Forum Discussion

Patti_G_72768
Oct 31, 2013

Need help with iRule to detect LOIC/HOIC client

Hi all, the latest rule I'm working on is supposed to detect a LOIC/HOIC client. The rule is supposed to look for the following in the uri query string (not case sensitive): 1) "msg" 2) "id" 3) random 6 character value

 

Here is what I have so far:

    when HTTP_REQUEST {
      if {([string tolower [HTTP::uri]] contains "id") and ([string tolower [HTTP::uri]] contains "msg") and ([string tolower [HTTP::uri]] matches_regex{[a-zA-Z0-9$-_.+!*'(),~:/?[]@&;=]})}
      {
        log local0. "Detected LOIC/HOIC client request based on query string."
        reject
      }
    }

Would someone be able to take a look at the iRule and let me know what I need to change or what I have wrong please? I'm also having a problem with setting it to a 6 character value.

Thanks!
2 Replies

  • I'd reduce it to this:

    when HTTP_REQUEST {
     set requri [string tolower [HTTP::query]]
     if { ($requri contains "id") && ($requri contains "msg") } {
      log local0. "Detected LOIC/HOIC client request based on query string."
      reject
     }
    }
    

    I'm not quite sure about the regex, is there any value in searching for a random six character value? Wouldn't any part of a valid query match? If so, where is it in the query string?

  • You also mentioned in another post that you were cutting over to ASM and writing these iRules to emulate signatures in your current product. I would venture two things then:

    1. While it may not be called "LOIC" in the ASM signature database, I'm certain that the effects of this exploit are detected.

    2. It might make more sense to create custom ASM signatures instead of individual iRules.

       http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-3-0/asm_apx_attack_sig_syntax.html?sr=26601489
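On the six-character part of the question, an added example (not code posted by anyone in this thread): a bracket expression with no bound matches a single character, so the length has to be stated with `{6}` and the pattern pinned to parameter boundaries. The thread does not say where the random value sits, so this sketch assumes it is the whole value of the `id` parameter and is alphanumeric; adjust the pattern to the real signature.

```tcl
when HTTP_REQUEST {
    # Query string only, lower-cased so the match is case-insensitive.
    set q [string tolower [HTTP::query]]

    # Assumption (not stated in the thread): the random token is the complete
    # value of "id" and consists of exactly six alphanumeric characters.
    # (?:^|&) and (?:&|$) anchor the match to one whole name=value pair, so
    # "valid=abc123" or a seven-character value does not match.
    set has_id  [regexp {(?:^|&)id=[a-z0-9]{6}(?:&|$)} $q]

    # "msg" must be a parameter name, not a substring of some other token.
    set has_msg [regexp {(?:^|&)msg=} $q]

    if { $has_id && $has_msg } {
        log local0. "Detected LOIC/HOIC client request based on query string from [IP::client_addr]"
        reject
    }
}
```

Compared with a plain `contains "id"`, the anchored form avoids rejecting legitimate requests whose query merely includes the letters "id" inside another parameter name or value.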