Forum Discussion

Klaus_Gerthein1
Oct 31, 2011

THC SSL DOS , iRule to limit the connection from one client ip in 60 second interval

Hello,
I read the article "F5 Friday Mitigating the THC SSL Dos Attack".
I'm running version 10.2.2 + Hotfix-3, so all my ssl virtual servers
will drop SSL renegotiation requests.
So I had a look at the site http://www.thc.org/thc-ssl-dos/ and found this comment:

------< schnipp >-----
2011-OCT-25 PRIVATE RELEASE:
People are asking us about the private release that works against servers
that do not support SSL renegotiation. We will not release it.
Meanwhile the good news is that openssl can be used to perform the same attack
It's not as elegant as the private thc-ssl-dos but works quite well indeed.
2 simple commands in bash:
-----BASH SCRIPT BEGIN-----
thc-ssl-dosit() { while :; do (while :; do echo R; done) | openssl s_client -connect 127.0.0.1:443 2>/dev/null; done }
for x in `seq 1 100`; do thc-ssl-dosit & done
-----BASH SCRIPT END-------
------< schnapp >-----

Is there an iRule available to limit the connections from one client ip-address
in a 60 second interval, for example 10 tcp connections per 60 seconds?
The connection information about the client ip address must be shared among all tmm processes.
Will an iRule solution work with systems running more than one tmm process,
for example a BIG-IP 3900 with 4 tmm processes?
If the iRule is added to three virtual servers, will the stored client ip-address information
be stored for each virtual server or will all three virtual servers share the client
ip-address information?
Kind regards
Klaus

2 Replies

  • Hi Klaus,

    Take a look at this article:

    iRule::ology; Connection Limiting Take 2

    Question: Is there an iRule available to limit the connections from one client ip-address in a 60 second interval, for example 10 tcp connections per 60 seconds?

    Answer: Yes. The iRule in the article above can do it using the Table Command.

    Question: The connection information about the client ip address must be shared among all tmm processes. Will an iRule solution work with systems running more than one tmm process, for example a BIG-IP 3900 with 4 tmm processes?

    Answer: Yes. The Table is not only available across TMMs, but across BIG-IPs in an HA Pair. You can read more about it here: The Table Command

    Question: If the iRule is added to three virtual servers, will the stored client ip-address information be stored for each virtual server or will all three virtual servers share the client ip-address information?

    Answer: In the article example, it would be holistic to the BIG-IP because of the variable name. If you wanted it to be specific per Virtual Server you could create different instances of the iRule and change the variable names that are stored in the table.

    Hope this helps.
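An added example of the table-based approach described in this reply, written for this thread and not taken from the linked article: it counts new TCP connections per client IP in a fixed 60-second window and rejects the connection before the SSL handshake once the count exceeds 10. The limit, window length and key name are assumptions; `table`, `static::` variables and `virtual name` are standard iRule features available on v10.1 and later.

```tcl
# Added example: per-client-IP connection rate limit with the iRule table
# command. Thresholds below are assumptions chosen to match the question.
when RULE_INIT {
    set static::conn_limit 10     ;# max new connections per client IP per window
    set static::conn_window 60    ;# window length in seconds
}

when CLIENT_ACCEPTED {
    # One key per client IP. The table is shared across all TMMs (and the HA
    # pair), so this count is global to the BIG-IP and to every virtual server
    # the iRule is attached to. For a per-virtual-server count, use
    # "connrate:[virtual name]:[IP::client_addr]" as the key instead.
    set key "connrate:[IP::client_addr]"

    # table incr is atomic and returns the new value. It creates the entry on
    # first use, which avoids a lookup-then-set race between TMMs.
    set count [table incr $key]

    if { $count == 1 } {
        # First connection in this window: make the entry expire exactly
        # conn_window seconds after creation, regardless of further activity,
        # so the counter resets on a fixed window.
        table timeout $key indefinite
        table lifetime $key $static::conn_window
    }

    if { $count > $static::conn_limit } {
        # Reject at the TCP layer, before any SSL handshake CPU is spent.
        log local0. "connrate: rejecting [IP::client_addr] ($count connections in ${static::conn_window}s)"
        reject
        return
    }
}
```

Note that this limits the rate of new connections, which is what the question asks for, rather than the number of concurrent connections that the linked article limits; legitimate clients behind a shared NAT address share one counter, so size the limit accordingly.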

     

  • Hello Michael,

    great article, this solves my problem.

    Thanks for your help.

    Kind regards

    Klaus