I need to set up a new iRule to basically mitigate a DoS attack. Specifically, it should work in case of TCP flag attacks (SYN, ACK, FIN and RST). Could someone help me with this? It should also work under a UDP flood attack. I'm starting from scratch, so any help on this would be very welcome. Thanks folks.
A lot of what you are asking for is already baked into the device.
See: K14813: Detecting and mitigating DoS/DDoS attacks (11.4.x - 12.x)
Thanks Michael. I went through that article but still need some kind of guidelines (especially for better control) for building out a new iRule in case of detecting suspicious activities or even DDoS attacks. How can I set up TCP for defending against flag attacks? Many thanks again for helping out.
I don't think you can inspect TCP flags using iRules, so this approach seems unviable. You should look at using one of the standard modules/features built into the product that accomplish this objective, as Mr Yates has already suggested.
Thank you both!
You can have a look at TCP/IP flags and options if you use the packet filters (Network > Packet Filters). The event name is FLOW_INIT (link is here). Then use DATAGRAM commands to access the flags and options (its link is here).
Thanks Faruk. I see that both are very related. What I need is a simple example of how to limit or discard, with one iRule, thousands of TCP SYN packets (or RST or FIN) originating from the same source IP whenever a threshold is exceeded, while allowing all the rest. Thanks in advance, CK
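As an added example (not from this thread or from F5), the threshold logic CK asks for, modelled in Python over constructed packets: per source IP, bare SYN, RST and FIN packets and UDP datagrams are each counted in a one-second sliding window, the excess over the threshold is dropped, and everything else (ACK-only, SYN/ACK) passes untouched. The threshold, addresses and timestamps are made up; on the device itself this is the job of the DoS features and packet filters referenced above, and the example only shows the decision logic an iRule or filter would have to implement.

```python
# Added example, not F5 code: models the per-source threshold the thread asks for, over constructed packets.
from collections import defaultdict, deque
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits

def kind(pkt):
    """Bucket a packet counts against, or None if it is never rate-limited."""
    if pkt["proto"] == "udp":
        return "UDP"
    f = pkt["flags"]
    if f & SYN and not f & ACK:      # bare SYN = new connection attempt (SYN/ACK replies pass)
        return "SYN"
    if f & RST:
        return "RST"
    if f & FIN:
        return "FIN"
    return None                      # ACK-only, PSH, etc. are never limited

class FloodLimiter:
    """Per (source IP, kind) sliding window: allow up to `threshold` packets per `window` seconds."""
    def __init__(self, threshold=100, window=1.0):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)          # (src, kind) -> timestamps still inside the window
    def decide(self, pkt):
        k = kind(pkt)
        if k is None:
            return "allow"
        q, now = self.seen[(pkt["src"], k)], pkt["ts"]
        while q and now - q[0] > self.window:   # expire entries older than the window
            q.popleft()
        if len(q) >= self.threshold:
            return "drop"                       # excess from this source: discard; other sources unaffected
        q.append(now)
        return "allow"

def pkt(src, proto, ts, flags=0): return {"src": src, "proto": proto, "ts": ts, "flags": flags}

def run_demo(threshold=100):
    """Constructed traffic: SYN and UDP floods from one source plus legitimate traffic; returns counts per label."""
    lim = FloodLimiter(threshold=threshold, window=1.0)
    traffic = (
        [("flood-syn", pkt("198.51.100.7", "tcp", i * 0.001, SYN)) for i in range(150)]
        + [("attacker-ack", pkt("198.51.100.7", "tcp", i * 0.001, ACK)) for i in range(50)]
        + [("other-syn", pkt("203.0.113.9", "tcp", i * 0.01, SYN)) for i in range(10)]
        + [("flood-udp", pkt("198.51.100.7", "udp", i * 0.002)) for i in range(120)]
    )
    counts = defaultdict(lambda: {"allow": 0, "drop": 0})
    for label, p in traffic:
        counts[label][lim.decide(p)] += 1
    return dict(counts)
```

Note that SYN, RST, FIN and UDP are counted in separate buckets per source, so a host that legitimately closes many connections is not penalised for the SYNs of another.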