Forum Discussion
madi_56757
Aug 25, 2011 Nimbostratus
Apache Killer
Hello all,
I need help with the following rule.
We need an iRule to avoid an exploit on Apache.
Apache syntax
RewriteEngine On
RewriteCond %{REQUEST_METHOD}...
Michael_Yates
Sep 01, 2011 Nimbostratus
An iRule that we decided to go with had a few minor alterations.
We decided not to drop the request, just in case this was a valid request (a far-out possibility, I know). Instead, we decided to strip the range off, serve the request, and alter the logging to add the URL Host value into the logging request (in case you have to use the same defensive iRule on multiple Virtual Servers on the same BIG-IP, you will know, or be able to track down, which one got "attacked").
Thank you for the research and iRule, dlg and smp. Came in handy 🙂
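when HTTP_REQUEST {
    # 40 or more commas in the Range header means more than 40 ranges were requested
    if { [HTTP::header exists "Range"] and ([HTTP::header "Range"] matches_regex {(,.*?){40,}}) } {
        # Log the client and the Host header so the targeted virtual server can be identified
        log local0. " Range attack CVE-2011-3192 detected from [IP::client_addr] on Host [HTTP::host]. [llength [split [HTTP::header "Range"] ","]] ranges requested."
        # Strip the header instead of dropping, so the request is served without ranges
        HTTP::header remove Range
        return
    }
}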
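An offline model of the rule above for unit-testing its threshold, as an added example that is not part of the original post or of F5's code. `inspect_range` and `apply_rule` are hypothetical names, the sample headers are constructed, and the model goes beyond the iRule by also counting overlapping and malformed range specs; it assumes `matches_regex` performs an unanchored search, so the pattern is true exactly when the value contains 40 or more commas.

```python
import re

THRESHOLD = 40  # rule fires at 40+ commas, i.e. 41 or more range specs
SPEC = re.compile(r"^(\d*)-(\d*)$")  # first-last, first-, or -suffix

# Constructed sample values (not captured traffic).
NORMAL = "bytes=0-499, 500-999"
MANY = "bytes=" + ",".join("%d-%d" % (10 * i, 10 * i + 9) for i in range(41))

def inspect_range(value):
    """Summarise a Range value: spec count, overlaps, and the rule's decision."""
    unit, _, body = value.partition("=")
    specs = [s.strip() for s in body.split(",") if s.strip()]
    spans, malformed = [], 0
    for s in specs:
        m = SPEC.match(s)
        if not m or m.groups() == ("", ""):
            malformed += 1
        elif m.group(1):
            # "first-" with no end runs to the end of the entity
            last = int(m.group(2)) if m.group(2) else float("inf")
            spans.append((int(m.group(1)), last))
    spans.sort()
    overlaps, reach = 0, -1
    for first, last in spans:
        if first <= reach:
            overlaps += 1
        reach = max(reach, last)
    # The iRule's regex is true exactly when the value holds 40+ commas; they are
    # counted directly here instead of running the pattern in Python's re engine.
    return {"unit": unit.strip(), "ranges": len(specs), "overlapping": overlaps,
            "malformed": malformed, "strip": value.count(",") >= THRESHOLD}

def apply_rule(headers, client_ip):
    """Model of the iRule: when it fires, drop Range and return a log line."""
    name = next((k for k in headers if k.lower() == "range"), None)
    info = inspect_range(headers[name]) if name else None
    if not info or not info["strip"]:
        return dict(headers), None
    log = ("Range attack CVE-2011-3192 detected from %s on Host %s. "
           "%d ranges requested, %d overlapping."
           % (client_ip, headers.get("Host", "-"), info["ranges"],
              info["overlapping"]))
    return {k: v for k, v in headers.items() if k != name}, log

if __name__ == "__main__":
    for value in (NORMAL, MANY):
        print(apply_rule({"Host": "www.example.com", "Range": value}, "192.0.2.10"))
```

A value with exactly 40 ranges (39 commas) passes through untouched, which is the boundary to check before changing the `{40,}` quantifier in the rule.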