Create Datagroup/iRule to use with Brute Force IP List

Hi Chad,

 

 

If you want to do this once, you could convert the input data into the data group format for your LTM version and then merge it into the configuration.

 

 

Data group formats:

 

https://devcentral.f5.com/tech-tips/articles/v11-irules-data-group-updates

 

 

Merge info: https://devcentral.f5.com/wiki/tmsh.BigpipeMappings.ashx

 

tmsh load /sys config file /path/to/file.txt merge

 

 

If you want to update the data group on a regular basis, you could write an iControl script off of LTM or a tmsh script on LTM which downloads the blacklist, converts it to an external file and then imports it into the config. Here's a post on one portion of this:

 

 

https://devcentral.f5.com/community/group/asg/53/aft/2159165/showtab/groupforums2235504

 

 

Aaron

 

 

Aaron

 

 

Aaron

The actual iRule would look like this and would need to be applied to a wildcard Virtual Server;

Create a Data Group (called source-ips below) with just IP the addresses 
of the hosts you’d like to reject

when CLIENT_ACCEPTED {
 if { [class match [IP::addr [IP::client_addr] equals source-ips] } {
   Use drop to silently drop rather than reject which sends a RST
   reject }
}

class match performs a bitwise comparison of the IP address already, so you can remove that part:

when CLIENT_ACCEPTED {
 if { [class match [IP::client_addr] equals source-ips] } {
   Use drop to silently drop rather than reject which sends a RST
   reject }
}

Aaron

Thanks.

I am on version 10.2.0

 

 

When I use the F5 iRule Editor, I go into Tools, and bring up the Data Group Editor.

 

 

There are optons for Address, Integer and String.

 

 

I press Add under Address

 

 

Name: source-ips

 

 

Address: 115.236.99.195

 

 

I do not have to put anything after the / where the other input field is, right?

 

 

Then after I add in some IP's. I press create.

 

 

Where do I put in DROP?

 

 

when CLIENT_ACCEPTED {

 

if { [class match [IP::client_addr] equals source-ips] } {

 

Use drop to silently drop rather than reject which sends a RST

 

reject }

 

}

 

 

Then I can use the iRule Editor and put this rule into each Virtual Server that I choose then, and use the >> arrows to move it

 

to Using this Rule then press OK.

 

 

Right?

 

 

Thanks!

 

 

-Chad

 

Hi Chad,

 

I believe Hoolio means the following

 

 

If you want to drop without sending a RST

 

when CLIENT_ACCEPTED {

 

if { [class match [IP::client_addr] equals source-ips] } {

 

drop

 

}

 

}

 

 

or

 

 

If you want to sent a RST

 

when CLIENT_ACCEPTED {

 

if { [class match [IP::client_addr] equals source-ips] } {

 

reject

 

}

 

}

 

 

I hope this helps

 

=Bhattman=

Thanks. That worked perfectly!

 

Is it better to have REJECT or DROP?

 

 

Which is the best way to handle this when you are out right blocking IP addresses, or if you are using

 

the Quova Database to block a particular country outright? REJECT or DROP?

 

 

Thanks.

 

This calls for the classic 'it depends' answer! Reject and you're telling the source you are rejecting them but you're saving some minimal resources as hopefully the client won't keep trying. With drop, the source doesn't know immediately that you are rejecting their traffic but you'll no doubt see more retries, however, I'm sure they will work it out in short order.

Here is another question:

 

 

In my Apache logs, I am seeing these:

 

 

142.4.117.129 - - [31/Jan/2013:11:12:27 -0500] "GET http://www.mmadsgadget.com/t?id=cbf37bc9-5698-f7c4-0938-5ca431da2d2d&size=300x250 HTTP/1.0" 302 219 "http://www.homesearchcar.com/?p=1252" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)"

 

 

The initial GET should be originating from my server like: GET "/dr1/home/index.html" 200 864 "Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)"

 

 

The initial GET is an EXTERNAL domain...which is BAD. But all responses from Apache are 302 (Redirect).

 

 

I think they are trying to use my server as a Proxy - but they are getting the response 302 from Apache.

 

 

Is there a way to create an iRule to prevent these from even hitting the webservers and DROP or REJECT directly from the iRule?

 

 

Maybe take the domain and put it into the iRule and if it is present, then DROP or REJECT?

 

 

I would like to just block the IP, but as you can see from this URL: http://www.projecthoneypot.org/ip_142.4.117.129 - there

 

are hundreds of IP's that are in the 142.X.XXX.XXX network, that is why if the iRule could look at the GET request domain - maybe

 

this would just deny the requests and take care of the hundreds of IP's that are trying this redirect exploit....

 

 

Thanks.