Forum Discussion

ChadBigIP_14663
Jan 02, 2013

Create Datagroup/iRule to use with Brute Force IP List

Hello,

How do I set up a Datagroup that has hundreds and hundreds of IPs and then create an iRule so that it uses this list to block traffic on ALL PORTS? It appears that the F5 Data Group Editor only allows you to enter 1 IP address at a time.

Here is the IP address list that I want to use to be able to set up the Datagroup, then I need the info on how to use that Datagroup in an iRule to set up blocking traffic on ALL PORTS.

http://danger.rulez.sk/projects/bruteforceblocker/blist.php

Thank you.
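For the original question (an IP list enforced on every port rather than by Host header), an iRule along these lines would do it; this is an added example, not code posted in the thread, and it assumes an address-type data group named bruteforce_ips has already been populated with the listed IPs.

```tcl
# Added example (not from this thread). Assumes an address-type data group
# named "bruteforce_ips" holds the listed IPs and/or CIDR subnets.
# CLIENT_ACCEPTED fires for any virtual server the iRule is attached to,
# on any port and without an HTTP profile; attach it to a wildcard
# virtual server (0.0.0.0:0) to cover all ports at once.
when CLIENT_ACCEPTED {
    # "equals" against an address data group also matches subnet entries
    if { [class match [IP::client_addr] equals bruteforce_ips] } {
        # One log line per blocked connection; comment out if the list
        # is busy enough for this to flood /var/log/ltm.
        log local0. "blocked listed client [IP::client_addr] -> [IP::local_addr]"
        # "drop" discards the connection silently; use "reject" instead
        # if you would rather send a TCP RST back to the client.
        drop
        return
    }
}
```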

 

20 Replies

  • How do I get this working, or set up a DataGroup called "bad-domains" to be able to block domains and reject or deny their access...

    when HTTP_REQUEST {
        # match any of the listed hosts (case-insensitive)
        switch [string tolower [HTTP::host]] {
            "www.mmadsgadget.com" -
            "mmadsgadget.com" -
            "www.contextweb.com" -
            "tag.contextweb.com" -
            "contextweb.com" {
                # send a TCP reset
                reject
                # alternatively, redirect somewhere else
                # HTTP::redirect "http://www.somedomainyoufindentertaining.com"
            }
        }
    }

    Would this work to block these? I would rather have the domains in a data group...

    see post below:

  • Would this work too? I set up a DataGroup in the Data Editor under STRING and put in the individual domains in the STRING column, is this OK?

    Here is the iRule I set up:

    when HTTP_REQUEST {
        # lowercase the Host header so a mixed-case value still matches
        if { [class match [string tolower [HTTP::host]] equals bad-domains] } {
            reject
        }
    }

    Also, my VIP does not have an HTTP PROFILE set up, so it rejected the iRule until I turned on 'http' under HTTP PROFILE. I have never used any HTTP PROFILES, so I am concerned that this might cause a latency issue or slow-down by turning this profile on...

    What do I need to set up for just the 'http' profile so that I do not see a performance hit when enabling HTTP Profile: http

    Right now my http is set to: 32768 bytes for Maximum Header Size, Pipelining Enabled, LWS Maximum Columns 80

    Compression: Disabled, URI Compression Not configured, Include Text:
    text/
    application/(xml|x-javascript)
    Preferred Method: Gzip
    Minimum Content Length: 1024 bytes
    Compression Buffer Size: 4096 bytes
    gzip Memory Level: 8 kilobytes
    gzip Window size: 16 kilobytes

    CPU Saver: ENABLED
    CPU Saver High Threshold: 90%
    CPU Saver Low Threshold: 75%

    RAM CACHE: Disabled
    Maximum Cache Size: 100 megabytes
    Maximum Entries: 10000
    Maximum Age: 3600 seconds
    Minimum Object Size: 500 bytes
    Maximum Object Size: 50000 bytes
    URI Caching: Not Configured
    Ignore Headers: ALL
    Insert Age Header: Enabled
    Aging Rate: 9

  • I'd suggest you whitelist rather than blacklist, like so:

    when HTTP_REQUEST {
        if { not [class match [string tolower [HTTP::host]] equals safe_host_names] } {
            drop
            # Stop processing the iRule for this event here
            return
        }
    }
  • I have too many domains/sub-domains to put in the white-list...

    I just want to block the domains that are coming through as Apache Response 302 - they are trying to find an Open Proxy.

    Is there a Performance hit doing it this way?

    when HTTP_REQUEST {
        # lowercase the Host header so a mixed-case value still matches
        if { [class match [string tolower [HTTP::host]] equals bad-domains] } {
            reject
        }
    }

    Also - enabling HTTP Profile - are there performance hits turning these on as well?
  • Should work fine and shouldn't affect performance, I wouldn't have thought. I'd suggest you read up on the HTTP profile, it brings many benefits. Compression is particularly good and works well.
  • Is it OK that I set up the DataGroup 'bad-domains' using the STRING field in the Data Group Editor inside of the F5 iRule Editor?
  • Arie
    Posted By ChadBigIP on 01/31/2013 08:23 AM

    Here is another question:

    In my Apache logs, I am seeing these:

    142.4.117.129 - - [31/Jan/2013:11:12:27 -0500] "GET http://www.mmadsgadget.com/t?id=cbf37bc9-5698-f7c4-0938-5ca431da2d2d&size=300x250 HTTP/1.0" 302 219 "http://www.homesearchcar.com/?p=1252" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)"

    The initial GET should be originating from my server like: GET "/dr1/home/index.html" 200 864 "Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)"

    The initial GET is an EXTERNAL domain...which is BAD. But all responses from Apache are 302 (Redirect).

    I think they are trying to use my server as a Proxy - but they are getting the response 302 from Apache.

    Is there a way to create an iRule to prevent these from even hitting the webservers and DROP or REJECT directly from the iRule?

    Maybe take the domain and put it into the iRule and if it is present, then DROP or REJECT?

    I would like to just block the IP, but as you can see from this URL: http://www.projecthoneypot.org/ip_142.4.117.129 - there are hundreds of IPs that are in the 142.X.XXX.XXX network, that is why if the iRule could look at the GET request domain - maybe this would just deny the requests and take care of the hundreds of IPs that are trying this redirect exploit....

    Thanks.

    Is mmadsgadget.com your domain, or did a 3rd party configure their A-record with your IP-address? If the latter is the case, couldn't you simply create a whitelist for the hosts that are allowed?

    Also, it sounds like there will be a constant feed of new IP-addresses you want to add to the blacklist. If that's the case you may want to tap into a service that provides updates with known bad IP-addresses. Quite possibly this is something the ASM-module can handle.

    Lastly, keep in mind that every time you save a class (Data Group) it becomes temporarily unavailable. Unfortunately, I (and others) haven't gotten much traction with F5 on this issue.

  • No, this domain (mmadsgadget.com) is not my domain at all...I checked their A record and their IP is not pointing to mine at all....

    Do you know of a way to block these GET requests?

  • Arie

    You can check the host (HTTP::host) and block requests that contain it. However, in my experience it's better to create a whitelist and include all domains your organization actually hosts.