iRules: IP Reputation based on X-Forwarded-For HTTP Header

Recently I had a customer that wanted to use the IP Reputation Database on the F5 WAF, but the client IP address was being hidden by an upstream proxy. Luckily for us, the client IP address was being sent in the X-Forwarded-For HTTP header, so we were able to home in on that information and apply the IP Reputation logic via iRules.

The example below allows you to extract the client IP address from the X-Forwarded-For HTTP Header, check the IP Reputation Database, and either silently drop the traffic or respond with HTTP content.

when HTTP_REQUEST {
    # LOGGING OFF=0, LOGGING ON=1
    set DEBUG_LEVEL 1
    # SILENT DROP BAD TRAFFIC=0, FRIENDLY DROP BAD TRAFFIC=1
    set BAD_ACTOR 1
    # Make sure XFF is present and the IP matches IPI.
    # Assumes a single X-Forwarded-For header holding one IP address; a comma-separated
    # chain or repeated headers would have to be split before the lookup.
    if { [HTTP::header exists "X-Forwarded-For"] and ([IP::reputation [HTTP::header values "X-Forwarded-For"]] ne "") } {
        set ip_reputation_categories [IP::reputation [HTTP::header values "X-Forwarded-For"]]
        set is_reject 0
        switch -glob $ip_reputation_categories {
            *Spam* { set is_reject 1 }
            *Proxy* { set is_reject 1 }
            *Denial* { set is_reject 1 }
            *Attacks* { set is_reject 1 }
            *Botnets* { set is_reject 1 }
            *Scanners* { set is_reject 1 }
            *Exploits* { set is_reject 1 }
        }
        if { $is_reject } {
            if { $BAD_ACTOR == 1 } {
                if { $DEBUG_LEVEL == 1 } { log local0. "XFF:[HTTP::header values "X-Forwarded-For"] matched IPI Category:$ip_reputation_categories and was rejected with a page." }
                HTTP::respond 403 content "
                <HTML>
                <HEAD>
                <TITLE>Rejected Request</TITLE>
                </HEAD>
                <BODY>The request was rejected. <BR>Attempted access from malicious IP address</BODY>
                </HTML>"
                return
            }
            if { $BAD_ACTOR == 0 } {
                if { $DEBUG_LEVEL == 1 } { log local0. "XFF:[HTTP::header values "X-Forwarded-For"] matched IPI Category:$ip_reputation_categories and was silently dropped." }
                drop
                return
            }
        }
    }
    # XFF was present but the address matched no reject category (or had no IPI entry)
    if { [HTTP::header exists "X-Forwarded-For"] } {
        if { $DEBUG_LEVEL == 1 } { log local0. "XFF:[HTTP::header values "X-Forwarded-For"] did not match any categories" }
        return
    }
    if { $DEBUG_LEVEL == 1 } { log local0. "No XFF sent and nothing was dropped" }
}

You may also download a txt version of the iRule here.

Note: You can replace X-Forwarded-For with any HTTP header that contains the client IP address, e.g. True-Client-IP. Whichever header you use, make sure it is set or overwritten by your own upstream proxy, because a header value the client can supply directly is trivially spoofed and would let a bad actor pick which address gets checked.
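As an added example (not the original post's iRule), the variant below pulls the client address out of a comma-separated X-Forwarded-For chain before calling IP::reputation, rejects header values that are not IPv4 literals, and only trusts the header when the TCP peer is one of your own proxies; the address-type data group name trusted_proxies_dg is an assumption.

```tcl
when HTTP_REQUEST {
    set DEBUG_LEVEL 1
    # X-Forwarded-For is written by whoever sent us the request, so only honour it
    # when the TCP peer is one of our own proxies. "trusted_proxies_dg" is an assumed
    # address-type data group listing those proxies; it is not a built-in name.
    if { ![class match [IP::client_addr] equals trusted_proxies_dg] } {
        if { $DEBUG_LEVEL } { log local0. "Ignoring XFF from untrusted peer [IP::client_addr]" }
        return
    }
    if { ![HTTP::header exists "X-Forwarded-For"] } {
        if { $DEBUG_LEVEL } { log local0. "No XFF sent, nothing checked" }
        return
    }
    # The header reads "client, proxy1, proxy2": the left-most entry is the original
    # client. Join repeated XFF headers, split on commas, and trim the whitespace.
    set xff_chain [join [HTTP::header values "X-Forwarded-For"] ","]
    set client_ip [string trim [lindex [split $xff_chain ","] 0]]
    # Do not hand arbitrary header text to IP::reputation; accept IPv4 literals only
    # (IPv6 clients would need an extended pattern).
    if { ![regexp {^(\d{1,3}\.){3}\d{1,3}$} $client_ip] } {
        if { $DEBUG_LEVEL } { log local0. "XFF value \"$client_ip\" is not an IPv4 address" }
        return
    }
    set categories [IP::reputation $client_ip]
    if { $categories eq "" } {
        if { $DEBUG_LEVEL } { log local0. "XFF:$client_ip has no IPI category" }
        return
    }
    # Same category keywords as the post's switch, checked with glob matches
    set is_reject 0
    foreach bad_word {Spam Proxy Denial Attacks Botnets Scanners Exploits} {
        if { [string match "*${bad_word}*" $categories] } {
            set is_reject 1
            break
        }
    }
    if { $is_reject } {
        if { $DEBUG_LEVEL } { log local0. "XFF:$client_ip via [IP::client_addr] matched IPI Category:$categories and was silently dropped" }
        drop
        return
    }
    if { $DEBUG_LEVEL } { log local0. "XFF:$client_ip category \"$categories\" did not match any reject category" }
}
```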

Regards,

BD

iRules: Dynamic load balancing via URI

The purpose of this iRule is to create a method of load balancing via the URI that is fully dynamic and never requires updating. For example:

The URL https://briandeitch.com/gateway/ should be load balanced to the pool pool_gateway.
The URL https://briandeitch.com/pictures/ should be load balanced to the pool pool_pictures.

Here is the old iRule:

when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::path]] {
        */gateway/ { pool pool_gateway }
        */pictures/ { pool pool_pictures }
    }
}

In the past, every time I had a new URL, I would have to modify the iRule and create the new pool. If I need to add https://briandeitch.com/family/, I would have to modify the iRule:

when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::path]] {
        */gateway/* { pool pool_gateway }
        */pictures/* { pool pool_pictures }
        */family/* { pool pool_family }
    }
}

By using the iRule below, pool selection will happen automatically based on the URI.

when HTTP_REQUEST {
    # Grab the 1st folder after the hostname, e.g. "/gateway/" for /gateway/index.html
    set lbfolder [string tolower [URI::path [HTTP::uri] 1 1]]
    # Strip out the "/" and build the pool name, e.g. pool_gateway
    set lbfolder pool_[string trim $lbfolder "/"]
    # log local0. "testing01 $lbfolder"
    # "pool" throws a Tcl error when the named pool does not exist, which catch absorbs
    if { [catch { pool $lbfolder } exc] } {
        # If a client sends a URI that does not match a pool, send to the default pool or throw a message
        #pool default
        HTTP::respond 200 content "No matching pool for that URI"
        persist cookie insert pr_cookie_insert
    }
}

By using this iRule, I will never have to update the iRule again. Once I add the new pool, I’m done.
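An added variant (not the post's iRule) that validates the folder name before it becomes a pool name and falls back to a default pool when the derived pool does not exist or has no active members, so a crafted URI cannot probe for pool names or take down a URL whose pool is empty; the fallback pool name pool_default is an assumption.

```tcl
when HTTP_REQUEST {
    # First path segment after the hostname, lower-cased: "/gateway/" -> "gateway"
    set folder [string trim [string tolower [URI::path [HTTP::uri] 1 1]] "/"]
    # Only allow the characters a pool name is expected to contain, so an unexpected
    # URI (dots, spaces, percent-encoding) never reaches the pool command
    if { ![regexp {^[a-z0-9_-]+$} $folder] } {
        HTTP::respond 404 content "Not found"
        return
    }
    set lbpool "pool_${folder}"
    # active_members throws a Tcl error for an unknown pool, which catch absorbs;
    # a known pool with zero active members is treated the same way
    if { [catch { set members [active_members $lbpool] }] || $members < 1 } {
        # pool_default is an assumed catch-all pool, not a built-in
        log local0. "No usable pool $lbpool for [HTTP::uri], using pool_default"
        pool pool_default
        return
    }
    pool $lbpool
}
```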

You may also download a txt version of the iRule here.

Regards,

BD

RSAC 2016: The countdown to let down


Expo notes:

Ixia has come out with an L2 IP-based device to solve all of your malware and attack problems! It’s 1U in size, has 10G ports, and fails open (that’s good, right? 😱 ). Through their research, they have a list of known bad IPs; if an attacker comes in, they block it. If a user downloads garbage and the malware phones back home, the SYN is sent but the ACK is blocked. The SE was SUPER excited about this. He was floored when I told him it was a checkbox on the F5 and that we OEM a market leader in threat intelligence.

The big buzzwords throughout were DDoS (almost everyone had one), HSM, Identity, Security Orchestration, blah blah blah. I really had high hopes that I would find something that would help me day to day; sadly, I didn’t. As for super cool tech, I found two companies that really blew my mind.

Illumio: Holy smokes, the demo would make you want to buy it right there on the spot. You can see the demo here; it’s really good. Notice the guy sitting down who is using his mobile phone. I spoke with him after the demo. I asked him if he was changing the behavior of the traffic via his phone, and he confirmed. The tech is based on Linux iptables and a Windows-based equivalent of iptables. The part that I love about this is that you get visibility into application flows with ease.

ProtectWise: The GUI demo was off the chain! It is security software that does transitions on an iPad that I have never seen before. TAPs send traffic to the cloud, where they break it down by every network statistic that you can imagine. Total SOC tool if you ask me. The feature I liked most was the reporting. Imagine a timeline where you can see a vulnerability on Monday and, on Tuesday, if it has been fixed, it actually shows it. Super cool. This software, like Illumio, is eye candy.

Session Notes:

I was there for the opening keynote. YAWN. You can search for it yourself, it’s a waste of time to watch it. As you would imagine, Apple vs FBI was a hot topic.

I did get to sit through the Cryptographers Panel and found it entertaining, but nothing was really jaw-dropping. Some of the stories from Whitfield Diffie (as in DH, Diffie-Hellman) were very compelling. He sounds like a super nice guy and you can’t help but like him.

EDIT: YouTube link to the Cryptographers Panel here.

Next was security topics with Adobe (MeMe Rasmussen), Google (Keith Enright) and Microsoft (Brendon Lynch), and what a bust this was. Nothing interesting at all here. If you were to close your eyes and imagine what they look like, picture this: a middle-aged woman sweating through her pantsuit, an egotistical hipster with his shirt unbuttoned at the top that says “I’m serious but still like to party”, and a door-to-door vacuum salesperson, respectively. Someone from the audience brought up Apple vs FBI. All three companies said they would be filing an amicus brief siding with Apple. They all said that Congress should be working on a law for this, which is a total cop-out IMHO. I understand the elected officials should have our (we the people) best interests at heart, but we all know they don’t. They should side with privacy at all costs.

The last meeting I went into was about car hacking and what is next. To sum it up, they don’t believe cars will be driven into walls; they believe hackers will siphon user data over the car’s LTE connection and grab other info that is transferable across Bluetooth sync.

Unfortunately, prior engagements had me leave RSAC at the end of Day 1, and I wish I could have stayed for the entire conference.