irule to mitigate HTTP de-sync attack

Question

Hi Experts, I'm here to seek some help in implementing irule that would search the http requests that contains both the headers 1. Transfer Encoding 2. Content-length and reset the connection for the these requests. This is to mitigate the HTTP de-sync attack on the F5 units which has the ASM security policy in transparent mode. I tried the below, but it didn't work. Request your help. when HTTP_REQUEST {
if { [class match [HTTP::header "Content-length"] &gt; 0 ] AND [HTTP::header "Transfer-encoding"] equals "chunked"} {
reset
}
}
I need to look at the HTTP requests which has the headers content-length &gt; 0 and with header transfer-encoding as chunked, drop this connection, allow the rest of the request to through.

ivan_chernenkii · Answer

Hello,&nbsp;Why you can not use standard "HTTP Desync Attack Attempt" attack signature for it?&nbsp;Thanks, Ivan

Forum Discussion

irule to mitigate HTTP de-sync attack

1 Reply

Recent Discussions

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Enabling AVR and creating Profiles

Get associated pool name from VIP IP using F5-LTM

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

Related Content

Mitigating JSON-based SQL injection with BIG-IP ASM / Advanced WAF Attack Signatures

Mitigating OWASP Web Application Risk: SSRF Attack using F5 XC Platform

Mitigating OWASP Web Application Risk: Broken Access attacks using F5 Distributed Cloud Platform

CitrixBleed Mitigation CVE-2023-4966

F5 Distributed Cloud L3-L7 DDoS Mitigation