Tourniquet iRule to detect, BLOCK, log, and count CVE-2016-9244 "Ticketbleed" attacks
Problem this snippet solves:
This iApp installs the Tourniquet iRule
which will detect, block, log, and count attempts to exploit CVE-2016-9244 "Ticketbleed". Attach the Tourniquet iRule to any TCP+TLS or UDP+DTLS virtual server with a Client SSL Profile. (The iRule works on BIG-IP TMOS v11.0 and above.)
The Tourniquet iRule logs the source IP address and geolocation of each possible attack and counts attacks (per-virtual-server) using iStats.
The Tourniquet iRule is for anyone (such as a honeypot operator) who wants to log the sources of Ticketbleed attacks and for BIG-IP users who want to utilize RFC-5077 TLS Session Tickets while still running vulnerable (older) versions of BIG-IP TMOS (by blocking Ticketbleed attacks, the Tourniquet iRule makes it safe to enable Session Tickets).
NOTE: The best way to avoid the CVE-2016-9244 Ticketbleed vulnerability is to upgrade BIG-IP TMOS to a non-vulnerable version. See F5 Solution Note K05121675. The second-best way (imposing a modest performance cost) is to disable Session Tickets in your Client SSL Profile(s).
The performance cost of the Tourniquet iRule is very small unless an attacker tries to flood your BIG-IP with Ticketbleed attacks. In that case, the Tourniquet iRule will at least help you track the attacker down.
The Tourniquet iRule blocks Ticketbleed attacks on vulnerable versions of BIG-IP TMOS. It also has an option to log Ticketbleed attacks then allow them to proceed, if you really want to do that.
How to use this snippet:
file (below). Extract (unzip) the
file. In the BIG-IP Management GUI, navigate to iApps / Templates. Click Import, browse to select the template file, then click Upload. Navigate to iApps / Application Services. Click Create, then enter a unique name (for example,
) and select the template
. Click Finished.
The Tourniquet iRule
will be created (in an Application folder, for example as
). You may then navigate to Local Traffic / Virtual Servers, edit your virtual servers that have Client SSL Profiles, and add the Tourniquet iRule to each virtual server in the iRules section of the Resources tab.
(If you really want to allow Ticketbleed attacks for some reason (making your BIG-IP insecure!), you can change the relevant setting in the iApp then click Finished to update the iRule.)