More info on the Slowloris attack here: http://www.funtoo.org/en/security/slowloris/
To mitigate this, the following CSS config was given. I converted it to the ACE using the web-based conversion tool on the ACE.
content www_80_rule
  vip address 10.5.154.200
  protocol tcp
  port 80
  add service wwwserver1_80
  add service wwwserver2_80
  url "/*"
  active
class-map type http loadbalance match-any DELAYED_BINDING
  match http url "[.]*"
policy-map type loadbalance first-match web_services
Unfortunately, when applied to a server farm, all HTTP traffic is denied. Not sure what I'm missing. Has anyone successfully used a delayed binding to mitigate this kind of attack?