Here is another question:
In my Apache logs, I am seeing these:
142.4.117.129 - - [31/Jan/2013:11:12:27 -0500] "GET http://www.mmadsgadget.com/t?id=cbf37bc9-5698-f7c4-0938-5ca431da2d2d&size=300x250 HTTP/1.0" 302 219 "http://www.homesearchcar.com/?p=1252" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)"
The initial GET should be originating from my server like: GET "/dr1/home/index.html" 200 864 "Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)"
The initial GET is an EXTERNAL domain...which is BAD. But all responses from Apache are 302 (Redirect).
I think they are trying to use my server as a Proxy - but they are getting the response 302 from Apache.
Is there a way to create an iRule to prevent these from even hitting the webservers and DROP or REJECT directly from the iRule?
Maybe take the domain and put it into the iRule and if it is present, then DROP or REJECT?
I would like to just block the IP, but as you can see from this URL: http://www.projecthoneypot.org/ip_142.4.117.129 - there
are hundreds of IPs that are in the 142.X.XXX.XXX network, that is why if the iRule could look at the GET request domain - maybe
this would just deny the requests and take care of the hundreds of IPs that are trying this redirect exploit....
Thanks.
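
One way to measure the pattern described above before writing any blocking rule, as an added example that is not part of the original post: it scans Apache combined-format log lines and flags requests whose request-target names a host other than the site's own, counted per client IP. `OWN_HOSTS` is a placeholder assumption, and every sample line except the first (quoted from the post) is constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Hostnames this site really serves (placeholder assumption; use your own).
OWN_HOSTS = {"www.example.com", "example.com"}

# Apache combined log: ip ident user [time] "method target proto" status bytes ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) ')
ABSOLUTE_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://")

def foreign_proxy_target(method, target):
    """Return the foreign host named by a proxy-style request-target, else None."""
    if method.upper() == "CONNECT":        # authority-form: host:port
        host = target.rsplit(":", 1)[0].lower()
    elif ABSOLUTE_RE.match(target):        # absolute-form: scheme://host/path
        host = (urlsplit(target).hostname or "").lower()
    else:                                  # origin-form (/path): normal traffic
        return None
    return None if (not host or host in OWN_HOSTS) else host

def scan(lines):
    """Return (hits, per_ip): flagged (ip, host, status) tuples and hits per client."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        host = foreign_proxy_target(m["method"], m["target"]) if m else None
        if host:
            hits.append((m["ip"], host, int(m["status"])))
            per_ip[m["ip"]] += 1
    return hits, per_ip

# First line is the one quoted in the post; the others are constructed samples.
SAMPLE = [
    '142.4.117.129 - - [31/Jan/2013:11:12:27 -0500] "GET http://www.mmadsgadget.com/t?id=cbf37bc9-5698-f7c4-0938-5ca431da2d2d&size=300x250 HTTP/1.0" 302 219 "http://www.homesearchcar.com/?p=1252" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)"',
    '192.0.2.10 - - [31/Jan/2013:11:12:30 -0500] "GET /dr1/home/index.html HTTP/1.1" 200 864 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [31/Jan/2013:11:12:31 -0500] "GET http://www.example.com/ HTTP/1.1" 200 864 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [31/Jan/2013:11:12:32 -0500] "GET /go?u=http://other.example.org/ HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [31/Jan/2013:11:12:33 -0500] "CONNECT mail.example.net:25 HTTP/1.0" 405 230 "-" "-"',
]

if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE)
    for ip, host, status in hits:
        print(f"{ip} asked this server to fetch {host} (status {status})")
    print(per_ip.most_common())
```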