My Buddy Byron: Security iRules

So, I was having lunch with my buddy Byron, who is a fantabulous Sales Engineer here at F5. I know, the word sales sends shivers down my spine too, but trust me, he’s a sharp engineer. We do what most co-workers do at lunch: complain about the weather, the Seahawks, and of course… work. I forget how we got on the topic, but somehow we ended up in a rousing discussion around iRules and their usefulness. Both of us had gotten multiple requests along the lines of “Hey, what can iRules do to make me safer?” Luckily for us, Byron, being the driven guy he is, took the time to create a fact sheet completely around security iRules.

(Disclaimer: This has been slightly modified from original content)

Fact Sheet: Security iRules

The iRule                            The Solution
Transparent Web App Bot Protection   Block illegitimate requests from automated bots that bombard a contact form
Distributed Apache Killer            Deny application requests that cause a web server Denial of Service (DoS)
DNS Blackhole with iRules            Prevent employees from accessing known bad websites at the DNS level
Thwart Dictionary Attacks            Restrict excessive login attempts using the exponential backoff algorithm
SSL Renegotiation DoS Attack         Drop connections that renegotiate SSL sessions more than 5 times a minute

So, what you have here are five iRules that, in five minutes, can help improve your security posture.

 

Transparent Web Application Bot Protection:

This iRule is a rather cool alternative to CAPTCHAs that can work well in some situations. It also includes an admin interface iRule. That’s pretty shiny.

 

Distributed Apache Killer:

We security folks are so lucky. It seems like every other month or so, another “Killer” comes out. LOIC, HOIC, D-A-K (Distributed Apache Killer), all as deadly as a Drink Delivering Dalek.

DNS Blackhole:

DNS is all the rage on the interwebs. Dan Kaminsky has consistently preached on the importance of DNS (much tech love/thanks to Dan for his work), and rightfully so. The DNS blackhole iRule allows an admin to intercept DNS requests for blocked names and answer them with the address of a host that serves a DNS blocking page, instead of the real address. Great applications: known malware sites, HR policy blocks, and of course World of Warcraft. Keep in mind that it doesn’t stop users from surfing directly by IP, and it only helps for clients that actually resolve through the BIG-IP.
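To make the blackhole idea concrete, here is an added example iRule of my own (it is not Byron’s fact-sheet iRule and not F5’s published one). It assumes a DNS listener with a DNS profile that permits DNS iRules, a constructed blocklist in a static list, and a hypothetical sinkhole host at 10.0.0.53 that serves the blocking page:

```tcl
# Added example, not from the fact sheet: DNS blackhole iRule.
# Assumptions: DNS listener with DNS iRule support; 10.0.0.53 is a sinkhole
# web server that shows the "this site is blocked" page; the blocklist below
# is constructed for the example (use a data group in production).
when RULE_INIT {
    set static::sinkhole "10.0.0.53"
    set static::blocked  [list "malware.example" "worldofwarcraft.example"]
}

when DNS_REQUEST {
    # Normalise the queried name: lower case, no trailing dot.
    set qname [string tolower [string trimright [DNS::question name] "."]]

    # Match the name itself or any subdomain of a blocked entry.
    set hit 0
    foreach d $static::blocked {
        if { $qname eq $d || [string match "*.$d" $qname] } {
            set hit 1
            break
        }
    }

    if { $hit } {
        log local0. "DNS blackhole: [IP::client_addr] asked for $qname"
        if { [DNS::question type] eq "A" } {
            # Answer the A query ourselves with the sinkhole address.
            DNS::answer insert "$qname. 60 IN A $static::sinkhole"
        }
        # Return the (possibly empty) answer now; the query never reaches
        # the real resolvers, so other record types get a NOERROR/no-data reply.
        DNS::return
    }
}
```

Two practitioner notes: keep the TTL short (60 seconds here) so unblocking takes effect quickly, and remember that this only catches names resolved through this listener; a user who hard-codes the IP or uses another resolver walks straight past it, which is the caveat above.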

 

Thwart Dictionary Attacks:

Brute force: it’s a brutal use of force to attempt to log in. The attacker simply tries to log in with every potential password a user might choose. Given enough time and cycles, they will succeed. So, what do we do? Limit a user to 3 attempts before locking them out for 5 minutes? That could work, but let’s look at a more elegant weapon, for a more civilized age.

The exponential backoff algorithm determines how long a user is locked out based on the number of failed login attempts within a window. Each additional failure doubles the lockout, so a legitimate user who fat-fingers a password twice waits a few seconds, while a dictionary attack that needs thousands of guesses stalls almost immediately.
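Here is the backoff written out as an added example iRule of my own (again, not the fact-sheet iRule). It assumes the login form POSTs to /login, that the application answers a failed login with HTTP 401 and a successful one with any status below 400, and it keys the failure count on client IP using the session table:

```tcl
# Added example, not from the fact sheet: exponential backoff on failed logins.
# Assumptions: login form POSTs to /login; the app returns 401 on a bad password
# and a 2xx/3xx on success; failures are tracked per client IP.
when RULE_INIT {
    set static::login_path   "/login"   ;# assumed login URI
    set static::fail_window  300        ;# seconds a failure stays counted
    set static::base_lockout 1          ;# seconds of lockout after the first failure
    set static::max_lockout  3600       ;# cap on the doubling
}

when HTTP_REQUEST {
    set login_attempt 0
    if { [HTTP::path] eq $static::login_path && [HTTP::method] eq "POST" } {
        set client  [IP::client_addr]
        set lockout [table lookup -subtable lockouts $client]
        if { $lockout ne "" } {
            # Still locked out: answer from the BIG-IP, nothing reaches the pool.
            HTTP::respond 429 content "Too many failed logins, try again later." \
                "Retry-After" $lockout "Content-Type" "text/plain"
            return
        }
        set login_attempt 1
    }
}

when HTTP_RESPONSE {
    if { ![info exists login_attempt] || !$login_attempt } { return }
    set client [IP::client_addr]

    if { [HTTP::status] == 401 } {
        # Count the failure; the counter expires fail_window seconds after the last one.
        set fails [table incr -subtable failures $client]
        table timeout -subtable failures $client $static::fail_window

        # Exponential backoff: base * 2^(fails-1), capped at max_lockout.
        # The shift is skipped for large counts to stay clear of 32-bit overflow.
        if { $fails >= 20 } {
            set lockout $static::max_lockout
        } else {
            set lockout [expr { $static::base_lockout * (1 << ($fails - 1)) }]
            if { $lockout > $static::max_lockout } { set lockout $static::max_lockout }
        }

        # Value = lockout seconds (reused as Retry-After); lifetime = lockout, so
        # the entry expires at a fixed time no matter how often the client retries.
        table set -subtable lockouts $client $lockout indefinite $lockout
        log local0. "login failure $fails from $client, locked out for $lockout s"
    } elseif { [HTTP::status] < 400 } {
        # Successful login wipes the failure history for this client.
        table delete -subtable failures $client
    }
}
```

With base 1 second the schedule runs 1, 2, 4, 8, 16, 32… seconds, so ten consecutive failures cost a bit over eight minutes of waiting while a real user barely notices the first couple. Keying on client IP is the simple choice; behind a NAT or proxy it punishes everyone sharing that address, and an attacker spread across many sources gets a fresh counter per source, so in practice you may want to key on the username (which means collecting the POST body) or both.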

 

SSL renegotiation DoS attack:

Ah, the classics. SSL renegotiation was quite in fashion until it was shown that a single system can DoS a server with ease, because a renegotiation costs the server far more processing than it costs the client. While the F5 was a tougher nut to crack than a standard server, we wanted to get a mitigation out quickly, just in case.
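The fact-sheet rule is “more than 5 renegotiations a minute and you’re gone”. Here is an added example iRule of my own that does exactly that (not the fact-sheet or F5-published iRule). It assumes a virtual server with a client SSL profile, treats the first CLIENTSSL_HANDSHAKE on a connection as the initial handshake and every later one as a renegotiation, and keeps the timestamps in a per-connection variable so nothing touches the shared session table:

```tcl
# Added example, not from the fact sheet: drop clients that renegotiate SSL
# more than max_renegs times inside reneg_window seconds on one connection.
# Assumes a clientssl profile on the virtual server.
when RULE_INIT {
    set static::max_renegs   5    ;# renegotiations allowed per window
    set static::reneg_window 60   ;# seconds
}

when CLIENT_ACCEPTED {
    # Per-connection list of handshake times (seconds since epoch).
    set handshakes [list]
}

when CLIENTSSL_HANDSHAKE {
    set now [clock seconds]
    lappend handshakes $now

    # Slide the window: keep only handshakes younger than reneg_window.
    set recent [list]
    foreach t $handshakes {
        if { $now - $t < $static::reneg_window } { lappend recent $t }
    }
    set handshakes $recent

    # First handshake is the initial one; everything after it is a renegotiation.
    set renegs [expr { [llength $handshakes] - 1 }]
    if { $renegs > $static::max_renegs } {
        log local0. "SSL renegotiation flood: $renegs in ${static::reneg_window}s from [IP::client_addr]"
        reject
    }
}
```

This is per connection, which is what the original attack looks like (one TCP session, renegotiate in a loop). If you don’t actually need client-initiated renegotiation, the cleaner fix is to turn it off in the client SSL profile and keep an iRule like this only for the profiles where you must allow it.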

 

I want to thank Byron for his great work on putting the document together! Have a great day all.

 

Me and Byron at Lunch

 
Published Sep 06, 2012
Version 1.0