For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Vince_Beltz_959's avatar
Vince_Beltz_959
Icon for Nimbostratus rankNimbostratus
Oct 22, 2009

Drop Doesn't

I've implemented the following iRule to filter out certain user agents from connecting to our servers. Testing with Firefox and the Modify Headers add-on, it seems to work - I get a disconnected messa...
application delivery
dev
devops
iRules
Vince_Beltz_959's avatar
Vince_Beltz_959
Icon for Nimbostratus rankNimbostratus
Oct 22, 2009
Tried changing the drop to TCP::close, and asked the server guys what they saw - here's the response they sent back (with URLs and IPs redacted). Is it just not possible to keep *any* connection request from making it across to the inside servers?

 

---

 

I set the user agent to “torrent” in Modify headers tool and accessed http://x.tld as as a test url.

 

Below are the request and response as seen in wireshark.

 

Request to VIP:

 

GET /as HTTP/1.1

 

Host: x.x.x.x

 

User-Agent: torrent

 

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

 

Accept-Language: en-us,en;q=0.5

 

Accept-Encoding: gzip,deflate

 

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

 

Keep-Alive: 300

 

Connection: keep-alive

 

Response from VIP

 

HTTP/1.0 302 Found

 

Location: http://x.tld

 

Server: BigIP

 

Connection: Keep-Alive

 

Content-Length: 0

 

So even if the TCP connection is closed and there is no body, the header “Location” and status code 302 makes the browser do a request to

 

http://x.tld

 

The redirect statement is still getting executed.