cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1171
Views
0
Helpful
5
Replies
Highlighted
Beginner

Cookie for HTTP Load Balancing

I'm getting a lot of bots hitting my site. 

Log entries are very similar (except for the source IP):
1.247.32.58 - - [11/Dec/2012:22:57:03 -0800] "POST  /?ptrxcz_Ah5qDayLi6TrEbzVtPwSqMtGmJgDa7
HTTP/1.1" 403 3985 "-" "Mozilla/4.0  (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Can someone give me an example of how I can filter these out based the "/?ptrxcz..." part? Most of these requests
have this string in them.

100 match http cookie testcookie1 cookie-value ptrxcz?

Do I need a secondary name? I don't quite understand the syntax.

Thanks!
5 REPLIES 5
Highlighted
Participant

class-map type http loadbalance match-all BotMatches

  2 match http cookie secondary ptrxcz.* cookie-value ".*" (look for anything preceeding a ? in a url that starts with ptrxcz. If it has an =, match any value that follows it.)

policy-map type loadbalance first-match Policy_80

  class BotMatches

    drop (Send a reset if we match this class)

  class class-default

    serverfarm Servers

policy-map multi-match Vips

  class Vip_80

    loadbalance vip inservice

    loadbalance policy Policy_80

Highlighted

Thanks, Christopher. That doesn't seem to work though.

Does it matter that this is a POST request?

Does the secondary name argument (ptrxcz.*) accept regex? This bot seems to generate random strings that being with "ptrxcz".

Thanks!

Highlighted

Can I get a capture file and the configuration you applied?

Chris

Highlighted

Here you go:

policy-map type loadbalance first-match abc.ca.prod.http-l7slb

  class abc.ca.http-l7class

    drop

  class class-default

    serverfarm SF_nocms.prod

policy-map multi-match int194-webhosting

  class abc.ca.prod.http

    loadbalance vip inservice

    loadbalance policy abc.ca.prod.http-l7slb

class-map match-all abc.ca.prod.http

  2 match virtual-address 111.111.111.167 tcp eq www

class-map type http loadbalance match-all abc.ca.http-l7class

  10 match http cookie secondary ptrxcz.* cookie-value ".*"

Here's a bigger snippet of what I see in the logs:

187.244.110.209 - - [12/Dec/2012:15:31:35 -0800] "POST /?ptrxcz_uCVmQegPo4Y4Y3YYoCqB0mj5Ptk8ev HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

87.69.255.148 - - [12/Dec/2012:15:31:35 -0800] "POST /?ptrxcz_MMMMMMMMMMMMMNNNNNNNNNNNNNNNNN HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

180.246.22.189 - - [12/Dec/2012:15:31:36 -0800] "POST /?ptrxcz_555555566666666666667777777777 HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

201.137.39.236 - - [12/Dec/2012:15:31:36 -0800] "POST /?ptrxcz_pppqqqqqqqrrrrrrrssssssstttttu HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

203.127.8.98 - - [12/Dec/2012:15:31:36 -0800] "POST /?ptrxcz_WXXXXXXXYYYYYYYYYYYZZZZZZZZZZZ HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Thanks again.

Highlighted

Ok... Apparently, I unknowingly lied.

You can put a wildcard match in the cookie value like this:

ACE4710-ESC1/Admin(config-cmap-http-lb)# match http cookie secondary xyz cookie-value .*

Which will match  /index.html?xyz=

However... if you try this:

ACE4710-ESC1/Admin(config-cmap-http-lb)# match http cookie secondary xyz.* cookie-value .*

We will match /index.html?xyz.*=

The .* is a litteral.  I poked around in the bug database and found CSCsu67264 which was an enhancement request to allow wildcard names for secondary cookies (filed on A3(1.0) code.) It is still in a "New" state, with no updates which means there were not enough customers that required the feature to code it.  We are out of luck....

Chris