03-Apr-2022 04:09
Hi, my company's F5 device has a security vulnerability reported by security scanning: slow HTTP attacks. I found that there is an iRule on the AskF5 website for mitigating Slowloris DoS attacks (https://support.f5.com/csp/article/K10260):
when CLIENT_ACCEPTED {
    set rtimer 0
    after 1000 {
        if { not $rtimer } {
            drop
        }
    }
}
when HTTP_REQUEST {
    set rtimer 1
}
Note: This iRule may cause issues for legitimate users connecting over very slow links.
But I'm worried that legitimate users will have a slow connection due to network delay, which will lead to the problem of connection resets, so I wrote an iRule. Can this iRule effectively deal with security scanning and slow HTTP attacks? Thanks!
when CLIENT_ACCEPTED {
    # Schedule a close of the TCP connection 1 second from now and keep the timer id
    set id [after 1000 {
        TCP::close
    }]
}
when HTTP_REQUEST {
    # A complete request header arrived, so cancel the pending close
    if { [info exists id] } {
        after cancel $id
    }
}
27-Apr-2022 01:18
Hello 1qaz.
I've not tested your iRule in my environment, but if you analyze the code, you will see that your logic approach is equivalent to the F5 proposal, so legitimate users over very slow links will have the same problem as with the other iRule.
This is the F5 iRule, explained:
when CLIENT_ACCEPTED {
    # Set variable 'rtimer' to zero
    set rtimer 0
    # Run this next code after 1 second
    after 1000 {
        # if 'rtimer' is still zero (the HTTP_REQUEST event didn't occur), drop the connection
        if { not $rtimer } {
            drop
        }
    }
}
when HTTP_REQUEST {
    # This request is legitimate, so change 'rtimer' to one
    set rtimer 1
}
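The following is an added example, not code from either poster or from the AskF5 article. It keeps the same per-connection timer pattern as the two iRules above, but moves the timeout into a static variable set in RULE_INIT and logs the client address before dropping, with an optional log-only mode. Running it in log-only mode first lets an operator count how many legitimate slow clients would be affected by a given timeout before enforcing it. The names static::slow_hdr_timeout_ms, static::slow_hdr_log_only and hdr_timer are assumptions chosen for this example.

```tcl
when RULE_INIT {
    # Assumed tunables (not from the original posts): how long a client may take
    # to deliver a complete request header, and whether to only log instead of drop.
    set static::slow_hdr_timeout_ms 5000
    set static::slow_hdr_log_only 1
}

when CLIENT_ACCEPTED {
    # Arm a one-shot timer for this connection and remember its id so that
    # HTTP_REQUEST can cancel it once a complete request header has arrived.
    set hdr_timer [after $static::slow_hdr_timeout_ms {
        # Timer fired: no complete HTTP request was parsed within the window.
        log local0. "Slow request header from [IP::client_addr]:[TCP::client_port]: no complete request in $static::slow_hdr_timeout_ms ms"
        if { !$static::slow_hdr_log_only } {
            drop
        }
    }]
}

when HTTP_REQUEST {
    # The full request header was parsed in time, so disarm the timer.
    # On later keep-alive requests the variable no longer exists, so nothing is done.
    if { [info exists hdr_timer] } {
        after cancel $hdr_timer
        unset hdr_timer
    }
}
```

With static::slow_hdr_log_only set to 1 the rule only records which clients exceed the window; once the log shows an acceptable rate for real users at the chosen timeout, set it to 0 to enforce the drop.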