Forum Discussion

Valentine_96813
Nov 15, 2011

Block Domain redirect

I have an instance where someone has created a derogatory subdomain in external DNS and is redirecting it to one of our production VSs. Is there a way to log/block redirects from a specific subdomain in an iRule?


7 Replies

  • George_Watkins_
    Historic F5 Account
    Hi Valentine,

    Something like this should do the trick:

    when HTTP_REQUEST {
      if { [HTTP::host] equals "somebaddomain.com" } {
        # send a TCP reset
        reject

        # alternatively, redirect somewhere else instead of rejecting
        # HTTP::redirect "http://www.somedomainyoufindentertaining.com"
      }
    }

    If there's a whole list of domains you want to apply this functionality to, you can create a datagroup holding the domains and potentially different actions for each of them.

    -George
  • George_Watkins_
    Historic F5 Account
    Hi Valentine,

    With a little further hacking this is what Colin and I came up with. It will allow you to blacklist an entire domain and its subdomains (www.sea.webcluster1.f5.com will always match f5.com). You'll want to create a datagroup containing the list of base domains (f5.com, example.com, etc.). Then add the datagroup name to the top of the iRule in the RULE_INIT section and you should be good to go. Here is the code:

    ltm data-group internal /Common/domain_blacklist {
      records {
        anotherbaddomain.com { }
        somebaddomain.com { }
      }
      type string
    }
    ltm rule /Common/http_domain_blacklist {
      when RULE_INIT {
        set static::domain_blacklist_dg "domain_blacklist"
        set static::debug 1
      }
      when HTTP_REQUEST {
        # grab the base domain (top level plus subdomain) from HTTP::host
        set base_domain [join [lrange [split [HTTP::host] .] end-1 end] .]
        if { [class search $static::domain_blacklist_dg equals $base_domain] } {
          if { $static::debug > 0 } { log local0. "[IP::remote_addr] attempted to access a blacklisted_domain: $base_domain" }
          # send a TCP reset
          reject
        }
      }
    }

    Now if someone resolves somebaddomain.com, www.somebaddomain.com, or www.web1.gtm.somedc.somebaddomain.com and it points at the virtual with this iRule, the browser will receive a TCP reset.

    -George

  • This is another example.

    [root@ve1023:Active] config  b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.65.152:http
       ip protocol tcp
       rules myrule
       profiles {
          http {}
          tcp {}
       }
    }
    [root@ve1023:Active] config  b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
            if {[class match -- [string tolower [HTTP::host]] starts_with domain_blacklist]}{
                    log local0. "[IP::client_addr]:[TCP::client_port]|[HTTP::host]|[HTTP::uri]"
                    reject
            }
    }
    }
    [root@ve1023:Active] config  b class domain_blacklist list
    class domain_blacklist {
       {
          "anotherbaddomain"
          "somebaddomain"
       }
    }
    
    [root@ve1023:Active] config  curl -I http://somebaddomain.abc.com/
    curl: (52) Empty reply from server
    [root@ve1023:Active] config  
    Nov 15 23:30:47 local/tmm info tmm[4766]: Rule myrule : 172.28.65.150:41065|somebaddomain.abc.com|/
    
    [root@ve1023:Active] config  curl -I http://anotherbaddomain.abc.com/
    curl: (52) Empty reply from server
    [root@ve1023:Active] config  
    Nov 15 23:30:53 local/tmm info tmm[4766]: Rule myrule : 172.28.65.150:41067|anotherbaddomain.abc.com|/
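Added editor's example (Python, not iRule code and not from any of the posters): a plain model of George's base-domain check above and nitass's starts_with check, plus a normalized suffix check, using the blacklist values from the posted data groups. It exercises the edge cases worth testing before deploying either rule: a Host header carrying a port, mixed case, a trailing dot, a two-label public suffix, and look-alike names.

```python
# Added example, not code from the thread: a plain-Python model of the two
# HTTP::host checks posted above (George's "last two labels, exact lookup"
# and nitass's "lowercase starts_with"), plus a hardened suffix check, so the
# edge cases can be exercised offline before touching a BIG-IP.
# The blacklist contents are the values from the posted data groups.

BASE_DOMAINS = {"somebaddomain.com", "anotherbaddomain.com"}  # George's data group
PREFIXES = {"somebaddomain", "anotherbaddomain"}              # nitass's class


def base_domain(host: str) -> str:
    """Mirror of: join [lrange [split [HTTP::host] .] end-1 end] ."""
    return ".".join(host.split(".")[-2:])


def george_match(host: str) -> bool:
    """class search ... equals $base_domain: exact, case-sensitive lookup on the
    raw Host value, so a ':port' suffix or a two-label public suffix (co.uk)
    changes what gets compared."""
    return base_domain(host) in BASE_DOMAINS


def nitass_match(host: str) -> bool:
    """class match [string tolower [HTTP::host]] starts_with domain_blacklist."""
    h = host.lower()
    return any(h.startswith(p) for p in PREFIXES)


def normalize_host(host: str) -> str:
    """Lowercase, drop a trailing dot and any :port; keep IPv6 literals intact."""
    h = host.strip().lower()
    if h.startswith("["):                 # [::1]:8080 -> [::1]
        return h[: h.index("]") + 1] if "]" in h else h
    h = h.split(":", 1)[0]                # somebaddomain.com:8080 -> somebaddomain.com
    return h.rstrip(".")


def suffix_match(host: str, blocked=BASE_DOMAINS) -> bool:
    """Hardened check: the normalized host equals a listed domain or ends in
    '.' + domain, so label boundaries hold (notsomebaddomain.com is not hit)
    while every depth of subdomain still is."""
    h = normalize_host(host)
    return any(h == d or h.endswith("." + d) for d in blocked)


if __name__ == "__main__":
    for probe in ("www.web1.gtm.somedc.somebaddomain.com", "SomeBadDomain.com:8443",
                  "somebaddomain.abc.com", "notsomebaddomain.com", "evil.co.uk"):
        print(f"{probe:40} george={george_match(probe)!s:5} "
              f"nitass={nitass_match(probe)!s:5} suffix={suffix_match(probe)}")
```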
    
    
    • Snl

      Hi Nitass,

      Can the iRule example provided block based on the source domain or on the destination?

      I am looking for a similar iRule where I want to block specific source domains, using a data group list, towards the destination domain xyz.com, which is hosted on my F5.

      Example: block the abc.com domain as the source (initiating the request) from accessing the xyz.com domain.

      BR/

      snl

  • Or create a whitelist of acceptable host header values and block everything else. You can use negated logic from Nitass and George's examples to do this.

    Aaron