HTTP slow http request/post/reading attack防御

2017年09月4日 8233点热度 0人点赞 0条评论

HTTP slow http request , slow http post, slow http reading. 统称 SHA

各自原理这里不再描述。简述F5防御方法:

slow request
HTTP profile自身可防御，如果需要快速主动断开连接，可配合irule
slow post
使用ASM，V13之前通过调整系统全局的internal的slow transaction 两个参数防御。In version 11.3.0, the ASM module's low-and-slow prevention works on inbound requests such as a Slow POST.

slow reading，可调整tcp profile的0窗口探测超时参数，如果攻击端不是发起0窗口，则可以额外考虑以下irule

when SERVER_CONNECTED {

 TCP::collect

}

when SERVER_DATA {

 set rtimer 0

# Time in milliseconds before HTTP response read is considered slow:

 after 5000 {

 if { not $rtimer} {

 set hsl [HSL::open -proto UDP -pool hsl_pool]

# Slow read detected for this server response. Increment the count by adding a 
table entry:

# Add the client source IP::port to the subtable with a timeout

 table set -subtable "MyApp" "[IP::client_addr]:[TCP::client_port]" 
"ignored" 180

# If we are over the concurrency limit then reject

 if { [table keys -subtable "MyApp" -count] > 5} {

 clientside {reject}

 table delete -subtable "MyApp" "[IP::client_addr]:[TCP::client_
port]"

 HSL::send $hsl "Dropped [IP::client_addr] – reading too slow"

 } 

 }

 }

 TCP::notify response 

 TCP::release

 TCP::collect

}

when USER_RESPONSE {

 set rtimer 1

}

when CLIENT_CLOSED {

 table delete -subtable "MyApp" "[IP::client_addr]:[TCP::client_port]" 

}