HTTP slow http request/post/reading attack防御

HTTP slow http request , slow http post, slow http reading. 统称 SHA

各自原理这里不再描述。简述F5防御方法:

1. slow request
   HTTP profile自身可防御，如果需要快速主动断开连接，可配合irule
2. slow post
   使用ASM，V13之前通过调整系统全局的internal的slow transaction 两个参数防御。In version 11.3.0, the ASM module's low-and-slow prevention works on inbound requests such as a Slow POST.
3. slow reading，可调整tcp profile的0窗口探测超时参数，如果攻击端不是发起0窗口，则可以额外考虑以下irule
   
   when SERVER_CONNECTED { TCP::collect } when SERVER_DATA { set rtimer 0 # Time in milliseconds before HTTP response read is considered slow: after 5000 { if { not $rtimer} { set hsl [HSL::open -proto UDP -pool hsl_pool] # Slow read detected for this server response. Increment the count by adding a table entry: # Add the client source IP::port to the subtable with a timeout table set -subtable "MyApp" "[IP::client_addr]:[TCP::client_port]" "ignored" 180 # If we are over the concurrency limit then reject if { [table keys -subtable "MyApp" -count] > 5} { clientside {reject} table delete -subtable "MyApp" "[IP::client_addr]:[TCP::client_ port]" HSL::send $hsl "Dropped [IP::client_addr] – reading too slow" } } } TCP::notify response TCP::release TCP::collect } when USER_RESPONSE { set rtimer 1 } when CLIENT_CLOSED { table delete -subtable "MyApp" "[IP::client_addr]:[TCP::client_port]" }

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62

   when SERVER_CONNECTED {   TCP::collect   }   when SERVER_DATA {   set rtimer 0   # Time in milliseconds before HTTP response read is considered slow:   after 5000 {   if { not $rtimer} {   set hsl [HSL::open -proto UDP -pool hsl_pool]   # Slow read detected for this server response. Increment the count by adding a table entry:   # Add the client source IP::port to the subtable with a timeout   table set -subtable "MyApp" "[IP::client_addr]:[TCP::client_port]" "ignored" 180   # If we are over the concurrency limit then reject   if { [table keys -subtable "MyApp" -count] > 5} {   clientside {reject}   table delete -subtable "MyApp" "[IP::client_addr]:[TCP::client_ port]"   HSL::send $hsl "Dropped [IP::client_addr] – reading too slow"   }   }   }   TCP::notify response   TCP::release   TCP::collect   }   when USER_RESPONSE {   set rtimer 1   }   when CLIENT_CLOSED {   table delete -subtable "MyApp" "[IP::client_addr]:[TCP::client_port]"   }