Solved: Re: DoS attack violation identified when using x-dynatrace field

sriaravind · ‎25 May 2021

Hi,

We are using the x-dynatrace header field to monitor the messages by injecting from the Dynatrace Agent. And some of the requests are blocked due to "Jackson data-bind BigDecimal DoS (Header)". In this case, the x-dynatrace field got value as below,
X-dynaTrace: FW4;-428057869;14;-1830560483;6305125;0;1075664345;735;639a;1h0101c1d4d840c1e2f1f3f7e2e4d7f140404060a9804f20172e100000000000000000000000000000000000000000000000004c533234375349503200433030302e4541492e4f524445525355425245535000;2h01;3h92e3dd1d;4h603565;5h01
The above Highlighted value is the detected keyword for Jackson data-bind BigDecimal Denial of Service.

The F5 WAF blocks the request as it contains "e100000000" in the header value. This will be detected by F5 WAF rules as a DOS attack based on the CVE security flaws (https://nvd.nist.gov/vuln/detail/CVE-2018-1000873).

How can we skip generating the values with highlighted value?

Is this common issue and what are the resolutions that we can try to fix this issue?

What is the structure/format of x-dynatrace header? Is it possible to configure at OneAgent level?

ChadTurner · ‎17 Jun 2021

I would recommend opening a support ticket on this so support is aware of the issue and can put a solution in across the platform

-Chad

DanielS · ‎01 Nov 2021

I would recommend to have in consideration that to fully enable RUM, you must verify the configuration of your firewalls, proxies, and web servers and allow all required data to pass through. I leave the link to the article.

https://www.dynatrace.com/support/help/how-to-use-dynatrace/real-user-monitoring/setup-and-configura...

The true delight is in the finding out rather than in the knowing.