Custom dynamic signature

Question

Hello,We have a problem with a few clients that, from time to time, spamming us with specific parameter in the body.&nbsp;For example, regular traffic is 10 TPS of parameter ABC, and sometimes those requests could be X100 more.I'm looking for a mechanism to mitigate those problematic requests when they occur.Is it possible to use the BADoS tool with a dynamic custom signature option?When some of the clients are spamming us by IP with parameter Y in the body, enforce the dynamic signature (automatic or manually)This should allow me to block only the spam amount of the requests with this parameter from a specific IP and to not affect other clients' legitimate requests.But I can see only an option for 'Headers' in dynamic custom signature configurations.Is there an option to check the body?Is there any other solution that can match my problem? iRule?I appreciate your help!

jeffrey_granier · Answer

Hi Max,
An iRule can help with this.&nbsp; I found some irule constructs from another article that should be able to be re-used with some additions (check the last two irule snippets ---&gt;&nbsp;iRule for rate limiting. - DevCentral (f5.com)
If your looking to key off body request you can also leverage the&nbsp;HTTP_REQUEST_DATA (f5.com)&nbsp;&amp;&nbsp;HTTP::payload (f5.com)&nbsp;within the snippets from the irule examples in the above article.&nbsp; Hope this helps

maxmedov · Answer

Hi&nbsp;Jeffrey_Granier,&nbsp;I Think iRule is not the best option because it will require decrypting all requests and searching in the body for this parameter; it could load the device.Also, the iRule will work for all the clients and block false requests from valid users (who are not spamming)I thought it was possible to do it by BADoS.Or I wrong?

jeffrey_granier · Answer

HI Max,
Yes using&nbsp;BADoS should be your first line of defense, the abnormal traffic pattern that deviates from the baseline should generate the dynamic signature. Do you have any that show up , could you post a snippet?&nbsp; Irules would be last option if this cannot be configured using the detected dynamic signatures.

maxmedov · Answer

Hi,&nbsp;Jeffrey_Granier. I'll&nbsp;do the test of the BADoS today and will update you.For how long is it recommended to learn the traffic before the attack (for the baseline), and for how long do I need to run the attack (Spam of this parameter)Also, should it be blocked by the source IP and not affect the other clients that sent that parameter too, right?

maxmedov · Answer

Jeffrey_Granier&nbsp;I've tried to reproduce it today but without success.I send for about half hour from one client IP requests with this parameter - about 4TPSand after that, spam with another client IP for about 30-40 TPS for another half hour with this parameterBADoS has not recognized this as an anomaly; I'm not sure why...From the documentation, it should detect anomalies of high volume unpredictable traffic and generate a signature tor other mitigations (depending on the conditions)

Forum Discussion

Custom dynamic signature

5 Replies

Recent Discussions

BWC iRule

Citrix XenServer Big-IP Upgrade help

iRule condition - request contains more than 10000 parameters

Hi All, We have viprion 4300 with 4450 blades with 6 blades all blades having same configuration

Can iRule be used to perform exception of IPI category based on Geolocation

Related Content

Customized Bot Signature not working

Mitigating log4j (CVE-2021-44228) with AFM Protocol Inspection Custom Signatures

Using Perl Compatible Regular Expressions (PCRE) in Protocol Inspection Custom Signatures

F5 Distributed Cloud - Customer Edge Site - Deployment & Routing Options

AFM Protocol Custom Signatures for Spring4Shell and Spring_Cloud (CVE-2022-22963 and -22965)