Forum Discussion
jkrumb_39474
Nimbostratus
Aug 03, 2011
SSL Renegotiation DOS iRule for BIG-IP 9.4.5 Build 1086.1 Hotfix HF2
Hello,
I am trying to implement the following iRule on a BIG-IP 9.4.5 Build 1086.1 Hotfix HF2. I know that this iRule is designed to run on V10.x LTMs.
Is there a way to rewrite the rule so that I can run it on V9.4.5 as well?
when RULE_INIT {
    # More than maxquery handshakes within mseconds on one connection
    # is treated as a renegotiation flood.
    set static::maxquery 5
    set static::mseconds 60000
}
when CLIENT_ACCEPTED {
    # Per-connection handshake counter.
    set ssl_hs_reqs 0
}
when CLIENTSSL_HANDSHAKE {
    incr ssl_hs_reqs
    # Schedule the decrement so each handshake only counts for mseconds;
    # "after" is what is missing on 9.4.x.
    after $static::mseconds { if {$ssl_hs_reqs > 0} {incr ssl_hs_reqs -1} }
    if { $ssl_hs_reqs > $static::maxquery } {
        # Tarpit the offending connection for 5 s before dropping it.
        after 5000
        log "Handshake attack detected, dropping [IP::client_addr]:[TCP::client_port]"
        drop
    }
}
The iRule was originally posted at http://devcentral.f5.com/weblogs/david/archive/2011/05/16/ssl-renegotiation-dos-irule-updates.aspx to prevent SSL renegotiation DOS attacks.
BIG-IP V9.4.5 currently doesn't know the Tcl command _after_, so the iRule may not run.
Thank you in advance for any feedback on this
Kind Regards
Joachim
1 Reply
AMa_3342
Nimbostratus
Hello Joachim,
I was just wondering whether you have found a solution to your problem by now. If yes, it would be nice if you could post it.
As far as I understand, you have three possible choices.
1) Upgrade to version 10.x or higher, so that the after command can be used.
2) Just use the iRule without the after command, and therefore drop the handshake directly.
3) Use an extension like the one below, with all the consequences.
when HTTP_REQUEST {
    # Busy-wait for 50 ms: spin until the millisecond clock passes newtime.
    set newtime [expr {[clock clicks -milliseconds] + 50}]
    while { [clock clicks -milliseconds] < $newtime } {
    }
}
Possible consequence: it puts TMM into a holding pattern until the loop completes, without processing any other traffic in the meantime.
Maybe someone knows a better choice than I do.
Thanks so far.
Best regards
AMa
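As an added example (this is not code from either post above, nor F5's own rule): a rewrite of Joachim's iRule that does without the `after` command entirely, so it addresses both the original question and the reply's option 2 without the blocking loop of option 3. Instead of scheduling a decrement timer for each handshake, it keeps the timestamps of recent handshakes per connection and prunes those older than the window on every new handshake, which yields the same sliding-window count the original's timers produced. It assumes that `clock clicks -milliseconds` is available in 9.4.x iRules (verify on your release) and uses `::`-scoped globals because the `static::` namespace only arrived with v10; the thresholds are the original's.

```tcl
# Added example, not from the original thread. Per-connection SSL
# handshake rate limit without the Tcl "after" command.
# Assumptions: "clock clicks -milliseconds" works in 9.4.x iRules;
# "::name" globals are used because static:: did not exist before v10.

when RULE_INIT {
    # More than ::maxquery handshakes within ::window_ms on one
    # connection is treated as a renegotiation flood.
    set ::maxquery 5
    set ::window_ms 60000
}

when CLIENT_ACCEPTED {
    # Per-connection list of handshake timestamps (milliseconds).
    # Each entry plays the role of one pending "after" timer.
    set ssl_hs_times [list]
}

when CLIENTSSL_HANDSHAKE {
    set now [clock clicks -milliseconds]

    # Expire entries older than the window. This is the lazy equivalent
    # of the original's "after $mseconds {incr ssl_hs_reqs -1}".
    set fresh [list]
    foreach t $ssl_hs_times {
        if { ($now - $t) < $::window_ms } {
            lappend fresh $t
        }
    }
    lappend fresh $now

    # Keep the list bounded at maxquery+1 entries so a connection that
    # survives "drop" cannot grow it without limit.
    set ssl_hs_times [lrange $fresh end-$::maxquery end]

    if { [llength $ssl_hs_times] > $::maxquery } {
        # No 5 s tarpit here: without "after" the only way to delay
        # would be a busy loop, which stalls TMM for all traffic.
        log local0. "Handshake attack detected, dropping [IP::client_addr]:[TCP::client_port]"
        drop
    }
}
```

The trade-off against the original is the lost tarpit: the offending connection is dropped on the handshake that exceeds the threshold rather than after a 5 s delay, which is exactly the reply's option 2. Everything else, including the 5-per-60-s sliding window, matches the v10 rule, and nothing in the handler blocks, so it is safe to run on a single-TMM 9.4.x box.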