For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

jkrumb_39474's avatar
jkrumb_39474
Icon for Nimbostratus rankNimbostratus
Aug 03, 2011

SSL Renegotiation DOS iRule for BIG-IP 9.4.5 Build 1086.1 Hotfix HF2

Hello,     I am just trying to implement the following iRule on an BIG-IP 9.4.5 Build 1086.1 Hotfix HF2. I know that this iRule is designed to run on V10.x LTMs.     Is there a way to rewr...
application delivery
dev
devops
iRules
AMa_3342's avatar
AMa_3342
Icon for Nimbostratus rankNimbostratus
Jun 19, 2012
Hello Joachim,

 

 

i was just wondering if you figured out a solution for your problem until now. If yes, it would be nice if you could post it.

 

 

As far as i understood you might have three possible choices.

 

1) Upgrade to Version 10.x or higher. So the after command could be used.

 

2) Just use the iRule without the after command and therefore drop the handshake directly.

 

3) Use an extension like the one below with all the consequences.

 

 

when HTTP_REQUEST {

 

set newtime [expr ]clock -miliseconds[ + 50]

 

while {[clock -milliseconds] >= $newtime } {

 

}

 

}

 

>>>possible consequences: It leads TMM into a holding pattern until it completes, without processing any other traffic in the mean time.

 

 

Maybe there is someone who knows a better choice than i do.

 

 

Thanks so far.

 

 

Best regards

 

AMa