Mitigating an attack using TCP profiles

Information

Because SLOWRead attacks require the target server to keep the connection open while the client keeps the TCP window size at zero to effectively stall the connection for long periods, you can use the TCP Zero Window Timeout setting within the TCP profile to effectively mitigate these attacks. By default, this timeout is set to 20,000 milliseconds (20 seconds), which is ample to service clients on very low bandwidth links. However, in attack scenarios or if you know that most clients are on modern links, you should consider reducing this timeout until the stress on the target server or BIG-IP system is reduced to an acceptable level.

The attacker can, of course, reduce the amount of time they wait with the TCP window at zero, but doing so increases the bandwidth requirement at the attacker end. Ultimately, this renders the attack unsustainable unless the attacker has access to a distributed attack (bot-net), which can more effectively be mitigated using other mechanisms.

Solution

1. Log in to the Configuration utility.
2. Navigate to Local Traffic > Profiles > Protocol > TCP.
3. Click Create.
4. Enter a name for your profile.
5. For Parent Profile, click the TCP profile already assigned to the virtual server under attack.
6. For Zero Window Timeout, select the Custom check box and enter a reduced value, such as 10000.
7. Click Finished.
8. Navigate to Local Traffic > Virtual Servers > Virtual Server List.
9. Click the name of the virtual server under attack.
10. For Protocol Profile (client), click the profile you created in step 3.
11. Click Update.

See Also

https://support.f5.com/csp/article/K53108777#link_01

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5, CAT|I, CCI|CCI-002385, Rule-ID|SV-74797r1_rule, STIG-ID|F5BI-LT-000221, Vuln-ID|V-60367

Plugin: F5

Control ID: 68347cb53e87351d075fc1f62e7cf2411bc11fa9afee0630f8a6c2b8e1c47361