Forum Discussion
"GET http://www.mmadsgadget.com/" - 302 Redirects in Apache Logs
Take a look at the below APACHE LOG:
142.4.127.130 - - [01/Feb/2013:02:22:31 -0500] "GET http://www.mmadsgadget.com/t?id=58f19df1-19aa-85e4-89f0-41dc9ffe2e4d&size=300x250 HTTP/1.0" 302 219 "http://www.adeentertainment.com/?p=143" "Mozilla/4.7 [en] (Win98; I)"
I get thousands and thousands of these every day.
Look at the initial GET
I tried this iRule to stop these requests and put mmadsgadget.com & adeentertainment.com
in the bad-domains DataGroup and it did nothing......
    when HTTP_REQUEST {
        if { [class match [HTTP::host] equals bad-domains] } {
            reject
        }
    }
Since http://mmadsgadget.com is in the GET already, I think it is being overlooked by the iRule.
The initial GET should be from content on my web server.
These Apache Logs are all 302 Redirects.
I do not have an Open Proxy on Apache, I do not even have mod_proxy.so installed or in my httpd.conf
Any help with writing an iRule to DROP or REJECT these would be most helpful.
Thanks!
-Chad
16 Replies
- What_Lies_Bene1
Cirrostratus
OK, thanks. So we need more than just the Apache logs to understand this better. Can you do a tcpdump on the actual BIG-IP? I suspect that will be rather more informative. Alternatively, you could add some logging of the HTTP::host in the iRule to understand better what the F5 is 'seeing'.
- ChadBigIP_14663
Nimbostratus
OK.
When I enter in the iRules from the GUI they are accepted.
But if I enter the iRules from the F5 iRule Editor I get the following error:
Exception caught in LocalLB::urn:iControl:LocalLB/VirtualServer::add_rule()
Exception: Common::OperationFailed
primary_error_code : 17237537 (0x01070621)
secondary_error_code: 0
error_string : 01070621:3 Rule priorites for virtual server (vx_MainVIP) must be unique.
Here is the simple iRule to block IPs from a DataGroup:
    when CLIENT_ACCEPTED priority 10 {
        if { [class match [IP::client_addr] equals blockredirects] } {
            reject
        }
    }
- What_Lies_Bene1
Cirrostratus
Are there other iRules assigned to the VS that also use the CLIENT_ACCEPTED event with priority 10?
- hoolio
Cirrostratus
It looks like the malicious clients are using an absolute URL in the URI so that's why validating [HTTP::host] isn't working to block the requests. Here's something you can try where you first look for an absolute URL in the URI and then check the Host header value.

    when HTTP_REQUEST {
        log local0. "[IP::client_addr]:[TCP::client_port]: New HTTP [HTTP::method] request to [HTTP::host], [HTTP::uri]"

        # Check if the URI is absolute and http:// or https://
        switch -glob [string tolower [HTTP::uri]] {
            "http://*" -
            "https://*" {
                # Parse the host value from the URI
                set host [string tolower [URI::host [HTTP::uri]]]
                log local0. "[IP::client_addr]:[TCP::client_port]: Parsed $host from URI [HTTP::uri]"
            }
            default {
                set host [string tolower [HTTP::host]]
            }
        }

        # Check if host header has a port
        if {$host contains ":"} {
            # Read the port before $host is overwritten with the bare host name
            set port [getfield $host ":" 2]
            set host [getfield $host ":" 1]
            log local0. "[IP::client_addr]:[TCP::client_port]: Parsed \$host:\$port: $host:$port"
        }

        # Check for invalid host values
        if {[class match $host equals bad_hosts_dg]} {
            # Send a block response
            HTTP::respond 403 content {blocked!}
            # Or drop the connection
            # drop
        }
    }

Aaron
- hoolio
Cirrostratus
As for the error when using the iRule Editor to add the iRule:
When you use the iRule editor, it's easier to remove any existing iRules from the VS before trying to add a new iRule. If you need to use multiple iRules on the same virtual server, you can use the GUI.
Theoretically, you should be able to specify different iRule or event priorities and use the iRule Editor to manage multiple iRules on the same virtual server. But in practice, this generally doesn't work.
Aaron
- What_Lies_Bene1
Cirrostratus
Chad. Did you resolve your issue?
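
To size the problem before writing data groups, the absolute-URL pattern discussed in this thread can be pulled straight out of the Apache access log. The script below is an added example, not code posted by anyone in the thread; `OWN_HOSTS`, the function names and every sample line except the first (which is the entry quoted in the original post) are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: hostnames this site really serves; replace with your own.
OWN_HOSTS = {"www.example.org", "example.org"}

# Apache combined format: ip ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} ')

def foreign_absolute_target(line, own_hosts=OWN_HOSTS):
    """Return (client_ip, target_host) when the request line carries an
    absolute http(s) URI for a host we do not serve, else None."""
    m = LOG_RE.match(line)
    parts = m.group("request").split() if m else []
    if len(parts) < 2:
        return None
    target = parts[1]
    if not target.lower().startswith(("http://", "https://")):
        return None  # origin-form ("/path"): no host in the request line
    try:
        host = urlsplit(target).hostname or ""  # lowercased, port stripped
    except ValueError:
        host = ""  # unparsable authority: still not one of ours
    return None if host in own_hosts else (m.group("ip"), host)

def summarize(lines, own_hosts=OWN_HOSTS):
    """Count offending requests per client IP and per requested host."""
    clients, hosts = Counter(), Counter()
    for line in lines:
        hit = foreign_absolute_target(line, own_hosts)
        if hit:
            clients[hit[0]] += 1
            hosts[hit[1]] += 1
    return clients, hosts

# First line is the entry quoted in the thread; the rest are constructed.
SAMPLE = [
    '142.4.127.130 - - [01/Feb/2013:02:22:31 -0500] "GET http://www.mmadsgadget.com/t?id=58f19df1-19aa-85e4-89f0-41dc9ffe2e4d&size=300x250 HTTP/1.0" 302 219 "http://www.adeentertainment.com/?p=143" "Mozilla/4.7 [en] (Win98; I)"',
    '192.0.2.10 - - [01/Feb/2013:02:23:00 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Feb/2013:02:23:05 -0500] "GET HTTP://WWW.Example.ORG:80/about HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '142.4.127.130 - - [01/Feb/2013:02:23:09 -0500] "GET http://www.mmadsgadget.com:80/t?size=728x90 HTTP/1.0" 302 219 "-" "Mozilla/4.7 [en] (Win98; I)"',
]

if __name__ == "__main__":
    by_client, by_host = summarize(SAMPLE)
    print(by_client.most_common())  # candidates for the client-IP data group
    print(by_host.most_common())    # candidates for the host data group
```

The per-client counts correspond to the address data group used with the CLIENT_ACCEPTED rule, and the per-host counts to the host data group checked in the HTTP_REQUEST rule.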
