F5 LTM/ASM , I-rule to ignore query string to prevent DDOS attack.

sunny123 · ‎27-Mar-2023

Hello guys,

My environment : F5 ltm, ASM learning mode.

Webapp: Public facing site with many pages with few search pages and filtering pages.

I see many people are hitting the site with unknow query string and trying to flood the site.

Is there a way to remove all the query string parameters and redirect to the url with out query string like url redirect module.

I want to exclude some pages that allow content filtering like using query string .

Do we want to use Irule to achieve this or ASM/LTM module has a better solution. I rules sure I can achieve this, but not sure if this is the best solutions.

Frequently someone/bot/crawler is trying to hit to make the CPU run very high like a DDOS kind of attack.

Any pointer is appreciated.

Regards

Janu

KeesvandenBos · ‎28-Mar-2023

Hi Juna,
You could use this irule:

when HTTP_REQUEST {
 if {!([string tolower [HTTP::query]] contains "utm" || [string tolower [HTTP::query]] contains "gclid")} {
  HTTP::respond 302 Location "http://www.domain.org"
}

Brandon_ · ‎30-Mar-2023

Hello @sunny123!

@KeesvandenBos has provided a viable iRule solution, for a specific attack but to continue answering the second part; yes! Advanced WAF has denial of service capabilities specifically to mitigate these types of attacks.

Here is a great video overview of how behavioral DoS can react to stress on your backend systems and mitigate aggressive requests.

https://www.youtube.com/watch?v=uLhJNoEMsqA

There's an entire implementations guide "Preventing DoS Attacks on Applications"

https://techdocs.f5.com/en-us/bigip-16-1-0/big-ip-asm-implementations/preventing-dos-attacks-on-appl...

And well, because a lot of these types of requests are automated, F5's bot defense can help you identify and mitgate automated requests.

HTH

-Brandon

DevCentral

F5 LTM/ASM , I-rule to ignore query string to prevent DDOS attack.

Khoros Kudos Award 2022