Irule for DDOs Attacks!

Question

Hello,&nbsp;
I´m working with a client that is getting DD0s attacks from random IPs. We have some limitations with the Hardware as we only have an ASA and the F5 but no additional security modules, and no IPs for the FW. In the ASA I have limited the embryonic connections using TCP Intercept. &nbsp;
In the F5 i would like to write an irule to deny incoming connections containing the following string: UNION%20SELECT%20&nbsp;
During the attacks we were able to identify that all the IPs contain UNION%20SELECT%20 in the url. So I´m wondering if this could work:&nbsp;
/usr/libexec/bigpipe rule DDOs '{&nbsp;
when HTTP_REQUEST {&nbsp;
  if { [string tolower [HTTP::uri]] contains "UNION%20SELECT%20" } {&nbsp;
    log local0. "Rejecting [HTTP::uri] request"&nbsp;
    reject&nbsp;
  }&nbsp;
} &nbsp;
}'&nbsp;
1- I need this apply for all the VIPs, for all the incoming connections.
2. I know that we should have Security Modules or an IPs or NextGen Firewall, but unfortunatly we have limitations.
3. Any other suggestion is welcome, I really appreciate your help!&nbsp;

rico · Answer

Your iRule should work except for the fact that you are checking for an uppercase string in a lowercase string.
if { [string tolower [HTTP::uri]] contains "UNION%20SELECT%20" } {

Should be
if { [string tolower [HTTP::uri]] contains "union%20select%20" } {

Here is some additional information on how to help mitigate DDoS attacks with the LTM module.
F5 also has their Silverline product which could help. I figured I would mention it though I understand that the client may have restrictions.

dylan_375544 · Answer

The one issue I see is that you have "UNION%20SELECT%20" as what you are searching for.&nbsp;
But you also have "stringtolower" which would change the URI to all lowercase, and therefore "UNION%20SELECT%20" would never actually show up since it is in CAPS.&nbsp;
Change that to "union%20select%20"&nbsp;
Hope that helps! If it does please up-vote and select this answer, it'd be greatly appreciated!&nbsp;
-Dylan&nbsp;

dylan_375544 · Answer

I got beat to the punch! :D&nbsp;

rico · Answer

Get out of here Dylan. This is my turf!&nbsp;

dylan_375544 · Answer

Your answer is more thorough. ;)&nbsp;

Forum Discussion

Irule for DDOs Attacks!

6 Replies

Recent Discussions

F5Access | MacOS Sonoma

Active- Active HA setup

syslog server connection

Cannot see floating MAC address outside of ESXi

Rewrite uri translation not working

Related Content

DDoS Attack Trends for 2021

Real Attack Stories: Bank Gets DDoS Attacked

DDoS attacks, CVSS 4.0 and Malware - Nov 6th to Nov 12th, 2023 F5 SIRT This Week in Security

Scrubbing away DDoS attacks

Real Attack Stories: DDoS Against Email Provider