The iRule we decided to go with had a few minor alterations.
We decided not to drop the request, just in case this was a valid request (a far-out possibility, I know). Instead, we decided to strip the Range header off and serve the request, and to alter the logging to add the URL Host value to the log message (in case you have to use the same defensive iRule on multiple Virtual Servers on the same BIG-IP, you will know, or be able to track down, which one got "attacked").
Thank you for the research and the iRule, dlg and smp. It came in handy 🙂
when HTTP_REQUEST {
    # Only act when a Range header is present and it carries 40 or more
    # comma-separated range specs (the CVE-2011-3192 request pattern).
    if { [HTTP::header exists "Range"] and ([HTTP::header "Range"] matches_regex {(,.*?){40,}}) } {
        # Log the client, the Host header (so the Virtual Server can be told
        # apart when this iRule is shared) and the number of ranges requested.
        # split takes the string and the split characters as two arguments.
        log local0. "Range attack CVE-2011-3192 detected from [IP::client_addr] on Host [HTTP::host]. [llength [split [HTTP::header "Range"] ","]] ranges requested."
        # Strip the header and let the request through without a Range.
        HTTP::header remove Range
        return
    }
}
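To see what the iRule above actually does to a request, here is the same logic in Python, run offline over constructed headers. This is an added example, not the poster's iRule and not F5 code: the regex and the comma-count mirror the iRule's matches_regex and split/llength, and the Range header with 100 byte ranges is constructed here to stand in for a CVE-2011-3192 request. The stricter parse_byte_ranges helper is an extra that the iRule does not have; it is there so you can compare a naive comma count against a parse that understands the bytes=a-b,c-,-d syntax.

```python
import re
from typing import Dict, List, Optional, Tuple

RANGE_THRESHOLD = 40  # same cut-off as the iRule's {40,}


def irule_regex_matches(range_value: str, threshold: int = RANGE_THRESHOLD) -> bool:
    """Mirror of the iRule test: the header value contains `threshold` or more commas.

    matches_regex in an iRule is a search, not a full-string match, so re.search
    is the faithful equivalent of `matches_regex {(,.*?){40,}}`."""
    pattern = re.compile(r"(,.*?){%d,}" % threshold)
    return pattern.search(range_value) is not None


def count_ranges(range_value: str) -> int:
    """Count comma-separated pieces the way `llength [split $value ","]` does."""
    return len(range_value.split(","))


def parse_byte_ranges(range_value: str) -> Optional[List[Tuple[Optional[int], Optional[int]]]]:
    """Stricter parse of 'bytes=a-b,c-,-d' into (start, end) pairs.

    Returns None when the unit is not bytes or any spec is malformed, which a
    real origin would reject anyway; None for start or end means 'open'."""
    unit, sep, spec = range_value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    ranges: List[Tuple[Optional[int], Optional[int]]] = []
    for part in spec.split(","):
        m = re.fullmatch(r"(\d*)-(\d*)", part.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None  # e.g. "bytes=-" or "bytes=abc"
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        ranges.append((start, end))
    return ranges


def handle_request(headers: Dict[str, str], client_ip: str) -> Tuple[Dict[str, str], Optional[str]]:
    """Apply the iRule's decision: return (headers to forward, log line or None).

    A matching Range header is removed (not dropped with the request) and a log
    line is built with the client address, the Host header and the range count."""
    range_value = headers.get("Range")
    if range_value is None or not irule_regex_matches(range_value):
        return headers, None
    log_line = (
        f"Range attack CVE-2011-3192 detected from {client_ip} on Host "
        f"{headers.get('Host', '')}. {count_ranges(range_value)} ranges requested."
    )
    forwarded = {name: value for name, value in headers.items() if name != "Range"}
    return forwarded, log_line


# Constructed sample requests (not captured traffic).
LEGIT_HEADERS = {"Host": "www.example.com", "Range": "bytes=0-499,500-999"}
ATTACK_RANGE = "bytes=" + ",".join(f"5-{i}" for i in range(100))  # 100 overlapping specs
ATTACK_HEADERS = {"Host": "www.example.com", "Range": ATTACK_RANGE}

if __name__ == "__main__":
    for label, hdrs in (("legit", LEGIT_HEADERS), ("attack", ATTACK_HEADERS)):
        forwarded, log_line = handle_request(hdrs, "198.51.100.7")
        print(label, "->", "Range kept" if "Range" in forwarded else "Range stripped")
        if log_line:
            print("  log:", log_line)
```

Note that the iRule's count is a comma count plus one, so a header like bytes=0-499 counts as one range and bytes=0-,0- as two; parse_byte_ranges is only there to show what a strict parse of the same header looks like before you decide whether a comma count is enough for your own logging.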