Mirai-Strikeback - iRule to kill Mirai IoT bot processes from your F5

Problem this snippet solves:

In September and October of 2016, a new botnet appeared comprised of DVRs, closed-circuit TVs and other devices using the BusyBox embedded OS. The bot code, however, contains a flaw that can result in a bot segfault when a specially-crafted Location header is sent back to it.

How to use this snippet:

At the time of this writing, no known fingerprints for the Mirai botnet exist. However, Mirai only attacks a single URI at a time, so the iRule watches for this and sends back the specially-crafted location header only if a client requests the same URI ten times in ten seconds. This is a crude detection mechanism and might interfere with legitimate clients (such as an API poll). So use at your discretion.

Code :

when RULE_INIT {
        set static::mseconds 10000
        set static::maxdupreq 10
        set dup_req 0
        set last_req ""
    when HTTP_REQUEST { 
        if { $last_req equals "" } {
            set last_req [HTTP::uri]
            set dup_req 0
        elseif { $last_req == [HTTP::uri] } {
            incr dup_req
            after $static::mseconds { if {$dup_req > 0} {incr dup_req -1} } 
            if { $dup_req > $static::maxdupreq } {
                log "Killing suspected Mirai at [IP::client_addr]"
                TCP::respond "HTTP/1.0\r\n200 OK\r\nLocation: http\r\n\r\n"
        else {
            set dup_req 0
Published Oct 31, 2016
Version 1.0

Was this article helpful?

1 Comment

  • Hi David,


    Is it possible to edit this irule for all url not only a url?i think than this will be work likes web scrabing in asm .