Forum Discussion
George_Daly_322
Nimbostratus
Jun 18, 2008
Drop HTTP GET request based on host
I'm trying to do a simple iRule where if the HTTP request contains a particular address the connection is dropped. This is to prevent a shared webserver from being DDOS'd due to HTTP GETs to a partic...
hoolio
Cirrostratus
Jun 18, 2008
If you use reject, instead of TCP::release, the TCP connection will be reset.
when HTTP_REQUEST {
   if { [string tolower [HTTP::host]] contains "domain.com" }{
      # Reset the TCP connection
      reject
      # End processing this rule event
      return
   }
}
It might be more secure to positively define which host header values you do want to allow and send a reset for all others. You could do this for a single host as you've done above, or create a list of the allowed host header values in a datagroup (called a class in the bigip.conf).
Single allowed hostname:
when HTTP_REQUEST {
   if { not ([string tolower [HTTP::host]] contains "allowed.domain.com")}{
      # Reset the TCP connection
      reject
      # End processing this rule event
      return
   }
}
Multiple allowed hostnames defined in a datagroup called allowed_hostnames:
when HTTP_REQUEST {
   if { not ([matchclass [string tolower [HTTP::host]] contains $::allowed_hostnames])}{
      # Reset the TCP connection
      reject
      # End processing this rule event
      return
   }
}
Aaron
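A stricter form of the datagroup allowlist above, as an added example that is not part of the original post: it normalises the Host value and compares it exactly, because `contains` also accepts any longer name that merely embeds an allowed one. It assumes the `allowed_hostnames` datagroup holds lower-case hostnames without ports; the log message text and the name `allowed.domain.com.other.example` are made up for illustration.

```tcl
when HTTP_REQUEST {
    # Normalise the Host header before comparing: lower-case it, drop an
    # optional ":port" suffix, then drop a trailing dot ("host.example.com.").
    # Note: this simple split does not handle bracketed IPv6 literals.
    set host [string tolower [HTTP::host]]
    set host [getfield $host ":" 1]
    set host [string trimright $host "."]

    # A request without a Host header yields an empty string, which can
    # never be on the allowlist; the check is spelled out for clarity.
    # "equals" requires the whole value to be a datagroup entry, whereas
    # "contains" would also pass allowed.domain.com.other.example.
    if { $host eq "" || not ([matchclass $host equals $::allowed_hostnames]) } {
        # Record what was refused so rejected traffic can be reviewed later.
        # Assumption: log volume is acceptable; remove this line if the
        # virtual server is under a request flood.
        log local0. "Rejected Host \"[HTTP::host]\" from [IP::client_addr]"
        # Reset the TCP connection
        reject
        # End processing this rule event
        return
    }
}
```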