Cookie for HTTP Load Balancing
12-11-2012 11:10 PM
I'm getting a lot of bots hitting my site.
Log entries are very similar (except for the source IP):
1.247.32.58 - - [11/Dec/2012:22:57:03 -0800] "POST /?ptrxcz_Ah5qDayLi6TrEbzVtPwSqMtGmJgDa7 HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Can someone give me an example of how I can filter these out based on the "/?ptrxcz..." part? Most of these requests have this string in them.
100 match http cookie testcookie1 cookie-value ptrxcz?
Do I need a secondary name? I don't quite understand the syntax.
Thanks!
Labels: Application Networking
12-12-2012 11:35 AM
class-map type http loadbalance match-all BotMatches
  2 match http cookie secondary ptrxcz.* cookie-value ".*" (look for anything preceding a ? in a url that starts with ptrxcz. If it has an =, match any value that follows it.)
policy-map type loadbalance first-match Policy_80
  class BotMatches
    drop (Send a reset if we match this class)
  class class-default
    serverfarm Servers
policy-map multi-match Vips
  class Vip_80
    loadbalance vip inservice
    loadbalance policy Policy_80
12-12-2012 02:55 PM
Thanks, Christopher. That doesn't seem to work though.
Does it matter that this is a POST request?
Does the secondary name argument (ptrxcz.*) accept regex? This bot seems to generate random strings that begin with "ptrxcz".
Thanks!
12-12-2012 03:00 PM
Can I get a capture file and the configuration you applied?
Chris
12-12-2012 03:33 PM
Here you go:
policy-map type loadbalance first-match abc.ca.prod.http-l7slb
  class abc.ca.http-l7class
    drop
  class class-default
    serverfarm SF_nocms.prod
policy-map multi-match int194-webhosting
  class abc.ca.prod.http
    loadbalance vip inservice
    loadbalance policy abc.ca.prod.http-l7slb
class-map match-all abc.ca.prod.http
  2 match virtual-address 111.111.111.167 tcp eq www
class-map type http loadbalance match-all abc.ca.http-l7class
  10 match http cookie secondary ptrxcz.* cookie-value ".*"
Here's a bigger snippet of what I see in the logs:
187.244.110.209 - - [12/Dec/2012:15:31:35 -0800] "POST /?ptrxcz_uCVmQegPo4Y4Y3YYoCqB0mj5Ptk8ev HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
87.69.255.148 - - [12/Dec/2012:15:31:35 -0800] "POST /?ptrxcz_MMMMMMMMMMMMMNNNNNNNNNNNNNNNNN HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
180.246.22.189 - - [12/Dec/2012:15:31:36 -0800] "POST /?ptrxcz_555555566666666666667777777777 HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
201.137.39.236 - - [12/Dec/2012:15:31:36 -0800] "POST /?ptrxcz_pppqqqqqqqrrrrrrrssssssstttttu HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.127.8.98 - - [12/Dec/2012:15:31:36 -0800] "POST /?ptrxcz_WXXXXXXXYYYYYYYYYYYZZZZZZZZZZZ HTTP/1.1" 403 3985 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
Thanks again.
12-13-2012 03:31 PM
Ok... Apparently, I unknowingly lied.
You can put a wildcard match in the cookie value like this:
ACE4710-ESC1/Admin(config-cmap-http-lb)# match http cookie secondary xyz cookie-value .*
Which will match /index.html?xyz=
However... if you try this:
ACE4710-ESC1/Admin(config-cmap-http-lb)# match http cookie secondary xyz.* cookie-value .*
We will match /index.html?xyz.*=
The .* is a literal. I poked around in the bug database and found CSCsu67264 which was an enhancement request to allow wildcard names for secondary cookies (filed on A3(1.0) code.) It is still in a "New" state, with no updates which means there were not enough customers that required the feature to code it. We are out of luck....
Chris
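
Added example, not part of any post in this thread and not Cisco code: a small Python model of the matching behaviour described in the last reply (secondary cookie name compared literally, value as a regex), run against requests from the log excerpt above, plus a prefix match that lists the source IPs sending `ptrxcz` requests. The function names, the extra benign log line, and the treatment of a bare query token as a name with an empty value are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Three entries copied from the thread's log excerpt plus one constructed benign request.
UA = '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"'
SAMPLE_LOG = [
    '187.244.110.209 - - [12/Dec/2012:15:31:35 -0800] "POST /?ptrxcz_uCVmQegPo4Y4Y3YYoCqB0mj5Ptk8ev HTTP/1.1" 403 3985 "-" ' + UA,
    '87.69.255.148 - - [12/Dec/2012:15:31:35 -0800] "POST /?ptrxcz_MMMMMMMMMMMMMNNNNNNNNNNNNNNNNN HTTP/1.1" 403 3985 "-" ' + UA,
    '180.246.22.189 - - [12/Dec/2012:15:31:36 -0800] "POST /?ptrxcz_555555566666666666667777777777 HTTP/1.1" 403 3985 "-" ' + UA,
    '198.51.100.7 - - [12/Dec/2012:15:31:37 -0800] "GET /index.html?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',  # constructed
]

# client IP, method, request target, status from a combined-format access log line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def query_params(target):
    """Split the query string into (name, value) pairs; a bare token gets value ''."""
    pairs = []
    for part in filter(None, urlsplit(target).query.split("&")):
        name, _, value = part.partition("=")
        pairs.append((name, value))
    return pairs

def literal_name_match(target, name, value_regex):
    """Model of the behaviour reported in the thread: name is literal, value is a regex."""
    return any(n == name and re.fullmatch(value_regex, v) is not None
               for n, v in query_params(target))

def prefix_name_match(target, prefix):
    """What the original poster wanted: any parameter name starting with the prefix."""
    return any(n.startswith(prefix) for n, _ in query_params(target))

def bot_sources(lines, prefix="ptrxcz"):
    """Count requests per source IP whose query carries a name with the given prefix."""
    hits = {}
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and prefix_name_match(m.group(3), prefix):
            hits[m.group(1)] = hits.get(m.group(1), 0) + 1
    return hits

if __name__ == "__main__":
    bot = "/?ptrxcz_uCVmQegPo4Y4Y3YYoCqB0mj5Ptk8ev"
    print("literal 'ptrxcz.*' vs bot request:", literal_name_match(bot, "ptrxcz.*", ".*"))
    print("literal 'xyz' vs /index.html?xyz= :", literal_name_match("/index.html?xyz=", "xyz", ".*"))
    print("sources by prefix:", bot_sources(SAMPLE_LOG))
```

Because the random suffix is part of the parameter name, no literal name can cover these requests; the offline prefix match over the web server log still identifies the sources.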
