Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

Block a DoS attack (TCP flag and/or UDP flood) with an iRule

Dear community,

I need to set up a new irule for basically mitigate a DoS attack. Specifically should work in case of TCP Flag Attacks ( SYN, ACK, FIN and RST) . Could someone help me with this? Also should have to work under an UDP flood attack. Im starting from scratch so any help on this would be very welcomed. Thanks folks.

0
Rate this Question
Comments on this Question
Comment made 14-Sep-2017 by Michael Yates 745

A lot of what you are asking for is already baked into the device.

See: K14813: Detecting and mitigating DoS/DDoS attacks (11.4.x - 12.x)

0
Comment made 18-Sep-2017 by titankapo 1

Thanks Michael. I went through that article but still need some kind of guidelines ( specially for a better control) for building out a new irule in case of detecting suspicious activities or even ddos attacks. how can I set up TCP for defending against Flag Attacks? Many thanks again for helping out.

0
Comment made 22-Sep-2017 by BinaryCanary

I don't think you can inspect TCP flags using irules, so this approach seems unviable. You should look at using one of the standard modules/features built into the product that accomplish this objective as Mr Yates has already suggested.

0
Comment made 22-Sep-2017 by titankapo 1

thank you both!

0

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Guy,
You can have a look at TCP/IP flags and options, If you use the packet filters (Network > Packet Filters). Event name is FLOW_INIT. Link is here. Then use DATAGRAM commands to access the flags and options. Its link is here

0
Comments on this Answer
Comment made 25-Sep-2017 by titankapo 1

Thanks Faruk. I see that both are very related. what I need is a simple example of how to limit or discard with one irule thousands of SYN TCP packets ( or RST or FIN) originating from the same IP source, whenever a threshold is exceeded, but allowing all the rest. Thanks in advance, CK

0