Forum Discussion
"GET http://www.mmadsgadget.com/ - 302 Redirects in Apache Logs
Take a look at the below APACHE LOG:
142.4.127.130 - - [01/Feb/2013:02:22:31 -0500] "GET http://www.mmadsgadget.com/t?id=58f19df1-19aa-85e4-89f0-41dc9ffe2e4d&size=300x250 HTTP/1.0" 302 219 "http://www.adeentertainment.com/?p=143" "Mozilla/4.7 [en] (Win98; I)"
I get thousands and thousands of these every day.
Look at the initial GET
I tried this iRule to stop these requests, and put mmadsgadget.com & adeentertainment.com in the bad-domains DataGroup, and it did nothing...
when HTTP_REQUEST {
  if { [class match [HTTP::host] equals bad-domains] } {
    reject
  }
}
Since http://mmadsgadget.com is in the GET already, I think it is being overlooked by the iRule.
The initial GET should be from content on my web server.
These Apache Logs are all 302 Redirects.
I do not have an open proxy on Apache; I do not even have mod_proxy.so installed or in my httpd.conf.
Any help with writing an iRule to DROP or REJECT these would be most helpful.
Thanks!
-Chad
16 Replies
- What_Lies_Bene1
Cirrostratus
Please change 'bad-domains' to bad_domains and rename/recreate the DG; hyphens should not be used in DG names.
You also need to include the 'www.' in the DG.
If that still doesn't solve the issue, let us know.
- ChadBigIP_14663
Nimbostratus
I have also tried this iRule without using a DG, and it still does not block the domains:
when HTTP_REQUEST {
  if {[HTTP::host] equals "homesearchcar.com"}{
    if {[HTTP::host] equals "globe7.com" }{
      if {[HTTP::host] equals "www.globe7.com" }{
        if {[HTTP::host] equals "mmadsgadget.com" }{
          if {[HTTP::host] equals "www.mmadsgadget.com" }{
            if {[HTTP::host] equals "www.adserverplus.com" }{
              if {[HTTP::host] equals "adserverplus.com" }{
                if {[HTTP::host] equals "xchecker.net" }{
                  if {[HTTP::host] equals "www.xchecker.net" }{
                    if {[HTTP::host] equals "ad.adorika.com" }{
                      if {[HTTP::host] equals "www.adorika.com" }{
                        if {[HTTP::host] equals "adorika.com" }{
                          reject
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}

I'm a little unclear on what you are trying to do. How is it that all those domains are routing to your servers? Are you saying that someone has updated DNS entries for other domains to point to your VIP? From the look of the iRule, you want to blacklist certain host headers coming in. The datagroup approach should work for you, not sure why it isn't. I can say why the if approach isn't working. You are nesting all the ifs inside each other, so that will equate to a big ANDed list: if ( (host equals "one") AND (host equals "two") AND (host equals "three") ...). That will never succeed because it can't be both. You'll either have to include logical ORs between the comparisons, use a switch statement, or move to a whitelist approach where you list only the hosts you do want in. That way you aren't chasing new values down the road.
Here's a couple of ideas.
if { ([HTTP::host] equals "homesearchcar.com") || ([HTTP::host] equals "globe7.com") || .... } {
  reject
}
The switch would look like this:
switch -glob [HTTP::host] {
  "homesearchcar.com" -
  "globe7.com" -
  "www.globe7.com" -
  "*mmadsgadget.com" {
    reject
  }
}
Or you could do a whitelist where you only allow in good hosts:
switch -glob [HTTP::host] {
  "goodhost1.com" -
  "goodhost2.com" -
  "goodhost3.com" {
    # known-good host: no action, the request is allowed through
  }
  default {
    reject
  }
}
Hope this helps...
- ChadBigIP_14663
Nimbostratus
Yes, the initial GET is coming from an external domain. It should be pulling up from my local filesystem for content:
Here is a snippet from my Apache Logs:
142.4.127.130 - - [01/Feb/2013:02:22:31 -0500] "GET http://www.mmadsgadget.com/t?id=58f19df1-19aa-85e4-89f0-41dc9ffe2e4d&size=300x250 HTTP/1.0" 302 219 "http://www.adeentertainment.com/?p=143" "Mozilla/4.7 [en] (Win98; I)"
I need that initial GET rogue domain (mmadsgadget.com) to be REJECTED.
- ChadBigIP_14663
Nimbostratus
I tried this one:
I went into the iRule editor and copied this in:
Begin iRule:
------------------------------------------------
switch -glob [HTTP::host] {
  "homesearchcar.com" -
  "globe7.com" -
  "www.globe7.com" -
  "*.xchecker.net" -
  "*.adserverplus.com" -
  "ad.adorika.com" -
  "*.adorika.com" -
  "www.mmadsgadget.com" -
  "*mmadsgadget.com" {
    reject
  }
}
-----------------------------------------------
END iRULE
line 1: [command is not valid in the current scope] [switch -glob [HTTP::host] {
line 1: [command is not valid in the current scope] [HTTP::host]
I am running version 10.2.0
I am getting many, many concurrent Apache connections from these requests.

You'll need to wrap that with a when HTTP_REQUEST event.
when HTTP_REQUEST {
  switch -glob [HTTP::host] {
    ...
  }
}
- ChadBigIP_14663
Nimbostratus
when HTTP_REQUEST {
  switch -glob [HTTP::host] {
    "homesearchcar.com" -
    "*globe7.com" -
    "www.globe7.com" -
    "*.xchecker.net" -
    "*.adserverplus.com" -
    "ad.adorika.com" -
    "*.adorika.com" -
    "www.mmadsgadget.com" -
    "*mmadsgadget.com" {
      reject
    }
  }
}
I put that exact iRule in, and yet in my Apache logs I still see:
142.4.127.133 - - [02/Feb/2013:10:52:32 -0500] "GET http://www.mmadsgadget.com/t?id=58f19df1-19aa-85e4-89f0-41dc9ffe2e4d&size=300x250 HTTP/1.0" 302 219 "http://www.adeentertainment.com/?tag=celebrity-summer" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; Hotbar 2.0)"
142.4.117.74 - - [02/Feb/2013:10:52:53 -0500] "GET http://www.mmadsgadget.com/t?id=cbf37bc9-5698-f7c4-0938-5ca431da2d2d&size=300x250 HTTP/1.0" 302 219 "http://www.homesearchcar.com/?p=573" "Mozilla/4.61 (Macintosh; I; PPC)"
142.4.127.53 - - [02/Feb/2013:10:53:09 -0500] "GET http://ad.globe7.com/st?ad_type=iframe&ad_size=300x250&section=3925068&pub_url=${PUB_URL} HTTP/1.0" 302 219 "http://www.financemessage.com/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Alexa Toolbar)"
142.4.127.133 - - [02/Feb/2013:10:53:12 -0500] "GET http://www.mmadsgadget.com/t?id=58f19df1-19aa-85e4-89f0-41dc9ffe2e4d&size=300x250 HTTP/1.0" 302 219 "http://www.adeentertainment.com/?tag=naughty-but-nice-with-rob-shuter" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 95; Alexa Toolbar)"
192.74.234.53 - - [02/Feb/2013:10:54:23 -0500] "GET http://ad.globe7.com/st?ad_type=iframe&ad_size=300x250&section=3596356&pub_url=${PUB_URL} HTTP/1.0" 302 219 "http://www.today-entertainment.com/?p=17" "Mozilla/4.76 (Macintosh; U; PPC)"
142.4.117.73 - - [02/Feb/2013:10:55:25 -0500] "GET http://www.mmadsgadget.com/t?id=f6c8695c-9d1c-51e4-fd33-881ee3a7ee58&size=160x600 HTTP/1.0" 302 219 "http://www.homesearchcar.com/?cat=1864" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
192.74.234.155 - - [02/Feb/2013:10:55:50 -0500] "GET http://ad.adorika.com/st?ad_type=ad&ad_size=300x250&section=3551001&pub_url=${PUB_URL} HTTP/1.0" 302 219 "http://www.movegameface.com/index.php?option=com_yoflash&view=game&id=highway-traffic&Itemid=55" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)"
No matter what I do, even if I use this iRule:
when CLIENT_ACCEPTED priority 10 {
  if { [class match [IP::client_addr] equals blockredirects] } {
    reject
  }
}
and the blockredirects Datagroup has many /27 and /19 networks in it:
142.4.96.0/255.255.224.0
142.4.117.73
142.4.117.75
142.4.127.133
142.4.127.131
142.4.127.53
etc. etc...
They still keep coming through in my Apache server logs.
Is there any way to stop these from showing up in Apache? It seems that my LTM-3400 running 10.2.0 is just ignoring all iRules for these domains and IP addresses.
Is there anything I need to add to the HTTP profile (http)?
Is there a better iRule to use for these GET requests?
- ChadBigIP_14663
Nimbostratus
I just found this URL that explains exactly what is happening to my webserver:
http://serverfault.com/questions/414001/robot-hammering-apache2
Does anyone know of an iRule to mitigate these robots?
- What_Lies_Bene1
Cirrostratus
OK, forgive me, but are you actually applying these iRules to the Virtual Server?
Can you add some log statements to the iRules to confirm they are being executed, something like this in an appropriate place: log local0. "iRule executing"
I think the focus on the Apache logs is leading us astray, or something is being spoofed in the requests. Can you do a tcpdump on the actual BIG-IP? I suspect that will be rather more informative.
- ChadBigIP_14663
Nimbostratus
They are being applied.
I have blocked my personal IP and it works 100% every time.
I go in and apply this iRule and nothing happens.
These requests just keep coming through.
Have you ever seen anything like this, and if so what is the best way to mitigate it.
This URL below exactly describes what is happening to me:
http://serverfault.com/questions/414001/robot-hammering-apache2
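Added example, not from the thread or from F5: a small Python analysis of Apache log lines like the ones quoted above. It takes the domains from the switch statement in the thread, flags request lines whose target is absolute-form (the host sits in the request line itself, which is the case Chad suspects a Host-header match is missing), and summarizes hits by target host, client address and status; the block list is applied as an exact-or-subdomain match rather than the thread's glob, and one ordinary origin-form log line is constructed for contrast.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache combined log format: client ident user [time] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Domains from the thread's switch statement; the thread's "*mmadsgadget.com" glob is applied
# here as an exact-or-subdomain match, which is stricter than the glob.
BLOCKED_DOMAINS = ("mmadsgadget.com", "globe7.com", "adorika.com", "adserverplus.com", "xchecker.net")

def target_host(target: str):
    """Host from an absolute-form target ("GET http://host/path"); None for origin-form ("GET /path")."""
    if "://" not in target:
        return None
    return (urlsplit(target).hostname or "").lower() or None

def is_blocked(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def analyze(log_text: str) -> dict:
    """Flag absolute-form requests whose authority is a blocked domain and summarize them."""
    hits, unparsed = [], 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        host = target_host(m["target"])
        if host and is_blocked(host):
            hits.append((m["client"], host, m["status"]))
    return {
        "hits": len(hits),
        "unparsed": unparsed,
        "by_host": Counter(h for _, h, _ in hits),
        "by_client": Counter(c for c, _, _ in hits),
        "by_status": Counter(s for _, _, s in hits),
    }

# Three lines copied from the thread plus one constructed origin-form request for contrast.
SAMPLE_LOG = """\
142.4.127.133 - - [02/Feb/2013:10:52:32 -0500] "GET http://www.mmadsgadget.com/t?id=58f19df1-19aa-85e4-89f0-41dc9ffe2e4d&size=300x250 HTTP/1.0" 302 219 "http://www.adeentertainment.com/?tag=celebrity-summer" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; Hotbar 2.0)"
142.4.117.74 - - [02/Feb/2013:10:52:53 -0500] "GET http://www.mmadsgadget.com/t?id=cbf37bc9-5698-f7c4-0938-5ca431da2d2d&size=300x250 HTTP/1.0" 302 219 "http://www.homesearchcar.com/?p=573" "Mozilla/4.61 (Macintosh; I; PPC)"
142.4.127.53 - - [02/Feb/2013:10:53:09 -0500] "GET http://ad.globe7.com/st?ad_type=iframe&ad_size=300x250&section=3925068&pub_url=${PUB_URL} HTTP/1.0" 302 219 "http://www.financemessage.com/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Alexa Toolbar)"
203.0.113.5 - - [02/Feb/2013:10:56:00 -0500] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (constructed)"
"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Running it over a real access log shows whether the rogue requests are really absolute-form and which client addresses send them, which is the kind of evidence the tcpdump suggestion above is after.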
