Forum Discussion
ChadBigIP_14663
Nimbostratus
Feb 01, 2013
"GET http://www.mmadsgadget.com/ - 302 Redirects in Apache Logs
Take a look at the below APACHE LOG:
142.4.127.130 - - [01/Feb/2013:02:22:31 -0500] "GET http://www.mmadsgadget.com/t?id=58f19df1-19aa-85e4-89f0-41dc9ffe2e4d&size=300x250 HTTP/1.0" 302 219 "http...
hoolio
Cirrostratus
Feb 05, 2013
It looks like the malicious clients are using an absolute URL in the URI so that's why validating [HTTP::host] isn't working to block the requests. Here's something you can try where you first look for an absolute URL in the URI and then check the Host header value.
    when HTTP_REQUEST {

        log local0. "[IP::client_addr]:[TCP::client_port]: New HTTP [HTTP::method] request to [HTTP::host], [HTTP::uri]"

        # Check if the URI is absolute and http:// or https://
        switch -glob [string tolower [HTTP::uri]] {
            "http://*" -
            "https://*" {
                # Parse the host value from the URI
                set host [string tolower [URI::host [HTTP::uri]]]
                log local0. "[IP::client_addr]:[TCP::client_port]: Parsed $host from URI [HTTP::uri]"
            }
            default {
                # Relative URI: fall back to the Host header
                set host [string tolower [HTTP::host]]
            }
        }
        # Check if the host value has a port
        if {$host contains ":"}{
            # Save the port before stripping it so the log line below can reference it
            set port [getfield $host ":" 2]
            set host [getfield $host ":" 1]
            log local0. "[IP::client_addr]:[TCP::client_port]: Parsed \$host:\$port: $host:$port"
        }
        # Check for invalid host values
        if {[class match $host equals bad_hosts_dg]}{
            # Send a block response
            HTTP::respond 403 content {blocked!}
            # Or drop the connection instead (use one or the other)
            # drop
        }
    }
Aaron
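The same check can be run over the Apache access log to see which clients are sending absolute-URI requests for hosts the server does not serve. This is an added example, not code from the thread; `SERVED_HOSTS`, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hosts this server legitimately serves (assumed value for the example).
SERVED_HOSTS = {"www.example.com"}

# Client IP, request line and status from an Apache common/combined log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) '
)

def absolute_target_host(target):
    """Return the lowercased host of an absolute-form request target, else None."""
    if not target.lower().startswith(("http://", "https://")):
        return None
    # .hostname strips any port and lowercases; empty host becomes "".
    return (urlsplit(target).hostname or "").lower()

def find_foreign_absolute_requests(lines, served=SERVED_HOSTS):
    """Return (client_ip, host, status) for absolute-URI requests to hosts we don't serve."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        host = absolute_target_host(m.group("target"))
        if host is not None and host not in served:
            findings.append((m.group("ip"), host, int(m.group("status"))))
    return findings

# Constructed sample lines, modelled on the log entry quoted in the thread.
SAMPLE = [
    '142.4.127.130 - - [01/Feb/2013:02:22:31 -0500] "GET http://www.mmadsgadget.com/t?size=300x250 HTTP/1.0" 302 219 "-" "-"',
    '203.0.113.7 - - [01/Feb/2013:02:22:40 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.9 - - [01/Feb/2013:02:23:02 -0500] "GET HTTP://WWW.EXAMPLE.COM:80/about HTTP/1.1" 200 812 "-" "-"',
    '198.51.100.4 - - [01/Feb/2013:02:23:10 -0500] "GET https://ads.example.net/px HTTP/1.1" 404 199 "-" "-"',
]

if __name__ == "__main__":
    for ip, host, status in find_foreign_absolute_requests(SAMPLE):
        print(f"{ip} requested foreign host {host} -> {status}")
```

Any status other than an error for a flagged line (such as the 302 in the original post) means the server answered a request for a host it does not own.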
