cancel
Showing results for 
Search instead for 
Did you mean: 
David_Holmes_12
Historic F5 Account

Problem this snippet solves:

In September and October of 2016, a new botnet appeared comprised of DVRs, closed-circuit TVs and other devices using the BusyBox embedded OS. The bot code, however, contains a flaw that can result in a bot segfault when a specially-crafted Location header is sent back to it.

How to use this snippet:

At the time of this writing, no known fingerprints for the Mirai botnet exist. However, Mirai only attacks a single URI at a time, so the iRule watches for this and sends back the specially-crafted location header only if a client requests the same URI ten times in ten seconds. This is a crude detection mechanism and might interfere with legitimate clients (such as an API poll). So use at your discretion.

Code :

when RULE_INIT {
        set static::mseconds 10000
        set static::maxdupreq 10
    }
    when CLIENT_ACCEPTED {
        set dup_req 0
        set last_req ""
    }
    when HTTP_REQUEST { 
        if { $last_req equals "" } {
            set last_req [HTTP::uri]
            set dup_req 0
        }
        elseif { $last_req == [HTTP::uri] } {
            incr dup_req
            after $static::mseconds { if {$dup_req > 0} {incr dup_req -1} } 
            if { $dup_req > $static::maxdupreq } {
                log "Killing suspected Mirai at [IP::client_addr]"
                TCP::respond "HTTP/1.0\r\n200 OK\r\nLocation: http\r\n\r\n"
                TCP::close
            }
        }
        else {
            set dup_req 0
        }
    }
Comments

Hi David,

 

Is it possible to edit this irule for all url not only a url?i think than this will be work likes web scrabing in asm .

 

Thanks,

 

Version history
Last update:
‎31-Oct-2016 11:32
Updated by:
Contributors