Manual Chapter : Example: Preventing a Nimda worm attack

Applies To:


BIG-IP LTM

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0

BIG-IP PEM

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0

BIG-IP ASM

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0

Example: Preventing a Nimda worm attack

You can create a local traffic policy that prevents the Nimda worm attack. If the URL contains certain strings that are known to be associated with the Nimda worm, then the local traffic policy can use a forwarding action that resets the connection.

Examples

Creating a policy to prevent a Nimda worm attack: video example

You can associate a BIG-IP local traffic policy with a virtual server to prevent a Nimda worm attack. When a request URL contains strings associated with the Nimda worm, the policy's forwarding action resets the connection instead of forwarding the request. Watch the following video for an example of creating a local traffic policy and associating it with a virtual server.
You can also visit our DevCentral YouTube channel to see this video. Use any of these ways:
  • Copy and paste the above URL into your browser window.
  • Use your browser to search for this video using the title "F5: Creating a local traffic policy to prevent a Nimda worm attack".

Preventing a Nimda worm attack: tmsh example

This topic provides a tmsh command to list the configured settings for a Nimda policy. The policy specifies that if the request URI contains strings known to be associated with the Nimda worm, a forwarding action resets the connection. This topic also provides a tmsh command to list the settings of the virtual server to which the policy is attached.
(tmos)# list ltm policy StopNimda
ltm policy StopNimda {
    controls { forwarding }
    description "This policy blocks the Nimda worm."
    last-modified 2016-03-02:11:46:00
    requires { http }
    rules {
        ClobberNimda {
            actions {
                0 {
                    forward
                    reset
                }
            }
            conditions {
                0 {
                    http-uri
                    query-string
                    values { root.exe admin.dll cmd.exe }
                }
            }
        }
    }
    status published
    strategy first-match
}

(tmos.ltm.virtual)# list HTTP-VS1
ltm virtual HTTP-VS1 {
    destination 10.10.0.21:http
    ip-protocol tcp
    mask 255.255.255.255
    policies {
        StopNimda { }
    }
    profiles {
        http { }
        tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 2
}

Preventing a Nimda worm attack: iRules example

This topic provides an example of iRules code that is equivalent to a policy that protects against a Nimda worm attack. The iRule performs the same check as the policy: if the request URI contains strings known to be associated with the Nimda worm, the iRule terminates the connection instead of forwarding the request.
when HTTP_REQUEST {
    # Lowercase the full request URI so the comparison is case-insensitive.
    set uri [string tolower [HTTP::uri]]
    # Terminate the connection if the URI contains any string associated with Nimda.
    # discard drops the connection without sending a response; reject would send a
    # TCP RST, which is what the policy's "forward reset" action does.
    if { ($uri contains "cmd.exe") or ($uri contains "root.exe") or ($uri contains "admin.dll") } {
        discard
    }
}
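The following Python script is an added example, not F5 code, that models the decision logic of both the tmsh policy and the iRule on this page so they can be compared on the same requests. It reproduces the iRule exactly (lowercase the whole [HTTP::uri], then substring-match the three strings) and reads the tmsh rule ClobberNimda literally: its condition is http-uri query-string, so only the query-string component of the URI is tested. The request lines, the helper names (request_uri, irule_decision, policy_decision, triage) and the assumption that the policy matches case-insensitively are all constructed for the example; neither check decodes the URI, matching the raw string just as the originals do.

```python
from urllib.parse import urlsplit

# The three strings that the page's policy and iRule test for.
NIMDA_STRINGS = ("cmd.exe", "root.exe", "admin.dll")

# Constructed sample request lines (not captured traffic) used to exercise both checks.
SAMPLE_REQUESTS = (
    "GET /index.html HTTP/1.1",
    "GET /scripts/root.exe HTTP/1.0",
    "GET /search?file=CMD.EXE HTTP/1.1",
    "GET /images/logo.png?v=3 HTTP/1.1",
)


def request_uri(request_line: str) -> str:
    """Return the request-target from an HTTP request line ('METHOD URI VERSION')."""
    parts = request_line.split()
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {request_line!r}")
    return parts[1]


def irule_decision(uri: str) -> str:
    """Mirror the iRule on this page: lowercase the entire URI ([HTTP::uri]) and
    discard the connection if any Nimda string appears anywhere in it."""
    lowered = uri.lower()
    return "discard" if any(s in lowered for s in NIMDA_STRINGS) else "forward"


def policy_decision(uri: str) -> str:
    """Mirror rule ClobberNimda from the tmsh listing: its condition is
    'http-uri query-string values { ... }', so only the query-string component is
    examined (case-insensitively here, an assumption matching the iRule);
    a match triggers the 'forward reset' action."""
    query = urlsplit(uri).query.lower()
    return "reset" if any(s in query for s in NIMDA_STRINGS) else "forward"


def triage(request_lines) -> list:
    """Evaluate each request line under both checks.

    Returns a list of (uri, irule_result, policy_result) tuples so the two
    matching scopes can be compared side by side."""
    results = []
    for line in request_lines:
        uri = request_uri(line)
        results.append((uri, irule_decision(uri), policy_decision(uri)))
    return results


if __name__ == "__main__":
    for uri, irule, policy in triage(SAMPLE_REQUESTS):
        print(f"{uri:32} iRule={irule:8} policy={policy}")
```

Running it shows the practical difference between the two forms on the page: a string in the URI path (/scripts/root.exe) is caught by the iRule but not by the query-string condition, while a string in the query (?file=CMD.EXE) is caught by both. If the intent is to match the whole URI, as the iRule does, the policy condition needs a scope other than query-string.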