Manual Chapter : Example: Mitigating shellshock

Applies To:

BIG-IP PEM

  • 15.0.1, 15.0.0

BIG-IP ASM

  • 15.0.1, 15.0.0

BIG-IP LTM

  • 15.0.1, 15.0.0

Example: Mitigating shellshock

You can create a local traffic policy to mitigate shellshock. In shellshock, an Internet service misuses bash shell functionality to process requests that execute arbitrary commands, potentially giving an attacker unauthorized access. This example policy examines requests for the uncommon pattern "() {" in the URI, which minimizes the possibility of false-positive matches.

Examples

Creating a policy to mitigate a shellshock attack: video example

A shellshock attack refers to a class of exploits that misuse the bash shell through a specifically crafted URL. You can associate a BIG-IP local traffic policy with a virtual server to mitigate a shellshock attack, where the policy examines requests for a pattern of "() {" in the URI. Watch the following video for an example of creating a local traffic policy and associating it with a virtual server.

You can also visit our DevCentral YouTube channel to see this video. Use any of these ways:
  • Copy and paste the above URL into your browser window.
  • Use your browser to search for this video using the title F5: Creating a local traffic policy to mitigate a shellshock attack.

Mitigating shellshock: tmsh example

This topic provides a tmsh command to list the configured settings for a Mitigating Shellshock policy. During this type of attack, a class of exploits misuse the bash shell through a specifically crafted URL. This topic also provides a tmsh command to list the configured virtual server settings.
(tmos)# list ltm policy MitigatingShellshock
ltm policy MitigatingShellshock {
    controls { forwarding }
    description "This policy mitigates shellshock."
    last-modified 2016-03-02:11:46:00
    requires { http }
    rules {
        StopShellshock {
            actions {
                0 {
                    log
                    write
                    facility local0
                    message "tcl:Shellshock detected from [IP::client_addr], blocked"
                    priority info
                }
                1 {
                    forward
                    reset
                }
            }
            conditions {
                0 {
                    http-uri
                    query-string
                    contains
                    values { "() {" }
                }
            }
        }
    }
    status published
    strategy first-match
}

(tmos)# list ltm virtual HTTP-VS4
ltm virtual HTTP-VS4 {
    destination 10.10.0.51:http
    ip-protocol tcp
    mask 255.255.255.255
    policies {
        MitigatingShellshock { }
    }
    profiles {
        http { }
        tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 5
}

Mitigating shellshock: iRules example

This topic provides an example of iRules code that is equivalent to a policy to mitigate shellshock, where the policy examines requests for a pattern of "() {" in the URI.
when HTTP_REQUEST {
    # Glob pattern matching the literal sequence "() {" anywhere in a string
    set pattern "*() \{*"
    if { [string match $pattern [HTTP::uri]] } {
        log local0. "Detected CVE-2014-6271 attack from '[IP::client_addr]' in URI '[HTTP::uri]'"
        reject
    } else {
        # The URI is clean; inspect every value of every request header
        foreach header_name [HTTP::header names] {
            foreach header_value [HTTP::header values $header_name] {
                if { [string match $pattern $header_value] } {
                    log local0. "Detected CVE-2014-6271 attack from '[IP::client_addr]' in HTTP Header $header_name"
                    reject
                    break
                }
            }
        }
    }
}

# Shorter alternative: match the pattern anywhere in the raw request headers
when HTTP_REQUEST {
    if { [string match "*() \{*" [HTTP::request]] } {
        log local0. "Detected CVE-2014-6271 attack from '[IP::client_addr]'; URI = '[HTTP::uri]'"
        reject
    }
}
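As an added illustration (not F5 code and not part of this manual), the following Python reproduces the two inspection scopes shown above, the tmsh policy condition on the query string and the iRule's check of the whole URI and then every header value, and runs both over constructed sample requests so you can see which requests each one catches. The sample requests, header values and function names are made up for this example.

```python
import fnmatch
from typing import Optional

# Glob equivalent of the iRule's "*() \{*": the literal sequence "() {" anywhere.
PATTERN = "*() {*"


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request head into (request-URI, {header: [values]})."""
    lines = raw.split("\r\n")
    parts = lines[0].split(" ")
    uri = " ".join(parts[1:-1])  # tolerate a raw space inside the URI
    headers: dict = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return uri, headers


def policy_match(raw: str) -> Optional[str]:
    """Scope of the tmsh policy above: http-uri query-string contains "() {"."""
    uri, _ = parse_request(raw)
    return "query-string" if "() {" in uri.partition("?")[2] else None


def irule_match(raw: str) -> Optional[str]:
    """Scope of the first iRule above: whole URI first, then every header value."""
    uri, headers = parse_request(raw)
    if fnmatch.fnmatchcase(uri, PATTERN):
        return "uri"
    for name, values in headers.items():
        for value in values:
            if fnmatch.fnmatchcase(value, PATTERN):
                return f"header:{name}"
    return None


# Constructed sample requests (not captured traffic); the marker text is harmless.
BENIGN = "GET /index.html?lang=en HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.68.0\r\n\r\n"
IN_QUERY = "GET /cgi-bin/status?mode=() { sample } HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
IN_HEADER = "GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: () { sample }\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("in query", IN_QUERY), ("in header", IN_HEADER)):
        print(f"{label:10} policy={policy_match(req)} irule={irule_match(req)}")
```

The header-borne sample is the case that separates the two: the iRule reports it while the query-string-only policy condition does not, which is why the iRule variant inspects headers after the URI.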