Forum Discussion
Colin_Walker_12
May 17, 2011 (Historic F5 Account)
There's an iRule that's most of the way there posted out on DevCentral already in David Holmes' blog about SSL Renegotiation (http://devcentral.f5.com/weblogs/david/archive/2011/05/16/ssl-renegotiation-dos-irule-updates.aspx):
when RULE_INIT {
    # Maximum SSL handshakes allowed per connection within the window
    set static::maxquery 5
    # Window length in milliseconds (60 seconds)
    set static::mseconds 60000
}
when CLIENT_ACCEPTED {
    # Per-connection handshake counter, reset for every new TCP connection
    set ssl_hs_reqs 0
}
when CLIENTSSL_HANDSHAKE {
    incr ssl_hs_reqs
    # Each handshake counts for one window: schedule its own decrement
    after $static::mseconds { if { $ssl_hs_reqs > 0 } { incr ssl_hs_reqs -1 } }
    if { $ssl_hs_reqs > $static::maxquery } {
        # Stall the offending connection for 5 seconds, then log and drop it
        after 5000
        log "Handshake attack detected, dropping [IP::client_addr]:[TCP::client_port]"
        drop
    }
}
That could very easily be modified to fit your needs I think. It's already tracking how many handshakes there are in a given time period, you'd just need to modify the behavior and parameters a bit.
Colin
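As an added example (not part of Colin's post or of the DevCentral iRule), here is a small Python model of the per-connection counting the iRule performs: every handshake increments a counter and schedules its own decrement one window later, which is the same as counting the handshakes whose timestamps still fall inside the window. The class name, the `simulate` helper and the sample timestamps are constructed for this illustration.

```python
from collections import deque

# Parameters mirror the iRule's static::maxquery and static::mseconds.
MAX_HANDSHAKES = 5      # static::maxquery
WINDOW_MS = 60_000      # static::mseconds


class HandshakeRateTracker:
    """Per-connection handshake counter modelled on the iRule logic.

    The iRule does 'incr ssl_hs_reqs' on every CLIENTSSL_HANDSHAKE and
    schedules 'incr ssl_hs_reqs -1' static::mseconds later, so each
    handshake counts for exactly one window. Keeping the timestamps of
    handshakes seen in the last window_ms milliseconds is equivalent.
    """

    def __init__(self, max_handshakes=MAX_HANDSHAKES, window_ms=WINDOW_MS):
        self.max_handshakes = max_handshakes
        self.window_ms = window_ms
        self._seen = deque()  # timestamps (ms) of handshakes still in the window

    def _expire(self, now_ms):
        # Equivalent of the scheduled decrement firing for old handshakes.
        while self._seen and now_ms - self._seen[0] >= self.window_ms:
            self._seen.popleft()

    def count(self, now_ms):
        """Current value of the counter at time now_ms."""
        self._expire(now_ms)
        return len(self._seen)

    def handshake(self, now_ms):
        """Record a handshake at now_ms. Returns True when the connection
        exceeds max_handshakes within the window (the iRule would drop it)."""
        self._expire(now_ms)
        self._seen.append(now_ms)
        return len(self._seen) > self.max_handshakes


def simulate(timestamps_ms, **kw):
    """Feed a sequence of handshake timestamps (constructed sample input)
    through a fresh tracker. Returns the index of the first handshake that
    trips the limit, or None if the connection never exceeds it."""
    tracker = HandshakeRateTracker(**kw)
    for i, ts in enumerate(timestamps_ms):
        if tracker.handshake(ts):
            return i
    return None


if __name__ == "__main__":
    # Constructed sample: a client renegotiating every 200 ms trips on the
    # 6th handshake; one renegotiating every 30 s never does.
    print(simulate([i * 200 for i in range(10)]))      # 5
    print(simulate([i * 30_000 for i in range(10)]))   # None
```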