
Forum Discussion

jba3126 (Cirrostratus rank), Sep 19, 2017

iRule that triggers a capture of the HTTP request before rejecting

I'm using the following iRule to block an attack coming from an IP that is behind a proxy; however, we can still see the original in the XFF header. So far this iRule is working, but I would like to trigger a capture to better build a policy in ASM to block. Is there a way to trigger a method to capture and log the full request when we get a match and send the 410?

Note: Credit to hoolio: https://devcentral.f5.com/questions/using-x-forwarded-for-to-block-clients

when HTTP_REQUEST {
    # Only inspect requests that arrived through a proxy that set X-Forwarded-For
    if { [HTTP::header "X-Forwarded-For"] ne "" } {
        log local0. "XFF: [HTTP::header "X-Forwarded-For"]"
        # Strip spaces and walk the comma-separated list of addresses
        foreach xff [split [string map [list " " ""] [HTTP::header "X-Forwarded-For"]] ","] {
            log local0. "Current XFF element: $xff"
            # Reject the request as soon as one element matches the blocked address
            if { [IP::addr $xff equals 1.2.3.4] } {
                log local0. "Sending 410 for $xff"
                HTTP::respond 410
                break
            }
        }
    }
}

2 Replies

  • Why not let the request go through to ASM, block it there where you can log all illegal requests, then intercept the blocking response and re-write it to a 410?


  • Hi,

    You can log the output of the command:

    [HTTP::request]

    This command returns the whole request!
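As an added example (not part of the original question or either reply), here is one way to combine the XFF check from the question with the `[HTTP::request]` logging suggested in the second reply: capture the request first, then send the 410. The blocked address is a constructed placeholder, and the per-line logging works around the fact that a single `log local0.` message is truncated by syslog, so a long request would otherwise be cut off.

```tcl
# Added example, not the original poster's iRule.
# Assumes a standard HTTP virtual server with this iRule attached.

when RULE_INIT {
    # Constructed placeholder: replace with the address to block,
    # or look it up in a data group instead of hard-coding it.
    set static::blocked_ip "1.2.3.4"
}

when HTTP_REQUEST {
    set xff_hdr [HTTP::header "X-Forwarded-For"]
    if { $xff_hdr eq "" } {
        return
    }

    # Strip spaces and walk the comma-separated list of addresses.
    foreach xff [split [string map [list " " ""] $xff_hdr] ","] {

        # IP::addr raises a Tcl error on a non-IP element (e.g. a hostname
        # or garbage a client injected), which would abort the whole event.
        if { [catch { IP::addr $xff equals $static::blocked_ip } matched] } {
            log local0. "Skipping unparsable XFF element: $xff"
            continue
        }

        if { $matched } {
            # Capture the full request (request line and headers) BEFORE
            # rejecting it, so it can be used to build the ASM policy.
            log local0. "Blocked XFF $xff (TCP peer [IP::client_addr]); request follows:"

            # split treats "\r\n" as a set of separators, so filter the empty
            # strings it produces between CR and LF.
            foreach line [split [HTTP::request] "\r\n"] {
                if { $line ne "" } {
                    log local0. "  $line"
                }
            }

            HTTP::respond 410 content "Gone" "Content-Type" "text/plain"
            return
        }
    }
}
```

Two practical notes: `HTTP::request` in `HTTP_REQUEST` returns the request line and headers, not the body (collect the payload separately if the policy needs it), and X-Forwarded-For is client-supplied, so a matching element proves nothing about the real source unless it is the one appended by your own trusted proxy; blocking on the whole list is a convenience for this kind of capture, not an authentication control.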