Forum Discussion

George_Daly_322
Jun 18, 2008

Drop HTTP GET request based on host

I'm trying to do a simple iRule where if the HTTP request contains a particular address the connection is dropped. This is to prevent a shared webserver from being DDOS'd due to HTTP GETs to a particular site. I have the following (obviously changing domain.com to the website I want to drop traffic to):

 

 

    when HTTP_REQUEST {
        if { [HTTP::host] contains "domain.com" }{
            TCP::release
            return
        }
    }

 

 

The iRule is being processed but it looks like the traffic isn't matching thus isn't being dropped.

Any suggestions on an error in my code or a better way to achieve this?

Thanks,

George

1 Reply

  • If you use reject, instead of TCP::release, the TCP connection will be reset.

     
        when HTTP_REQUEST {
            if { [string tolower [HTTP::host]] contains "domain.com" } {
                # Reset the TCP connection
                reject

                # End processing this rule event
                return
            }
        }
     

    It might be more secure to positively define which host header values you do want to allow and send a reset for all others. You could do this for a single host as you've done above, or create a list of the allowed host header values in a datagroup (called a class in the bigip.conf).

    Single allowed hostname:

     
        when HTTP_REQUEST {
            if { not ([string tolower [HTTP::host]] contains "allowed.domain.com") } {
                # Reset the TCP connection
                reject

                # End processing this rule event
                return
            }
        }
     

    Multiple allowed hostnames defined in a datagroup called allowed_hostnames:

     
        when HTTP_REQUEST {
            if { not ([matchclass [string tolower [HTTP::host]] contains $::allowed_hostnames]) } {
                # Reset the TCP connection
                reject

                # End processing this rule event
                return
            }
        }
     

    Aaron
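
Added example, not part of Aaron's reply: the allow-list rules above use `contains`, a substring test, so a Host value that merely includes an allowed name also passes, and any `:port` suffix stays in the compared value. The variant below normalises the header and matches it exactly; it assumes the `allowed_hostnames` datagroup from the reply holds complete, lower-case hostnames and uses the same v9-style `$::` class reference as the thread.

```tcl
when HTTP_REQUEST {
    # Normalise the Host header before comparing:
    #  - getfield keeps only the part before the first ":" (drops ":port")
    #  - string trimright removes a trailing dot ("www.domain.com.")
    #  - string tolower makes the comparison case-insensitive
    set host [string tolower [string trimright [getfield [HTTP::host] ":" 1] "."]]

    # Exact match against the datagroup (assumed to contain full hostnames).
    # An empty Host header (e.g. HTTP/1.0 without Host) matches nothing
    # and is therefore reset as well.
    if { not ([matchclass $host equals $::allowed_hostnames]) } {
        # Reset the TCP connection
        reject

        # End processing this rule event
        return
    }
}
```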