security vulnerability in security scanning: slow HTTP attacks

1qaz · ‎03-Apr-2022

Hi, My company's F5 device has a security vulnerability in security scanning: slow HTTP attacks,I found that there is an irules on the askf5 website for Mitigating Slowloris DoS attacks(https://support.f5.com/csp/article/K10260😞

when CLIENT_ACCEPTED {
set rtimer 0
after 1000 {
if { not $rtimer} {
drop
}
}
}

when HTTP_REQUEST {
set rtimer 1
}

Note: This iRule may cause issues for legitimate users connecting over very slow links.

But I'm worried that legitimate users will have a slow connection due to network delay, which will lead to the problem of connection reset,So i wrote an irules. Can this irules effectively deal with security scanning and slow HTTP attacks?Thanks!

when CLIENT_ACCEPTED {
set id [after 1000 {
TCP::close
}]
}

when HTTP_REQUEST {
if {[info exists id]} {
after cancel $id
}
}

Dario_Garrido · ‎27-Apr-2022

Hello 1qaz.

I've not tested your iRule in my environment, but if you analyze the code, you will see that your logic approach is equivalent to the F5 proposal, so legitimate users over very slow links will have the same problem as with the other iRule.

This is the F5 iRule explained.

when CLIENT_ACCEPTED {
	# Set variable 'rtimer' to zero
	set rtimer 0
	# Run this next code after 1 second
	after 1000 {
		# if the connection is still zero (HTTP_REQUEST event didn't occur), drop the connection
		if { not $rtimer} {
			drop
		}
	}
}

when HTTP_REQUEST {
	# This query is legitime, so change 'rtimer' to one
	set rtimer 1
}

Regards,
Dario.

DevCentral

security vulnerability in security scanning: slow HTTP attacks

Register For AppWorld 2024

F5 Receives Six Trust Radius
Best of 2023 Awards

F5 XC WAF

F5 BIG-IP

DevCentral

security vulnerability in security scanning: slow HTTP attacks

Register For AppWorld 2024

F5 Receives Six Trust Radius Best of 2023 Awards

F5 XC WAF

F5 BIG-IP

F5 Receives Six Trust Radius
Best of 2023 Awards