ChadBigIP_14663
Feb 01, 2013

"GET http://www.mmadsgadget.com/ - 302 Redirects in Apache Logs

Take a look at the below APACHE LOG:

142.4.127.130 - - [01/Feb/2013:02:22:31 -0500] "GET http://www.mmadsgadget.com/t?id=58f19df1-19aa-85e4-89f0-41dc9ffe2e4d&size=300x250 HTTP/1.0" 302 219 "http://www.adeentertainment.com/?p=143" "Mozilla/4.7 [en] (Win98; I)"

I get thousands and thousands of these every day.

Look at the initial GET

I tried this iRule to stop these requests and put mmadsgadget.com & adeentertainment.com in the bad-domains DataGroup and it did nothing......

when HTTP_REQUEST {
    if { [class match [HTTP::host] equals bad-domains] } {
        reject
    }
}

Since http://mmadsgadget.com is in the GET already, I think it is being overlooked by the iRule.

The initial GET should be from content on my web server.

These Apache Logs are all 302 Redirects.

I do not have an Open Proxy on Apache, I do not even have mod_proxy.so installed or in my httpd.conf

Any help with writing an iRule to DROP or REJECT these would be most helpful.

Thanks!

-Chad

16 Replies

  • OK, thanks. So we need more than just the Apache logs to understand this better. Can you do a tcpdump on the actual BIG-IP? I suspect that will be rather more informative. Alternatively, you could add some logging of the HTTP::host in the iRule to understand better what the F5 is 'seeing'.
  • OK.

    When I enter in the iRules from the GUI they are accepted.

    But if I enter the iRules from the F5 iRule Editor I get the following error:

    Exception caught in LocalLB::urn:iControl:LocalLB/VirtualServer::add_rule()
    Exception: Common::OperationFailed
    primary_error_code : 17237537 (0x01070621)
    secondary_error_code: 0
    error_string : 01070621:3 Rule priorites for virtual server (vx_MainVIP) must be unique.

    Here is the simple iRule to block IPs from a DataGroup:

    when CLIENT_ACCEPTED priority 10 {
        if { [class match [IP::client_addr] equals blockredirects] } {
            reject
        }
    }
  • Are there other iRules assigned to the VS that also use the CLIENT_ACCEPTED event with priority 10?
  • It looks like the malicious clients are using an absolute URL in the URI so that's why validating [HTTP::host] isn't working to block the requests. Here's something you can try where you first look for an absolute URL in the URI and then check the Host header value.

    
    when HTTP_REQUEST {
        log local0. "[IP::client_addr]:[TCP::client_port]: New HTTP [HTTP::method] request to [HTTP::host], [HTTP::uri]"

        # Check if the URI is absolute and http:// or https://
        switch -glob [string tolower [HTTP::uri]] {
            "http://*" -
            "https://*" {
                # Parse the host value from the URI
                set host [string tolower [URI::host [HTTP::uri]]]
                log local0. "[IP::client_addr]:[TCP::client_port]: Parsed $host from URI [HTTP::uri]"
            }
            default {
                set host [string tolower [HTTP::host]]
            }
        }

        # Check if the host value has a port and strip it
        if {$host contains ":"} {
            set host [getfield $host ":" 1]
            log local0. "[IP::client_addr]:[TCP::client_port]: Parsed host without port: $host"
        }

        # Check for invalid host values
        if {[class match $host equals bad_hosts_dg]} {
            # Send a block response
            HTTP::respond 403 content {blocked!}

            # Or drop the connection instead of responding
            # drop
        }
    }
    

    Aaron
  • As for the error when using the iRule Editor to add the iRule:

    When you use the iRule editor, it's easier to remove any existing iRules from the VS before trying to add a new iRule. If you need to use multiple iRules to the same virtual server, you can use the GUI.

    Theoretically, you should be able to specify different iRule or event priorities and use the iRule Editor to manage multiple iRules on the same virtual server. But in practice, this generally doesn't work.

    Aaron
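
Added example (not part of the thread or anyone's post): a log triage script for the pattern discussed above, where the request line carries an absolute URL naming a host the server does not serve. It reads Apache combined-format lines and counts such requests per client IP and per target host. `OWN_HOSTS` and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Hostnames this server legitimately serves (assumption: placeholder values).
OWN_HOSTS = {"www.example.com", "example.com"}

# Combined log format: ip ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

def foreign_absolute_host(line):
    """Return (client_ip, host) when the request target is an absolute
    http(s) URI naming a host outside OWN_HOSTS, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    if not target.lower().startswith(("http://", "https://")):
        return None  # ordinary origin-form request such as "GET /index.html"
    try:
        host = urlsplit(target).hostname  # lowercased, port removed
    except ValueError:
        return None  # malformed authority, e.g. a broken IPv6 literal
    if not host or host in OWN_HOSTS:
        return None
    return m.group("ip"), host

def summarize(lines):
    """Count foreign absolute-URI requests per client IP and per host."""
    by_ip, by_host = Counter(), Counter()
    for line in lines:
        hit = foreign_absolute_host(line)
        if hit:
            by_ip[hit[0]] += 1
            by_host[hit[1]] += 1
    return by_ip, by_host

# First entry is the log line quoted in the thread; the others are constructed.
SAMPLE = [
    '142.4.127.130 - - [01/Feb/2013:02:22:31 -0500] "GET http://www.mmadsgadget.com/t?id=58f19df1-19aa-85e4-89f0-41dc9ffe2e4d&size=300x250 HTTP/1.0" 302 219 "http://www.adeentertainment.com/?p=143" "Mozilla/4.7 [en] (Win98; I)"',
    '192.0.2.10 - - [01/Feb/2013:02:22:40 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "constructed-agent"',
    '192.0.2.10 - - [01/Feb/2013:02:22:41 -0500] "GET http://www.example.com/about HTTP/1.1" 200 812 "-" "constructed-agent"',
    '198.51.100.7 - - [01/Feb/2013:02:23:02 -0500] "GET HTTP://WWW.MMADSGADGET.COM:80/t?id=x HTTP/1.0" 302 219 "-" "constructed-agent"',
]

if __name__ == "__main__":
    ips, hosts = summarize(SAMPLE)
    print("clients:", ips.most_common())
    print("hosts:", hosts.most_common())
```

The hosts it reports are candidates for the `bad_hosts_dg` data group used in the iRule above, and the client counts show whether a few sources account for most of the traffic.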