Forum Discussion

PowerShellDon_1
Oct 11, 2017

Rate limiting - one req per second?

Using ASM DoS or iRules, is it possible to limit to one request per second per session? We've had pen testers in the past manage to send 200 requests simultaneously using Burp Sniper (multi-threaded) to achieve a time-of-check/time-of-use bug. Is this too sensitive for F5 to solve?

Thanks,

2 Replies

  • It is possible to rate-limit requests even using LTM (using a rate-limit class or connection limits); however, this will not fix your problem, as a time-of-check/time-of-use bug is a race condition inside your application and should ultimately be fixed by the application developers.

    F5 devices are incredibly powerful, capable of processing hundreds of thousands of requests per second (in fact, a 12250v box supports 4 MILLION requests per second), and you want to make F5 4 million times slower because of a buggy application? Sorry for a bit of a rant, but if application developers are available, then this is really a bug for them to fix.

    To slow down the connection rate, you don't actually need ASM; just use the connection rate limit setting on the Virtual Server.
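The race condition the reply above refers to, as an added example that is not part of the original thread: a constructed voucher-redemption handler in Python, hit by 200 simultaneous requests the way a multi-threaded Burp run would hit it, first with the check and the debit as separate steps and then with both inside one critical section. The classes, balances and amounts are illustrative assumptions, not anything from the page or from F5.

```python
"""Added example (not from the original thread): why a TOCTOU race in the
application cannot be closed by a rate limiter, and what the code-level fix
looks like. The voucher service, balances and request count are constructed
for the demonstration."""
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class VulnerableVoucher:
    """Check-then-act: the balance check (time of check) and the debit
    (time of use) are separate, unsynchronised steps."""

    def __init__(self, balance):
        self.balance = balance

    def redeem(self, amount):
        if self.balance >= amount:          # time of check
            time.sleep(0.005)               # stands in for a DB round trip; other requests interleave here
            self.balance -= amount          # time of use: the credit may already be spent
            return True
        return False


class SafeVoucher(VulnerableVoucher):
    """Same handler, but check and debit form one atomic critical section.
    In a real service this would be a conditional UPDATE ... WHERE balance >= ?
    (checking rows affected) or a row lock, not an in-process mutex."""

    def __init__(self, balance):
        super().__init__(balance)
        self._lock = threading.Lock()

    def redeem(self, amount):
        with self._lock:
            return super().redeem(amount)


def simulate_burst(voucher, amount, n_requests):
    """Fire n_requests at the same instant against one voucher.
    Returns (successful_redemptions, final_balance)."""
    barrier = threading.Barrier(n_requests)   # release every request together, like a multi-threaded attack tool

    def request(_):
        barrier.wait()
        return voucher.redeem(amount)

    # One worker per request so every party reaches the barrier (fewer workers would deadlock).
    with ThreadPoolExecutor(max_workers=n_requests) as pool:
        results = list(pool.map(request, range(n_requests)))
    return sum(results), voucher.balance


if __name__ == "__main__":
    ok, bal = simulate_burst(VulnerableVoucher(10), 10, 200)
    print(f"vulnerable: {ok} redemptions from a 10-credit voucher, balance now {bal}")
    ok, bal = simulate_burst(SafeVoucher(10), 10, 200)
    print(f"fixed:      {ok} redemption(s) from a 10-credit voucher, balance now {bal}")
```

The vulnerable service redeems a 10-credit voucher many times and ends with a negative balance; the fixed one redeems it exactly once. Note that a per-session limit of one request per second would not make the first version correct either: the handler is still racy, and an attacker who can hold several sessions against the same voucher gets the same interleaving.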

  • With ASM or AFM you can use DoS Profile settings:

    Security ›› DoS Protection : DoS Profiles ›› Create New DoS Profile...

     Application Security ›› TPS-based DoS Detection
        TPS reached:  xxx transactions per second

    You will need to experiment to determine appropriate values for these settings. If you enable DeviceID in your ASM policy, the client must support JavaScript, and may be blocked if it does not do so (even for a policy in Alarm-only or Transparent mode). You should also establish a baseline of acceptable traffic levels before trying to exceed TPS detection.

    ASM Web Scraping protection may also be of value:

    Security ›› Application Security : Anomaly Detection : Web Scraping