Security iRules

Ever wonder what iRules have to do with security? Check out these iRules!

Enhance Protection from Targeted Attacks

HashDos Defender – This iRule guards against hash collision “HashDoS” attacks delivered through HTTP POST parameters. By enabling F5® BIG-IP® solutions to limit the POST size and the number of POST variables, the attack is stopped before it reaches the backend servers, preventing servers from getting overwhelmed and thereby protecting the application. Please see this blog post for more information.

SSL Renegotiation DoS Countermeasure – This simple iRule enables BIG-IP solutions to mitigate SSL renegotiation DoS attacks. Without it, all web servers that support SSL/TLS are potentially susceptible to an asymmetric attack where a small number of malicious clients can take down a server. Please see this blog post for more information.

Phishing Protection – This iRule helps mitigate phishing and scraping attempts by identifying suspicious requests from an unknown referrer and either blocking them outright or injecting code into the HTTP response to restrict their ability to duplicate an organization’s site content.

Control Access to Valuable IT Resources

Controlling Bots – If left unchecked, bots can generate a critical mass of requests and support a number of attack types targeting an organization’s website. This iRule can be used to assign bots to a specific pool, throttle bot requests, introduce an artificial delay for bot requests, or simply block them completely.

HTTP Request Throttling – By design, web servers have limited CPU and memory resources. Servicing all requests on a first-come, first-served basis can open the door for attackers seeking to occupy all available system resources with specially crafted requests. By detecting the nature of specific requests, an IT administrator using this iRule can slow the rate of particular request types and identify malicious actors.

Client Blocking Using IP Intelligence – With this iRule, BIG-IP solutions can automatically connect to an IP reputation database every five minutes to update a reference list of bad IP addresses, helping keep the latest known offenders at bay.

Safeguard Sensitive Information

Credit Card Tokenization – Many organizations employ a tokenization process to protect confidential information such as credit card details. This iRule bolsters security capabilities by sitting in front of a secure web application and using sideband connections to a second virtual server that processes requests to and from the tokenization service.

Data Loss Prevention – This iRule helps organizations limit the chance of data leakage by configuring a “Regular Expression” matching technique that can recognize and remove certain types of information (credit card numbers, etc.) from server responses.

Improve DNS Security

DNS Blackholing iRules – These iRules can be used to (1) protect outgoing web browsers from harmful sites, (2) protect network resources from certain DNS users or subnets, and (3) protect DNS infrastructures from certain source addresses. These capabilities can be used to prevent internal users from accessing harmful sites, direct users requesting certain hostnames to alternate servers for access control, and implement other provisions to enhance DNS security.

Want to know more?

Check out the iRules 101 series here

Published May 01, 2015
Version 1.0
