Forum Discussion

Nimbostratus

Oct 29, 2013

Need to convert a Pandora rule to an iRule

Hi again, I need to convert a rule that is looking to block Pandora/Dirt Jumper attack in ASM. The rule is looking to block the Pandora GET flood attack. So it is looking for the GET method, HTTP/1.0...

Employee

Oct 29, 2013

Is this in lieu of ASM?

when HTTP_REQUEST {
    if { ( [HTTP::method] equals "GET" ) and ( [HTTP::version] equals "1.0" ) and not ( [HTTP::header exists Accept] ) and ( [HTTP::header User-Agent] contains "Mozilla" ) and ( [HTTP::header exists Referer] ) } {
        log local0. "Possible Pandora/Dirt Jumper type 0 1 2 attack."
        reject
    }
}

The following also suggests a randomized Referer header:

http://www.prolexic.com/kcresources/prolexic-threat-advisories/Prolexic-Threat-Advisory-PANDORA_08.08.12/threat-advisory-pandora_i.html

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)