Forum Discussion

jkrumb_39474's avatar
jkrumb_39474
Icon for Nimbostratus rankNimbostratus
Aug 03, 2011

SSL Renegotiation DOS iRule for BIG-IP 9.4.5 Build 1086.1 Hotfix HF2

Hello,

 

 

I am just trying to implement the following iRule on an BIG-IP 9.4.5 Build 1086.1 Hotfix HF2. I know that this iRule is designed to run on V10.x LTMs.

 

 

Is there a way to rewrite the rule that I may run on V9.4.5 as well?

 

 

when RULE_INIT {

 

set static::maxquery 5

 

 

set static::mseconds 60000

 

}

 

 

when CLIENT_ACCEPTED {

 

set ssl_hs_reqs 0

 

}

 

 

when CLIENTSSL_HANDSHAKE {

 

incr ssl_hs_reqs

 

 

after $static::mseconds { if {$ssl_hs_reqs > 0} {incr ssl_hs_reqs -1} }

 

 

if { $ssl_hs_reqs > $static::maxquery } {

 

 

after 5000

 

 

log "Handshake attack detected, dropping [IP::client_addr]:[TCP::client_port]"

 

 

drop

 

}

 

}

 

 

The iRule was originally posted at http://devcentral.f5.com/weblogs/david/archive/2011/05/16/ssl-renegotiation-dos-irule-updates.aspx to prevent SSL renegotiation DOS attacks.

 

 

BIG-IP V9.4.5 currently doesn't know the TCL command _after_, so the iRule may not be run..

 

 

Thank you in advance for any feedback on this

 

 

Kind Regards

 

 

Joachim

 

 

1 Reply

  • Hello Joachim,

     

     

    i was just wondering if you figured out a solution for your problem until now. If yes, it would be nice if you could post it.

     

     

    As far as i understood you might have three possible choices.

     

    1) Upgrade to Version 10.x or higher. So the after command could be used.

     

    2) Just use the iRule without the after command and therefore drop the handshake directly.

     

    3) Use an extension like the one below with all the consequences.

     

     

    when HTTP_REQUEST {

     

    set newtime [expr ]clock -miliseconds[ + 50]

     

    while {[clock -milliseconds] >= $newtime } {

     

    }

     

    }

     

    >>>possible consequences: It leads TMM into a holding pattern until it completes, without processing any other traffic in the mean time.

     

     

    Maybe there is someone who knows a better choice than i do.

     

     

    Thanks so far.

     

     

    Best regards

     

    AMa