Forum Discussion
SSL_renegotiation_DOS_mitigation
Hi,
I've been looking at this https://devcentral.f5.com/wiki/iRules.Print.aspx?Page=iRules.SSL_renegotiation_DOS_mitigation
I am confused by the iRule: where and when is hs_count initialised?
Trying the rule on my 11.2.1 807 box I get the following:
Nov 26 16:41:34 tmm err tmm[10885]: 01220001:3: TCL error: /b2c/vuln_ssl_renegotiation_dos - can't read "hs_count": no such variable (reading value of variable to increment) invoked from within "incr hs_count"
Nov 26 16:41:34 tmm err tmm[10885]: 01220001:3: TCL error: /b2c/vuln_ssl_renegotiation_dos - can't read "hs_count": no such variable while executing "for { set i 1 } { $i <= $hs_count } { incr i } { table delete -subtable "hs_rate:$flow" "[TCP::client_port]:$i" }"
Did incr set the variable if null in 10.x?
Anyone got any ideas, please?
Thanks
J
4 Replies
- nitass
Employee
I got the same error on both v10 and v11.
I think hs_count should be initialized in CLIENT_ACCEPTED.
11.2.1
[root@ve11a:Active:Changes Pending] config tmsh show sys version
Sys::Version
Main Package
Product BIG-IP
Version 11.2.1
Build 797.0
Edition Final
Date Thu Sep 20 09:35:47 PDT 2012
[root@ve11a:Active:Changes Pending] config tail -f /var/log/ltm
Nov 26 13:36:08 tmm err tmm[6316]: 01220001:3: TCL error: /Common/myrule - can't read "hs_count": no such variable (reading value of variable to increment) invoked from within "incr hs_count"
Nov 26 13:36:08 tmm err tmm[6316]: 01220001:3: TCL error: /Common/myrule - can't read "hs_count": no such variable while executing "for { set i 1 } { $i <= $hs_count } { incr i } { table delete -subtable "hs_rate:$flow" "[TCP::client_port]:$i" }"
10.2.4
[root@ve10:Active] config b version|grep -iA 1 version
BIG-IP Version 10.2.4 655.0
Hotfix HF4 Edition
[root@ve10:Active] config tail -f /var/log/ltm
Nov 26 13:41:59 local/tmm err tmm[7926]: 01220001:3: TCL error: myrule - can't read "hs_count": no such variable (reading value of variable to increment) invoked from within "incr hs_count"
Nov 26 13:41:59 local/tmm err tmm[7926]: 01220001:3: TCL error: myrule - can't read "hs_count": no such variable while executing "for { set i 1 } { $i <= $hs_count } { incr i } { table delete -subtable "hs_rate:$flow" "[TCP::client_port]:$i" }"
- Jnon
Nimbostratus
It is my understanding that you don't need an iRule for SSL renegotiation, but that you can disable it from the SSL profile.
- hoolio
Cirrostratus
Nice catch. I updated the Codeshare example to set hs_count to 0 in CLIENT_ACCEPTED.
J, the reason you'd want to use this iRule is if you needed to support renegotiation (secure or insecure) but want to limit how many times a client can attempt to renegotiate the session ID to mitigate a DoS attack.
Aaron
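An added minimal sketch of the fix Aaron describes (not the Codeshare iRule or his updated version): the counter is created in CLIENT_ACCEPTED so that `incr` never touches a variable that does not exist, and each completed handshake on the same TCP connection counts against a per-connection limit. The threshold name static::max_renegs, its value, and the assumption that CLIENTSSL_HANDSHAKE fires for every completed handshake including renegotiations are mine, not from the thread.

```tcl
# Added illustration, not the Codeshare rule. The "can't read hs_count:
# no such variable" error in this thread is TMM's Tcl refusing to incr a
# variable that was never set, so the counter must be created first.

when RULE_INIT {
    # Assumed threshold: handshakes allowed per TCP connection before reject.
    set static::max_renegs 5
}

when CLIENT_ACCEPTED {
    # Initialise once per connection; every later event can then incr safely.
    set hs_count 0
}

when CLIENTSSL_HANDSHAKE {
    # Assumed: this event fires on each completed handshake, so any count
    # above 1 on the same connection is a renegotiation.
    incr hs_count
    if { $hs_count > $static::max_renegs } {
        log local0. "SSL renegotiation limit ($static::max_renegs) exceeded by [IP::client_addr]:[TCP::client_port]"
        reject
    }
}
```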
- Jnon
Nimbostratus
Good to know. I have a few virtuals that do support it, so I've enabled it. I will look at adding the iRule to it. Thanks