27-Mar-2023 21:47
Hello guys,
My environment: F5 LTM, ASM in learning mode.
Webapp: Public-facing site with many pages, including a few search pages and filtering pages.
I see many people are hitting the site with unknown query strings and trying to flood the site.
Is there a way to remove all the query string parameters and redirect to the URL without the query string, like a URL redirect module?
I want to exclude some pages that allow content filtering using the query string.
Do we want to use an iRule to achieve this, or does the ASM/LTM module have a better solution? With iRules I'm sure I can achieve this, but I'm not sure if this is the best solution.
Frequently someone/bot/crawler is trying to hit the site to make the CPU run very high, like a DDoS kind of attack.
Any pointer is appreciated.
Regards
Janu
28-Mar-2023 00:18
Hi Janu,
You could use this iRule:
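when HTTP_REQUEST {
    # Skip requests with no query string so the redirect target is not redirected again;
    # otherwise redirect any query string that carries neither "utm" nor "gclid".
    if { [HTTP::query] ne "" && !([string tolower [HTTP::query]] contains "utm" || [string tolower [HTTP::query]] contains "gclid") } {
        HTTP::respond 302 Location "http://www.domain.org"
    }
}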
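The behaviour asked for in the question (drop the query string and redirect to the same URL, except on pages that filter by query string), as an added example that is not part of either post. The exempt paths `/search` and `/products/filter` are assumed placeholders for the site's real search and filtering pages.

```tcl
when HTTP_REQUEST {
    # No query string: nothing to strip. This guard also prevents a redirect loop.
    if { [HTTP::query] eq "" } { return }

    # Pages that legitimately take query strings (assumed paths, adjust to the site).
    switch -glob -- [string tolower [HTTP::path]] {
        "/search*" -
        "/products/filter*" {
            return
        }
    }

    # Collapse leading slashes so a path such as "//other.example/" cannot turn
    # the relative Location below into a protocol-relative (off-site) redirect.
    set clean_path "/[string trimleft [HTTP::path] /]"

    # Answer from the BIG-IP itself; the pool member never sees the request.
    HTTP::respond 302 Location $clean_path
}
```

Every request with a query string still costs one redirect response on the BIG-IP, so this removes the backend load but does not rate-limit the client.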
30-Mar-2023 16:21
Hello @sunny123!
@KeesvandenBos has provided a viable iRule solution for a specific attack, but to continue answering the second part: yes! Advanced WAF has denial of service capabilities specifically to mitigate these types of attacks.
Here is a great video overview of how behavioral DoS can react to stress on your backend systems and mitigate aggressive requests.
https://www.youtube.com/watch?v=uLhJNoEMsqA
There's an entire implementations guide, "Preventing DoS Attacks on Applications".
And well, because a lot of these types of requests are automated, F5's bot defense can help you identify and mitigate automated requests.
HTH
-Brandon