Forum Discussion

Song_chi_woon_2
Nov 01, 2006

how to set iRule against DoS attack

Hi

I know the attack defense methods for CodeRed or Nimda in BIG-IP: the BIG-IP system is able to filter out CodeRed and Nimda based on the HTTP requests being sent.

I want to know how to prevent to the bigip system with iRule

6 Replies

  • Hi, I just merged the Nimda and CodeRed scripts into one and checked the syntax was OK on my LTM.

    ------------------------------
    CodeRed and Nimda prevention
    ------------------------------

       when HTTP_REQUEST {
          # CodeRed probes default.ida; Nimda probes cmd.exe, root.exe and admin.dll.
          # Regexes are brace-quoted so the escaped dot reaches the regex engine;
          # matches_regex searches anywhere in the URI, so no leading/trailing .* is needed.
          if { ([HTTP::uri] contains "default.ida") or ([HTTP::uri] matches_regex {cmd\.exe}) or ([HTTP::uri] matches_regex {root\.exe}) or ([HTTP::uri] matches_regex {admin\.dll}) } {
             log local0. "client: [IP::client_addr], requested [HTTP::host][HTTP::uri]"
             discard
          } else {
             pool livepool
          }
       }

    Here's the log info (modified of course):

       Rule CodeRed_And_Nimda_Attack HTTP_REQUEST: client: , requested www.abc.com/root.exe

    What I can't tell is if anything is getting blocked.
  • Hi grimish,

    Nice addition. I think using a string function instead of a regex would be more efficient. Here are a couple of examples:

    
    when HTTP_REQUEST {
       set uri [string tolower [HTTP::uri]]
       if { ($uri contains "default.ida") 
       or ($uri contains "cmd.exe") 
       or ($uri contains "root.exe") 
       or ($uri contains "admin.dll") } {
          log local0. "client: [IP::client_addr], requested [HTTP::host]$uri and was discarded"
          discard
       } else {pool livepool}
    }

    Or with a host header restriction and the URI filtering:

    
    when HTTP_REQUEST {
       set uri [string tolower [HTTP::uri]]
       if { not ( [string tolower [HTTP::header Host]] contains "mysite.com" ) or (
          ($uri contains "default.ida") 
          or ($uri contains "cmd.exe") 
          or ($uri contains "root.exe") 
          or ($uri contains "admin.dll")) } {
          log local0. "client: [IP::client_addr], requested [HTTP::host]$uri and was discarded"
          discard
       } else {pool livepool}
    }

    To test this, you can make a request to the VIP with one of these rules configured. The browser should hang as the request is ignored (discarded), until a timeout is reached. The /var/log/ltm file should also log the client IP address and host/URI.

    Aaron
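    The difference between the first reply's regex match on the raw URI and Aaron's lower-cased substring match is easier to see on concrete requests. The script below is an added example written for this thread, not F5 code and not an iRule: it models the two filters in Python over a constructed set of URIs, and adds a third variant that percent-decodes the URI before matching (the equivalent step in an iRule would be the URI::decode command), since a `%2E`-encoded dot is invisible to a plain `contains` check on `[HTTP::uri]`. The signatures are the four strings from the thread; the sample URIs are constructed.

```python
"""Model of the CodeRed/Nimda URI filters from the thread (added example, not F5 code)."""
import re
from urllib.parse import unquote

# The four signatures used by both iRules in the thread.
SIGNATURES = ("default.ida", "cmd.exe", "root.exe", "admin.dll")

# First reply's approach: a case-sensitive regex search on the raw URI
# (default.ida was a plain 'contains' there, the other three were regexes).
REGEX_PATTERNS = [re.compile(r"cmd\.exe"), re.compile(r"root\.exe"), re.compile(r"admin\.dll")]


def match_regex_raw(uri: str) -> bool:
    """Case-sensitive match on the URI exactly as received."""
    return "default.ida" in uri or any(p.search(uri) for p in REGEX_PATTERNS)


def match_tolower(uri: str) -> bool:
    """Aaron's version: [string tolower [HTTP::uri]] then 'contains' per signature."""
    lowered = uri.lower()
    return any(sig in lowered for sig in SIGNATURES)


def match_decoded(uri: str) -> bool:
    """Added caveat: percent-decode first so an encoded dot still matches.
    In an iRule this is what URI::decode does before the string compare."""
    lowered = unquote(uri).lower()
    return any(sig in lowered for sig in SIGNATURES)


def decide(uri: str, matcher) -> str:
    """Mirror the iRule's two outcomes: discard the request or send it to the pool."""
    return "discard" if matcher(uri) else "pool livepool"


# Constructed sample URIs: classic worm probes plus variants that trip up the simpler checks.
SAMPLES = [
    "/scripts/root.exe?/c+dir",          # Nimda probe, like the thread's log line
    "/c/winnt/system32/cmd.exe?/c+dir",  # Nimda probe via cmd.exe
    "/default.ida?XXXX",                 # CodeRed probe
    "/scripts/ROOT.EXE?/c+dir",          # upper-case: misses a case-sensitive check
    "/scripts/root%2Eexe?/c+dir",        # percent-encoded dot: misses a raw 'contains'
    "/index.html",                       # legitimate request
]


def report(uris=SAMPLES):
    """Return one row per URI showing what each filter would do with it."""
    rows = []
    for uri in uris:
        rows.append((uri,
                     decide(uri, match_regex_raw),
                     decide(uri, match_tolower),
                     decide(uri, match_decoded)))
    return rows


if __name__ == "__main__":
    print(f"{'URI':38} {'regex/raw':14} {'tolower':14} {'decoded+tolower'}")
    for uri, a, b, c in report():
        print(f"{uri:38} {a:14} {b:14} {c}")
```

    Running it shows the progression: the raw regex misses the upper-case probe, the `tolower` version catches it but still passes the percent-encoded one, and decoding before the compare catches both while leaving `/index.html` on the pool. The same ordering applies to any `contains`-style signature in an iRule.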

  • Hi Aaron,

    Will have a go at this, not sure what the "tolower" does?

    ps.

    Credit should go to the others who posted the CodeRed and Nimda scripts separately ;-)

    I have another requirement coming up soon, basically I need to do 1400 URL rewrites on the LTM, so I was wondering if this is firstly possible and secondly what's the best way of doing this?
  • Hi Aaron,

    The iRule works a treat. I put this on the SSL VIP, assuming this is where it needs to be... next is to combine the Header Stripper and HTTP redirects.
  • The above contents are defense techniques for Nimda, CodeRed etc.

    The reply that I want is an F5 KEY attack defense.
  • Can you give a bit more detail on what you're trying to block with an iRule?

    In your original post, you said 'I want to know how to prevent to the bigip system with iRule'. Can you elaborate?

    Thanks,

    Aaron