Manual Chapter: Example: Mitigating shellshock
Applies To:
BIG-IP LTM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP PEM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP ASM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
Example: Mitigating shellshock
You can create a local traffic policy to mitigate shellshock. In shellshock, an Internet service misuses bash shell functionality to process requests that execute arbitrary commands, potentially giving an attacker unauthorized access. This example policy examines requests for the uncommon pattern "() {" in the URI, to minimize the possibility of false-positive matches.

Examples
Creating a policy to mitigate a shellshock attack: video example
A shellshock attack refers to a class of exploits that misuse the bash shell through a specifically crafted URL. You can associate a BIG-IP local traffic policy with a virtual server to mitigate a shellshock attack, where the policy examines requests for a pattern of "() {" in the URI. Watch the following video for an example of creating a local traffic policy and associating it with a virtual server.

You can also visit our DevCentral YouTube channel to see this video. Use any of these ways:
- Click this URL:.
- Copy and paste the above URL into your browser window.
- Use your browser to search for this video using the title F5: Creating a local traffic policy to mitigate a shellshock attack.
Mitigating shellshock: tmsh example
This topic provides a tmsh command to list the configured settings for a Mitigating Shellshock policy. During this type of attack, a class of exploits misuse the bash shell through a specifically crafted URL. This topic also provides a tmsh command to list the configured virtual server settings.

(tmos)# list ltm policy MitigatingShellshock
ltm policy MitigatingShellshock {
    controls { forwarding }
    description "This policy mitigates shellshock."
    last-modified 2016-03-02:11:46:00
    requires { http }
    rules {
        StopShellshock {
            actions {
                0 {
                    log
                    write
                    facility local0
                    message "tcl:Shellshock detected from [IP::client_addr], blocked"
                    priority info
                }
                1 {
                    forward
                    reset
                }
            }
            conditions {
                0 {
                    http-uri
                    query string
                    contains
                    values { "() {" }
                }
            }
        }
    }
    status published
    strategy first-match
}

(tmos)# list ltm virtual HTTP-VS4
ltm virtual HTTP-VS4 {
    destination 10.10.0.51:http
    ip-protocol tcp
    mask 255.255.255.255
    policies {
        MitigatingShellshock { }
    }
    profiles {
        http { }
        tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 5
}
Mitigating shellshock: iRules example
This topic provides an example of iRules code that is equivalent to a policy to mitigate shellshock, where the policy examines requests for a pattern of "() {" in the URI.

when HTTP_REQUEST {
    # Glob pattern for the literal "() {" sequence; the brace is escaped for Tcl.
    set pattern "*() \{*"
    if { [string match $pattern [HTTP::uri]] } {
        log local0. "Detected CVE-2014-6271 attack from '[IP::client_addr]' in URI '[HTTP::uri]'"
        reject
    } else {
        # The URI is clean; also inspect every value of every request header.
        foreach header_name [HTTP::header names] {
            foreach header_value [HTTP::header values $header_name] {
                if { [string match $pattern $header_value] } {
                    log local0. "Detected CVE-2014-6271 attack from '[IP::client_addr]' in HTTP Header '$header_name'"
                    reject
                    break
                }
            }
        }
    }
}

An alternative iRule that matches the same pattern against the whole request instead of the URI and headers separately:

when HTTP_REQUEST {
    if { [string match "*() \{*" [HTTP::request]] } {
        log local0. "Detected CVE-2014-6271 attack from '[IP::client_addr]'; URI = '[HTTP::uri]'"
        reject
    }
}
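The check that the policy and both iRules perform (match the literal "() {" in the URI, then in each header value) as an added Python model run over constructed sample requests. This is not F5's code and not something that runs on a BIG-IP; the request list, the `inspect_request`/`run` helper names and the optional percent-decoding step are all this example's own assumptions. The decode step is added hardening: the page's policy and iRules compare raw bytes only, so the model shows what a normalized comparison sees that a raw one does not.

```python
import fnmatch
from urllib.parse import unquote

# Same glob the iRule uses with Tcl's [string match]: the literal "() {"
# anywhere in the inspected string.
PATTERN = "*() {*"

# Constructed sample requests (not captured traffic). Headers are a list of
# (name, value) pairs so a header that appears more than once is inspected
# value by value, as the iRule's inner foreach does.
SAMPLE_REQUESTS = [
    {"uri": "/index.html", "headers": [("User-Agent", "Mozilla/5.0")]},
    {"uri": "/cgi-bin/status?x=() { :; }; echo probe", "headers": [("User-Agent", "curl")]},
    {"uri": "/search?q=hello", "headers": [("User-Agent", "() { :; }; echo probe")]},
    {"uri": "/api/items?filter=(a){b}", "headers": [("Accept", "*/*")]},
    # Percent-encoded form of the same bytes: "%28%29%20%7B" decodes to "() {".
    {"uri": "/cgi-bin/status?x=%28%29%20%7B%20:;%20%7D", "headers": []},
]


def _matches(value: str) -> bool:
    # fnmatchcase keeps "(" ")" "{" literal, just like Tcl's string match.
    return fnmatch.fnmatchcase(value, PATTERN)


def inspect_request(req: dict, decode: bool = False) -> tuple:
    """Mirror the iRule's order of checks: URI first, then every header value.

    Returns ("reject", "uri") or ("reject", "header:<name>") on a hit,
    otherwise ("allow", ""). With decode=True each string is percent-decoded
    before matching (added hardening; the page's policy and iRules match the
    raw bytes only).
    """
    normalize = unquote if decode else (lambda s: s)
    if _matches(normalize(req["uri"])):
        return ("reject", "uri")
    for name, value in req["headers"]:
        if _matches(normalize(value)):
            return ("reject", "header:" + name)
    return ("allow", "")


def run(requests: list, decode: bool = False) -> list:
    """Verdict per request, in order."""
    return [inspect_request(r, decode)[0] for r in requests]


if __name__ == "__main__":
    raw = run(SAMPLE_REQUESTS)
    decoded = run(SAMPLE_REQUESTS, decode=True)
    for req, r, d in zip(SAMPLE_REQUESTS, raw, decoded):
        print(f"{req['uri']:45s} raw={r:6s} decoded={d}")
```

The first four requests get the same verdict either way; only the last one differs, because the raw comparison never sees "() {" in "%28%29%20%7B". On the device the equivalent normalization would have to be done in the policy or the iRule before the match, which the page's examples do not do.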