1165 Views, 0 Helpful, 1 Replies

ACE config for delayed binding to mitigate Slowloris HTTP DOS attack

ecthompson (Level 1)

More info on the Slowloris attack here: http://www.funtoo.org/en/security/slowloris/  To mitigate this, the following CSS config was given. I converted it to the ACE using the web-based conversion tool on the ACE.

# CSS

content www_80_rule
        vip address 10.5.154.200
        protocol tcp
        port 80
        add service wwwserver1_80
        add service wwwserver2_80
        url "/*"
        active

# ACE

class-map type http loadbalance match-any DELAYED_BINDING
   match http url "[.]*"

policy-map type loadbalance first-match web_services
  class DELAYED_BINDING
    serverfarm web_services

Unfortunately when applied to a server farm all HTTP traffic is denied.  Not sure what I'm missing.  Has anyone successfully used a delayed binding to mitigate this kind of attack?

1 Reply

rocash (Cisco Employee)

Try changing your wildcard expression to:

class-map type http loadbalance match-any DELAYED_BINDING
   match http url .*

Which is the convention supported by the ACE. See:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/classlb.html#wp1313278
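Why the original class map denied everything, as an added example that is not part of the original thread and not Cisco's code: in regular-expression syntax `[.]` is a character class containing only a literal dot, so `[.]*` matches strings consisting solely of dots (or the empty string), while `.*` matches any text. This small Python model of a `first-match` load-balance policy with a `match-any` class assumes two things about the ACE that the thread does not state explicitly: that the class-map URL regex is compared against the whole URL (implicitly anchored at both ends, which is why Cisco's convention needs `.*`), and that a request matching no class in the policy is dropped, which is the "all HTTP traffic is denied" symptom reported above. The sample URLs are constructed for the example. Delayed binding itself is the reason this matters for Slowloris: the ACE must receive the complete HTTP request header before it picks a server, so the half-finished headers an attacker dribbles in stay on the ACE and never occupy a web-server worker.

```python
import re

# Constructed sample request URLs (not taken from the original thread).
SAMPLE_URLS = ["/", "/index.html", "/images/logo.gif", "/cgi-bin/search?q=slowloris"]


def url_matches(pattern: str, url: str) -> bool:
    """Assumption: the ACE compares the whole URL against the class-map regex
    (implicitly anchored at both ends), so arbitrary text only matches when the
    pattern is written with '.*'. Modelled with re.fullmatch for that reason."""
    return re.fullmatch(pattern, url) is not None


def first_match(policy, url):
    """Evaluate a 'policy-map type loadbalance first-match'.

    policy: ordered list of (class_name, [url_regex, ...], action).
    Inside a class the regexes are 'match-any'; the first class that matches
    wins. Assumption: when no class matches, the ACE drops the request, which
    is modelled here as the action "deny"."""
    for class_name, patterns, action in policy:
        if any(url_matches(p, url) for p in patterns):
            return class_name, action
    return None, "deny"


# The poster's original class map: only strings made of dots can match.
BROKEN_POLICY = [("DELAYED_BINDING", [r"[.]*"], "serverfarm web_services")]

# The reply's corrected class map: '.*' matches every URL.
FIXED_POLICY = [("DELAYED_BINDING", [r".*"], "serverfarm web_services")]


def evaluate(policy):
    """Map each sample URL to the action the policy would take on it."""
    return {url: first_match(policy, url)[1] for url in SAMPLE_URLS}


if __name__ == "__main__":
    for label, policy in (("[.]*", BROKEN_POLICY), (".*", FIXED_POLICY)):
        print(f"match http url {label}:")
        for url, action in evaluate(policy).items():
            print(f"  {url:32} -> {action}")
```

Running the script shows every sample URL hitting "deny" under `[.]*` and `serverfarm web_services` under `.*`; the same check can be applied to any class-map regex before it is pushed to the ACE by adding representative URLs to `SAMPLE_URLS`.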
