Forum Discussion
Arie
Feb 01, 2013
Posted By ChadBigIP on 01/31/2013 08:23 AM
Here is another question:
In my Apache logs, I am seeing these:
142.4.117.129 - - [31/Jan/2013:11:12:27 -0500] "GET http://www.mmadsgadget.com/t?id=cbf37bc9-5698-f7c4-0938-5ca431da2d2d&size=300x250 HTTP/1.0" 302 219 "http://www.homesearchcar.com/?p=1252" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)"
The initial GET should be originating from my server like: GET "/dr1/home/index.html" 200 864 "Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)"
The initial GET is an EXTERNAL domain...which is BAD. But all responses from Apache are 302 (Redirect).
I think they are trying to use my server as a Proxy - but they are getting the response 302 from Apache.
Is there a way to create an iRule to prevent these from even hitting the webservers and DROP or REJECT directly from the iRule?
Maybe take the domain and put it into the iRule and if it is present, then DROP or REJECT?
I would like to just block the IP, but as you can see from this URL: http://www.projecthoneypot.org/ip_142.4.117.129 - there are hundreds of IPs in the 142.X.XXX.XXX network. That is why, if the iRule could look at the GET request domain, maybe this would just deny the requests and take care of the hundreds of IPs that are trying this redirect exploit....
Thanks.
Is mmadsgadget.com your domain, or did a 3rd party configure their A-record with your IP-address? If the latter is the case, couldn't you simply create a whitelist for the hosts that are allowed?
Also, it sounds like there will be a constant feed of new IP-addresses you want to add to the blacklist. If that's the case you may want to tap into a service that provides updates with known bad IP-addresses. Quite possibly this is something the ASM-module can handle.
Lastly, keep in mind that every time you save a class (Data Group) it becomes temporarily unavailable. Unfortunately, I (and others) haven't gotten much traction with F5 on this issue.
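Here is what the two checks discussed above look like as an iRule: refuse any request line that carries an absolute URI (the proxy-style "GET http://host/path" seen in the Apache log), and then only serve Host headers that appear in a whitelist data group. This is an added example, not code posted in the thread or shipped by F5. It assumes BIG-IP v10 or later (for the `class` command) and a string data group named `allowed_hosts` that you populate with your own hostnames; both the group name and the hostnames are placeholders.

```tcl
# Added example, not from the thread or from F5.
# Assumes BIG-IP v10+ and a string data group "allowed_hosts" (placeholder name)
# containing the hostnames this virtual server legitimately serves.
when HTTP_REQUEST {
    set uri  [string tolower [HTTP::uri]]
    set host [string tolower [HTTP::host]]

    # 1. Proxy-style request line. A browser talking to this server sends a
    #    request-URI that begins with "/"; an open-proxy probe sends the full
    #    "http://other.host/..." URI instead. HTTP::uri returns it verbatim.
    if { ($uri starts_with "http://") || ($uri starts_with "https://") } {
        log local0. "Proxy-style request from [IP::client_addr]: [HTTP::method] [HTTP::uri]"
        reject
        return
    }

    # 2. Host whitelist. Catches the same abuse when the probe uses a relative
    #    URI but a foreign Host header, and anything pointed at this IP by a
    #    third party's A record. Empty Host (bare HTTP/1.0) is rejected too.
    if { not [class match $host equals allowed_hosts] } {
        log local0. "Unexpected Host from [IP::client_addr]: '$host' [HTTP::uri]"
        reject
        return
    }
}
```

`reject` sends a TCP reset to the client; use `drop` instead if you prefer the scanner to time out silently. Because the second check also refuses requests with no Host header at all, test it against any HTTP/1.0 clients you still need to serve before enabling it, and remember the point above that a data group is briefly unavailable while it is being saved.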