In my [previous post], I mentioned the Slowread addition to the slowHttptest suite.  After a quick source code mode, I was able to make it a nice little full on DoS tester. Luckily, it looks like the F5 devices have a built defense for it:


Under Local Traffic –> Profiles –> Protocol –> Tcp




Zero Window Timeout

Specifies the length of time that the TCP connection can receive zero-length window probes before the system closes the connection. The timer starts when an effective window size becomes zero, and stops when the window size becomes greater than zero. If the timer elapses, the connection is terminated. This setting is useful for handling slow clients with small buffers, such as cell phones. The default is 20000 milliseconds.


To make sure it worked as I thought it did, I figured I'd create a quick test virtual setup. This is a simple config, LTM VIP to a single pool member.

Seeing is believing:




Being that the slowread appears to keep the tcp connection open with windowprobe acks, adjusting that setting should help limit the potential vuln. The default is 20 seconds, which seems quite adequate. If you want to tighten a bit more, cut in in half to 10 seconds. (shouldn't affect most normal networks, but if you're a cell network, think a bit more about it). As always, mileage may vary.