) Upgrade to version 10.x or higher, so the after command can be used.


    2) Just use the iRule without the after command and therefore drop the handshake directly.


    3) Use an extension like the one below with all the consequences.



    when HTTP_REQUEST {
        # busy-wait for 50 ms by spinning on the millisecond clock
        set newtime [expr {[clock clicks -milliseconds] + 50}]
        while { [clock clicks -milliseconds] < $newtime } {
            # nothing to do; loop until the deadline has passed
        }
    }






    Possible consequences: it leads TMM into a holding pattern until it completes, without processing any other traffic in the meantime.



    Maybe there is someone who knows a better choice than I do.



    Thanks so far.



    Best regards
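As an added example (not code from either post above), one way to get the same per-connection handshake rate limit without the after command, which both the question and choice 2) of the reply turn on: instead of a timer that decrements a counter, each connection keeps the timestamps of its own handshakes and prunes the ones older than the window on every new handshake. It assumes CLIENTSSL_HANDSHAKE and clock clicks -milliseconds are available on the 9.4.5 build in question, and the variable names ::ssl_maxquery, ::ssl_window_ms and ssl_hs_times are my own.

```tcl
# Added example, not the original poster's or the reply's rule.
# Rate-limits SSL handshakes per connection on LTM 9.4.x, which has
# neither "after" nor the static:: namespace.
when RULE_INIT {
    # globals stand in for static:: on 9.4.x
    # (note: global variables demote this rule from CMP on CMP platforms)
    set ::ssl_maxquery 5
    set ::ssl_window_ms 60000
}

when CLIENT_ACCEPTED {
    # per-connection list of handshake timestamps in milliseconds
    set ssl_hs_times [list]
}

when CLIENTSSL_HANDSHAKE {
    set now [clock clicks -milliseconds]

    # keep only handshakes that are still inside the window; this replaces the
    # "after $static::mseconds { incr ssl_hs_reqs -1 }" timer of the v10 rule
    set recent [list]
    foreach t $ssl_hs_times {
        if { [expr {$now - $t}] < $::ssl_window_ms } {
            lappend recent $t
        }
    }
    lappend recent $now
    set ssl_hs_times $recent

    if { [llength $ssl_hs_times] > $::ssl_maxquery } {
        # no 5-second tarpit here: without "after" that would need a busy loop
        # that blocks TMM, so the connection is dropped immediately
        log local0. "Handshake attack detected, dropping [IP::client_addr]:[TCP::client_port] ([llength $ssl_hs_times] handshakes in window)"
        drop
    }
}
```

The list only grows to maxquery+1 entries per connection, so the pruning loop stays cheap even under a renegotiation flood.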