More info on the Slowloris attack here: http://www.funtoo.org/en/security/slowloris/

To mitigate this, the following CSS config was given. I converted it to the ACE using the web-based conversion tool on the ACE.
# CSS
content www_80_rule
  vip address 10.5.154.200
  protocol tcp
  port 80
  add service wwwserver1_80
  add service wwwserver2_80
  url "/*"
  active
# ACE
class-map type http loadbalance match-any DELAYED_BINDING
  match http url "[.]*"
policy-map type loadbalance first-match web_services
  class DELAYED_BINDING
    serverfarm web_services
Unfortunately, when applied to a server farm, all HTTP traffic is denied. Not sure what I'm missing. Has anyone successfully used a delayed binding to mitigate this kind of attack?