F5 LTM/ASM, iRule to ignore query string to prevent DDoS attack.


Hello guys,

My environment: F5 LTM, ASM learning mode.

Webapp: Public-facing site with many pages, with a few search pages and filtering pages.

I see many people are hitting the site with unknown query strings and trying to flood the site.

Is there a way to remove all the query string parameters and redirect to the URL without the query string, like a URL redirect module?

I want to exclude some pages that allow content filtering using the query string.

Do we want to use an iRule to achieve this, or does the ASM/LTM module have a better solution? With iRules I'm sure I can achieve this, but I'm not sure if this is the best solution.

Frequently someone/bot/crawler is trying to hit the site to make the CPU run very high, like a DDoS kind of attack.

Any pointer is appreciated.




Hi Juna,
You could use this iRule:

 # Goes inside a when HTTP_REQUEST event: redirect unless the query string contains utm or gclid
 if {!([string tolower [HTTP::query]] contains "utm" || [string tolower [HTTP::query]] contains "gclid")} {
  HTTP::respond 302 Location ""
 }
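
A fuller version of the approach asked about in the question, as an added example that is not part of the original posts: it strips the query string with a redirect, but skips pages that need query strings and requests that have none. The excluded paths (`/search*`, `/products/filter*`) are hypothetical placeholders to be replaced with the site's own.

```tcl
# Added example, not code from the thread.
when HTTP_REQUEST {
    # No query string: nothing to strip. Without this check the redirect
    # target would match the rule again and the client would loop.
    if { [HTTP::query] eq "" } {
        return
    }

    # Only redirect safe methods; a 302 would discard a POST body.
    if { !([HTTP::method] eq "GET" || [HTTP::method] eq "HEAD") } {
        return
    }

    # Pages that legitimately use query strings for search and filtering.
    # Hypothetical paths (assumption): replace with the real ones.
    switch -glob -- [string tolower [HTTP::path]] {
        "/search*" -
        "/products/filter*" {
            return
        }
    }

    # Keep requests carrying the tracking parameters named in the reply above.
    set q [string tolower [HTTP::query]]
    if { ($q contains "utm") || ($q contains "gclid") } {
        return
    }

    # Everything else: send the client to the same path without the query.
    # A relative Location keeps the original scheme and host.
    HTTP::respond 302 Location [HTTP::path]
}
```

The redirect is answered by the BIG-IP itself, so requests with stripped query strings never reach the pool members until the client follows the clean URL.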

Hello @sunny123!

@KeesvandenBos has provided a viable iRule solution for a specific attack, but to continue answering the second part: yes! Advanced WAF has denial of service capabilities specifically to mitigate these types of attacks.

Here is a great video overview of how behavioral DoS can react to stress on your backend systems and mitigate aggressive requests.

There's an entire implementations guide, "Preventing DoS Attacks on Applications".

And well, because a lot of these types of requests are automated, F5's bot defense can help you identify and mitigate automated requests.