iRule for DDoS Attacks!
Hello,
I'm working with a client that is getting DDoS attacks from random IPs. We have some limitations with the hardware, as we only have an ASA and the F5 but no additional security modules, and no IPS for the FW. In the ASA I have limited the embryonic connections using TCP Intercept.
In the F5 I would like to write an iRule to deny incoming connections containing the following string: UNION%20SELECT%20
During the attacks we were able to identify that all the IPs contain UNION%20SELECT%20 in the URL. So I'm wondering if this could work:
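/usr/libexec/bigpipe rule DDOs '{
    when HTTP_REQUEST {
        # The URI is lowercased before the comparison, so the literal
        # must be lowercase as well or the condition can never be true.
        if { [string tolower [HTTP::uri]] contains "union%20select%20" } {
            # Record the rejected URI in /var/log/ltm via the local0 facility.
            log local0. "Rejecting [HTTP::uri] request"
            # Drop the connection without sending an HTTP response.
            reject
        }
    }
}'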
1. I need this to apply to all the VIPs, for all the incoming connections.
2. I know that we should have security modules or an IPS or NextGen Firewall, but unfortunately we have limitations.
3. Any other suggestion is welcome, I really appreciate your help!
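A variant of the rule above that normalizes the URI before matching, so the check does not depend on the exact case or on the space being written as %20. This is an added example, not part of the original post; the variable name uri is an assumption, and only the request URI is inspected, not headers or POST bodies.

```tcl
when HTTP_REQUEST {
    # Treat "+" as a space first (form encoding), so that a literal plus
    # sent as %2B is not turned into a space by the next step.
    set uri [string map {+ " "} [HTTP::uri]]
    # Decode %xx escapes once and lowercase the result.
    set uri [string tolower [URI::decode $uri]]
    # Collapse runs of whitespace (tabs, newlines, repeated spaces) to one space.
    regsub -all {\s+} $uri " " uri
    if { $uri contains "union select " } {
        # Log the client address with the raw URI so the entry can be
        # correlated with ASA and web server logs.
        log local0. "Rejecting [IP::client_addr] request for [HTTP::uri]"
        reject
    }
}
```

An iRule only runs on the virtual servers it is attached to, and HTTP_REQUEST fires only where an HTTP profile is assigned, so covering all VIPs means adding the rule to each one.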