David Holmes from F5 is back with one bad-ass iRule to combat Mirai. After reviewing the source code for Mirai and a post by Scott Tenaglia, David put together an iRule that causes Mirai to do a bad memory move and crash. Check out his post here:
Lastly, the iRule in question:
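when RULE_INIT {
    # Each counted duplicate expires after this many milliseconds
    set static::mseconds 10000
    # Duplicates allowed per connection before the rule responds
    set static::maxdupreq 10
}
when CLIENT_ACCEPTED {
    # Per-connection state
    set dup_req 0
    set last_req ""
}
when HTTP_REQUEST {
    if { $last_req equals "" } {
        # First request on this connection: remember its URI
        set last_req [HTTP::uri]
        set dup_req 0
    } elseif { $last_req == [HTTP::uri] } {
        # Same URI again: count it and schedule the count to decay
        incr dup_req
        after $static::mseconds { if {$dup_req > 0} {incr dup_req -1} }
        if { $dup_req > $static::maxdupreq } {
            log "Killing suspected Mirai at [IP::client_addr]"
            # Reply intended to trigger the crash in Mirai, sent as raw TCP
            TCP::respond "HTTP/1.0\r\n200 OK\r\nLocation: http\r\n\r\n"
            TCP::close
        }
    } else {
        # Different URI: reset the counter
        set dup_req 0
    }
}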
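To see how the static::mseconds and static::maxdupreq thresholds treat ordinary clients before deploying the rule, the per-connection counter can be replayed offline. The Python model below is an added example, not part of David Holmes's iRule or the original post; the names first_kill and repeat and the request timelines are constructed, and it assumes that expired timers run before the next request is handled.

```python
from collections import deque

MSECONDS = 10000   # static::mseconds in the iRule
MAXDUPREQ = 10     # static::maxdupreq in the iRule

def first_kill(requests, mseconds=MSECONDS, maxdupreq=MAXDUPREQ):
    """Replay (time_ms, uri) pairs for one TCP connection, in time order.

    Returns the time at which the rule would respond and close the
    connection, or None if the threshold is never exceeded.
    """
    last_req, dup_req = "", 0
    timers = deque()              # due times of pending "after" decrements
    for now, uri in requests:
        # Fire every scheduled decrement that is due (assumed ordering).
        while timers and timers[0] <= now:
            timers.popleft()
            if dup_req > 0:
                dup_req -= 1
        if last_req == "":
            # The rule records only the first URI seen on the connection.
            last_req, dup_req = uri, 0
        elif uri == last_req:
            dup_req += 1
            timers.append(now + mseconds)
            if dup_req > maxdupreq:
                return now
        else:
            dup_req = 0           # a different URI resets the counter
    return None

def repeat(uri, interval_ms, count):
    """Constructed traffic: the same URI requested at a fixed interval."""
    return [(i * interval_ms, uri) for i in range(count)]

# Constructed timelines, not captured traffic.
FLOOD = repeat("/", 20, 100)         # same URI every 20 ms
POLLER = repeat("/status", 2000, 60) # keep-alive client polling every 2 s
BROWSE = [(i * 50, u) for i, u in enumerate(["/", "/a.css", "/", "/b.js"] * 10)]

if __name__ == "__main__":
    for name, traffic in (("flood", FLOOD), ("poller", POLLER), ("browse", BROWSE)):
        print(name, first_kill(traffic))
```

With the default thresholds the 2-second poller settles at about five counted duplicates, so a legitimate client would need to repeat its first URI considerably faster than that on a single connection to be hit.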
Best Regards,
BD