For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Mitigating Slow HTTP Post DDoS Attacks With iRules

This past week researchers demonstrated a new HTTP DDoS attack in which a slow POST request will result in leaving a connection open longer than necessary. The heart of the attack relies on sending a...
Published Nov 05, 2010
Version 1.0
adn
application delivery
BIG-IP
ddos
dev
devops
iRules
news
security
tech tip
George_Watkins_'s avatar
George_Watkins_
Historic F5 Account
Jul 28, 2011
Hi cweeklund,

 

 

Add a log statement before the TCP::close action. Something like this should work:

 

 

log local0. "Slow post detected from [IP::addr]. Connection closed."