
iRule to mitigate HTTP de-sync attack

newf5learner
Nimbostratus

Hi Experts,

I'm here to seek some help in implementing an iRule that would search for HTTP requests that contain both of the headers (1. Transfer-Encoding, 2. Content-Length) and reset the connection for these requests. This is to mitigate the HTTP de-sync attack on the F5 units which have the ASM security policy in transparent mode. I tried the below, but it didn't work. Request your help.

 

when HTTP_REQUEST {
    if { [class match [HTTP::header "Content-length"] > 0 ] AND [HTTP::header "Transfer-encoding"] equals "chunked"} {
        reset
    }
}

 

I need to look at the HTTP requests which have the header Content-Length > 0 together with the header Transfer-Encoding set to chunked, drop these connections, and allow the rest of the requests through.

 

1 REPLY

Ivan_Chernenkii
F5 Employee

Hello,

Why can't you use the standard "HTTP Desync Attack Attempt" attack signature for it?

 

Thanks, Ivan
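An added example, not part of the original thread and not F5-supplied code: one way to write the iRule the question asks for, using the standard iRule commands `HTTP::header`, `log` and `reject`. It assumes that rejecting on the presence of both headers is acceptable (rather than testing Content-Length > 0) and matches "chunked" case-insensitively across repeated Transfer-Encoding headers, which goes slightly beyond the exact comparison in the question.

```tcl
when HTTP_REQUEST {
    # A request that carries both framing headers is ambiguous: the proxy and
    # the back end may disagree on where the body ends.
    if { [HTTP::header exists "Content-Length"] && [HTTP::header exists "Transfer-Encoding"] } {

        # Join every Transfer-Encoding instance and lower-case the result so
        # that "Chunked" or a repeated header is still matched.
        set te [string tolower [join [HTTP::header values "Transfer-Encoding"] ","]]
        set cl [string trim [HTTP::header value "Content-Length"]]

        if { $te contains "chunked" } {
            # Record the event before the connection is torn down.
            log local0.warning "CL+TE request rejected: client=[IP::client_addr] host=[HTTP::host] cl=$cl te=$te"

            # Reset the client connection; the request is not sent to the pool.
            reject
            return
        }
    }
}
```

The `HTTP_REQUEST` event only fires on a virtual server that has an HTTP profile attached, and all other requests pass through unchanged.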