Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
code share

Mirai-Strikeback - iRule to kill Mirai IoT bot processes from your F5

Problem this snippet solves:

In September and October of 2016, a new botnet appeared comprised of DVRs, closed-circuit TVs and other devices using the BusyBox embedded OS. The bot code, however, contains a flaw that can result in a bot segfault when a specially-crafted Location header is sent back to it.

How to use this snippet:

At the time of this writing, no known fingerprints for the Mirai botnet exist. However, Mirai only attacks a single URI at a time, so the iRule watches for this and sends back the specially-crafted location header only if a client requests the same URI ten times in ten seconds. This is a crude detection mechanism and might interfere with legitimate clients (such as an API poll). So use at your discretion.

Comments on this Snippet
Comment made 22-Dec-2016 by Hurricane_1983 180

Hi David,

Is it possible to edit this irule for all url not only a url?i think than this will be work likes web scrabing in asm .

Thanks,

0