Forum Discussion

Klaus_Gerthein1's avatar
Klaus_Gerthein1
Icon for Nimbostratus rankNimbostratus
Oct 31, 2011

THC SSL DOS , iRule to limit the connection from one client ip in 60 second interval

Hello,
 i read the articel "F5 Friday Mitigating the THC SSL Dos Attack".
 I'm running version 10.2.2 + Hotfix-3, so all my ssl virtual server
 will drop SSL renegotiation requests.
 So I had a look at the side http://www.thc.org/thc-ssl-dos/ and found this comment:------< schnipp >-----2011-OCT-25 PRIVATE RELEASE:
People are asking us about the private release that works against servers
that do not support SSL renegotiation. We will not release it.
Meanwhile the good news is that openssl can be used to perform the same attack
It's not as elegant as the private thc-ssl-dos but works quite well indeed.
2 simple commands in bash:
-----BASH SCRIPT BEGIN-----
thc-ssl-dosit() { while :; do (while :; do echo R; done) | openssl s_client -connect 127.0.0.1:443 2>/dev/null; done }
for x in `seq 1 100`; do thc-ssl-dosit & done
-----BASH SCRIPT END-------
------< schnapp >-----
 Is there an iRule available to limit the connection from one client ip-address
 in 60 second interval, for example 10 tcp connections per 60 seconds?
 The connection information about the client ip address must shared among all tmm process.
 Will an iRule solution work with systems running more then one tmm process,
 for example a BIG-IP 3900 with 4 tmm processes?
 If the iRule is added to three virtual server, will the stored client ip-address information
 be stored for each virtual server or will all three virtual server share the client
 ip-address information?
Kind regards
Klaus
application delivery
dev
devops
iRules
  • Michael_Yates's avatar
    Michael_Yates
    Icon for Nimbostratus rankNimbostratus
    Oct 31, 2011
    Hi Klaus,

     

     

    Take a look at this article:

     

    iRule::ology; Connection Limiting Take 2

     

     

    Question: Is there an iRule available to limit the connection from one client ip-address in 60 second interval, for example 10 tcp connections per 60 seconds?

     

    Answer: Yes. The iRule in the article above can do it using the Table Command.

     

     

    Question: The connection information about the client ip address must shared among all tmm process. Will an iRule solution work with systems running more then one tmm process,

     

    for example a BIG-IP 3900 with 4 tmm processes?

     

    Answer: Yes. The Table is not only available across TMM's, but across BIP-IP's in an HA Pair. You can read more about it here The Table Command

     

     

    Question: If the iRule is added to three virtual server, will the stored client ip-address information be stored for each virtual server or will all three virtual server share the client

     

    ip-address information?

     

    Answer: In the article example, it would holistic to the BIG-IP because of the variable name. If you wanted it to be specific per Virtual Server you could create different instances of the iRule and change the variable names that are stored in the table.

     

     

    Hope this helps.

     

  • Klaus_Gerthein1's avatar
    Klaus_Gerthein1
    Icon for Nimbostratus rankNimbostratus
    Nov 02, 2011
    Hello Michael,

     

     

    great article,this solves my problem.

     

    Thanks for your help.

     

     

    Kind regards

     

    Klaus