

Questions and Answers


I am wanting to configure something to look for the following patterns that pertain to recent DDoS attacks that have been going around and log the event.

 

·   UDP packets containing this RegEx: "\x2e{250}" or "\x2e{250,}"

·   TCP and UDP packets containing this RegEx: "\x41{250}" or "\x41{250,}"

·    TCP packets containing this RegEx: "(?i)User-Agent[^\r\n]+curl\x2f\d\x3e"

·    TCP packets containing this RegEx: "User-Agent[^\r\n]+PHP\x2f"

I am pretty sure I can do this with an iRule; it has also been suggested by a colleague that it may be better to do a custom attack signature within ASM.  I wanted to get some opinions on which one would be the better way to accomplish this.

 

I have written a few iRules nothing, but have not attempted to do a custom attack signature yet.  Any thoughts or guidance on this is appreciated. 

 

Mike


 


3 Answer(s):

Hi Mike,
ASM signatures can detect that within HTTP requests; however, from what you describe (especially the need for UDP), it seems that this isn't part of HTTP.
The general advice is to use ASM for anything that is HTTP related (ASM sigs are faster than iRules) and iRules for anything else.
Ido,
Thanks for the advice. Is there any documentation/wiki on writing custom attack signatures like what is out there for iRules?
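
The four patterns from the question can be exercised offline against constructed payloads before they go into an iRule or an ASM signature. The following is an added example, not code from this thread: it uses Python's `re` module on the assumption that these patterns behave the same way in the engine on the BIG-IP, and the signature names and sample payloads are made up for the test.

```python
import re

# Patterns as posted in the question, compiled as bytes regexes.
# {250} and {250,} flag the same payloads under an unanchored search,
# so only the {250} form is kept.
# Each entry: (name, protocols it applies to, compiled pattern).
# The names are made up for this example.
SIGNATURES = [
    ("dot-run", {"udp"}, re.compile(rb"\x2e{250}")),
    ("A-run", {"tcp", "udp"}, re.compile(rb"\x41{250}")),
    ("ua-curl", {"tcp"}, re.compile(rb"(?i)User-Agent[^\r\n]+curl\x2f\d\x3e")),
    ("ua-php", {"tcp"}, re.compile(rb"User-Agent[^\r\n]+PHP\x2f")),
]


def match_signatures(proto, payload):
    """Return the names of signatures scoped to proto that match payload."""
    proto = proto.lower()
    return [name for name, protos, rx in SIGNATURES
            if proto in protos and rx.search(payload)]


# Constructed payloads (not captured traffic), one per case worth checking.
SAMPLES = [
    ("udp", b"." * 300),                       # long dot run over UDP
    ("tcp", b"." * 300),                       # same bytes over TCP: out of scope
    ("udp", b"A" * 249),                       # one byte short of the threshold
    ("tcp", b"x" + b"A" * 250 + b"y"),         # run embedded in other data
    ("tcp", b"GET / HTTP/1.1\r\nUser-Agent: CURL/7>\r\n\r\n"),
    # \d\x3e needs one digit then '>' so a "curl/7.29.0" string is not flagged
    ("tcp", b"GET / HTTP/1.1\r\nUser-Agent: curl/7.29.0\r\n\r\n"),
    ("tcp", b"GET / HTTP/1.1\r\nUser-Agent: Mozilla PHP/5.3\r\n\r\n"),
    ("tcp", b"GET / HTTP/1.1\r\nUser-Agent: php/5\r\n\r\n"),  # no (?i) here
]


def scan(samples):
    """Return (proto, payload length, matched names) for each sample."""
    return [(p, len(d), match_signatures(p, d)) for p, d in samples]


if __name__ == "__main__":
    for proto, size, hits in scan(SAMPLES):
        print(f"{proto} {size:4d} bytes -> {hits or 'no match'}")
```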
