Forum Discussion
iRule help needed - Need to meet three conditions
Patti, can I assume this is related to post: https://devcentral.f5.com/questions/irule-syntax-need-help-with-conditional-statementanswer82657?
I wasn't sure where to go with that one based on the stated requirements, but it sounds like you've been able to define what the HULK HTTP DoS filters are doing.
In any case, here's what that iRule might look like:
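when HTTP_REQUEST {
    # Reject when all three conditions hold: no Accept header,
    # Connection: close, and a Keep-Alive value that scans as an integer
    if { not ( [HTTP::header exists Accept] ) and ( [string tolower [HTTP::header Connection]] equals "close" ) and ( [scan [HTTP::header Keep-Alive] %d data] > 0 ) } {
        log local0. "Invalid attempt"
        reject
    }
}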
Might I also add that, based on what I've seen from the following:
http://blog.spiderlabs.com/2012/05/hulk-vs-thor-application-dos-smackdown.html
You can also detect Hulk based on the ordering of the HTTP headers:
Accept-Encoding
Host
Keep-Alive
User-Agent
Accept-Charset
Connection
Referer
Cache-Control
So then the following might actually prove a more comprehensive filter:
when HTTP_REQUEST {
    # Header order to compare against, position by position
    set header_list [list "Accept-Encoding" "Host" "Keep-Alive" "User-Agent" "Accept-Charset" "Connection" "Referer" "Cache-Control"]
    set match 1
    for { set i 0 } { $i < [llength $header_list] } { incr i } {
        if { not ( [lindex $header_list $i] equals [lindex [HTTP::header names] $i] ) } {
            # Any position that differs clears the match flag
            set match 0
        }
    }
    if { $match == 1 } {
        log local0. "match"
    }
}
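An offline check of both filters from the post above, added here as an example and not part of the original post: Python that mirrors the two iRules over constructed raw requests so the logic can be tested before it goes on a virtual server. Function names and the sample requests are assumptions of this example; header names are compared case-insensitively, and the Keep-Alive test mirrors `scan ... %d` by checking that the value begins with an integer.

```python
import re

# Header order listed in the post above.
HULK_ORDER = ["Accept-Encoding", "Host", "Keep-Alive", "User-Agent",
              "Accept-Charset", "Connection", "Referer", "Cache-Control"]

def parse_headers(raw):
    """Return [(name, value), ...] in wire order from a raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs

def three_condition_match(pairs):
    """No Accept header, Connection: close, Keep-Alive begins with an integer."""
    hdr = {n.lower(): v for n, v in pairs}   # exact names: Accept-Encoding is not Accept
    return ("accept" not in hdr
            and hdr.get("connection", "").lower() == "close"
            and re.match(r"\s*[+-]?\d+", hdr.get("keep-alive", "")) is not None)

def order_match(pairs, expected=HULK_ORDER):
    """True when the first len(expected) header names follow the expected order."""
    names = [n.lower() for n, _ in pairs[:len(expected)]]
    return names == [e.lower() for e in expected]

def classify(raw):
    pairs = parse_headers(raw)
    return {"three_condition": three_condition_match(pairs),
            "header_order": order_match(pairs)}

def build(request_line, headers):
    """Assemble a raw request from constructed sample data."""
    return request_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n"

# Constructed samples (not captured traffic).
HULK_LIKE = build("GET /?q=1 HTTP/1.1", [
    ("Accept-Encoding", "identity"), ("Host", "www.example.test"),
    ("Keep-Alive", "115"), ("User-Agent", "Mozilla/5.0 (constructed sample)"),
    ("Accept-Charset", "ISO-8859-1,utf-8;q=0.7,*;q=0.7"), ("Connection", "close"),
    ("Referer", "http://www.example.test/?r=2"), ("Cache-Control", "no-cache")])
BROWSER_LIKE = build("GET / HTTP/1.1", [
    ("Host", "www.example.test"), ("User-Agent", "Mozilla/5.0 (constructed sample)"),
    ("Accept", "text/html"), ("Accept-Encoding", "gzip"), ("Connection", "keep-alive")])

if __name__ == "__main__":
    for label, raw in (("hulk-like", HULK_LIKE), ("browser-like", BROWSER_LIKE)):
        print(label, classify(raw))
```

Like the iRule loop, `order_match` only compares the leading positions, so a request that carries extra headers after the eighth still matches.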