Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

security vulnerability in security scanning: slow HTTP attacks

1qaz
Nimbostratus
Nimbostratus

‎03-Apr-2022 04:09

Hi, My company's F5 device has a security vulnerability in security scanning: slow HTTP attacks,I found that there is an irules on the askf5 website for Mitigating Slowloris DoS attacks(https://support.f5.com/csp/article/K10260😞

when CLIENT_ACCEPTED {
set rtimer 0
after 1000 {
if { not $rtimer} {
drop
}
}
}

when HTTP_REQUEST {
set rtimer 1
}

Note: This iRule may cause issues for legitimate users connecting over very slow links.

But I'm worried that legitimate users will have a slow connection due to network delay, which will lead to the problem of connection reset,So i wrote an irules. Can this irules effectively deal with security scanning and slow HTTP attacks?Thanks!

when CLIENT_ACCEPTED {
set id [after 1000 {
TCP::close
}]
}

when HTTP_REQUEST {
if {[info exists id]} {
after cancel $id
}
}

 

Labels:
0 Kudos
1 REPLY 1

Dario_Garrido
MVP
MVP

‎27-Apr-2022 01:18

Hello 1qaz.

I've not tested your iRule in my environment, but if you analyze the code, you will see that your logic approach is equivalent to the F5 proposal, so legitimate users over very slow links will have the same problem as with the other iRule.

This is the F5 iRule explained.

when CLIENT_ACCEPTED {
	# Set variable 'rtimer' to zero
	set rtimer 0
	# Run this next code after 1 second
	after 1000 {
		# if the connection is still zero (HTTP_REQUEST event didn't occur), drop the connection
		if { not $rtimer} {
			drop
		}
	}
}

when HTTP_REQUEST {
	# This query is legitime, so change 'rtimer' to one
	set rtimer 1
}

 

Regards,
Dario.
0 Kudos
Copyright © 2023 Khoros, LLC