Hi f5rocks,
this is an awesome question and outlines a huge discrepancy between the HTTP/1.1 specification (see RFC 7230 Section 5.4, last paragraph) and how software vendors are implementing their web servers.
Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing
https://tools.ietf.org/html/rfc7230#page-44
Host of Troubles: Multiple Host Ambiguities in HTTP Implementations
https://www.icir.org/vern/papers/host-of-troubles.ccs16.pdf
To counter attacks using multiple HTTP-Headers (according to RFC 7230) you may take a look at the iRule below.
Black-Listing request with multiple HOST-Headers
when HTTP_REQUEST {
    # [HTTP::header values "Host"] returns a Tcl list with one element per
    # Host header line; RFC 7230 5.4 requires a 400 for more than one.
    if { [llength [HTTP::header values "Host"]] > 1 } then {
        HTTP::respond 400 content "Bad Request" "Content-Type" "text/html"
    } else {
        # Allow the request...
    }
}
And to counter all remaining issues related to HOST-Headers use white-listing of the combined HTTP-Host header values.
White-Listing based on combined HTTP-Host header values
when HTTP_REQUEST {
    # The list of all Host values is compared as one lower-cased string, so a
    # request with two Host headers ("www.domain.de evil") never matches and
    # is rejected together with unknown or malformed hosts.
    if { [string tolower [HTTP::header values "Host"]] eq "www.domain.de" } then {
        # Allow the request...
    } else {
        HTTP::respond 400 content "Bad Request" "Content-Type" "text/html"
    }
}
Cheers, Kai
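As an added example that is not part of Kai's answer or an F5 iRule, the same RFC 7230 Section 5.4 Host rules (missing, duplicated, or malformed Host, plus an allow list like the second iRule) written as a standalone Python checker over raw request bytes; ALLOWED_HOSTS, check_host and the request samples are constructed assumptions.

```python
import re

# Allow list of lower-cased virtual hosts; "www.domain.de" is the constructed
# sample from the post, the port form is added so an explicit :443 also passes.
ALLOWED_HOSTS = {"www.domain.de", "www.domain.de:443"}

# Host = uri-host [ ":" port ] (RFC 7230 5.4), restricted to reg-name / IPv4
# characters; IPv6 literals such as "[::1]" are deliberately not accepted here.
HOST_VALUE = re.compile(r"^[A-Za-z0-9.\-_~%!$&'()*+,;=]*(:[0-9]{1,5})?$")


def check_host(raw):
    """Apply the RFC 7230 Host rules to one raw HTTP/1.1 request head (bytes).

    Returns (400, reason) where the RFC says a server MUST reject, and
    (200, host) when exactly one well-formed Host matches the allow list.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *field_lines = head.split("\r\n")
    hosts = []
    for line in field_lines:
        if line[:1] in (" ", "\t"):
            # obs-fold continuation line: RFC 7230 3.2.4 allows rejecting it
            # with 400, and folding is one way a second Host value can hide.
            return 400, "obsolete line folding in header section"
        name, sep, value = line.partition(":")
        if not sep:
            return 400, "malformed header field"
        if name != name.rstrip():
            # whitespace between field-name and colon MUST be rejected (3.2.4)
            return 400, "whitespace before colon"
        if name.lower() == "host":
            hosts.append(value.strip())
    if not hosts:
        return 400, "missing Host header"
    if len(hosts) > 1:
        return 400, "multiple Host headers"
    host = hosts[0].lower()
    if not HOST_VALUE.match(host):
        return 400, "invalid Host field-value"
    # absolute-form request-target: its authority is the effective authority
    # (RFC 7230 5.5); a Host that disagrees is the classic ambiguity, so reject.
    target = request_line.split(" ")[1] if request_line.count(" ") >= 2 else ""
    m = re.match(r"^https?://([^/?#]*)", target, re.IGNORECASE)
    if m and m.group(1).lower() != host:
        return 400, "Host disagrees with absolute-form request-target"
    if host not in ALLOWED_HOSTS:
        return 400, "Host not in allow list"
    return 200, host
```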