Hello, I propose the following iRule as an alternative in that it specifically

1.  
2. Hello, I propose the following iRule as an alternative in that it specifically matches the MS15-034 issue, matches evasion techniques, has a nominal CPU load, and produces no false positives.
3.  
4. # 2015-04-15 Nathan Fowler
5. # Similar to CVE-2011-3192, handle MS15-034
6. # RFC 2616 Section 14.35
7. #
8. # Changelog: Not an overflow issue, 2^64 is unique
9. # Minor PCRE tweak to avoid unlikely but possible false positives, oops.
10. # RFC 2616 BNF adjustments, thanks Didier Stevens
11. # Corrected error with bad matching RegEx, needed full match.
12. # I am an idiot. \x20 spacing in the RegEx was being treated literally, as it should. PEBKAC issue. Tested and confirmed working.
13.  
14. when HTTP_REQUEST {
15. if { ( [HTTP::header exists "Range"] && [HTTP::header "Range"] contains "18446744073709551615") } {
16. if { [HTTP::header "Range"] matches_regex {[^\n]+-[^0-9]*0*18446744073709551615.*} } {
17. if { ! ([HTTP::header "Range"] matches_regex {[^\n]+18446744073709551615[0-9].*}) } {
18. log local0. "LOG DoS/RCE MS15-034 0xFFFFFFFFFFFFFFFF attack structure to [HTTP::host] from [IP::client_addr]"
19. TCP::close
20. event disable
21. }
22. }
23. }
24. }
25.  
26. As you can see by the content and PCRE matches I really don't care too much about the initial byte values since the literal appearance of "18446744073709551615" in an RFC 2616 14.35 Range request is for all practical reasons highly abnormal and five-nines likely to be an attempt against MS15-034. The "anchor" is really '18446744073709551615' since 0xFFFFFFFFFFFFFFFF is unique which is why it is present on the outer-most conditional.
27.  
28. 18446744073709551614 = 0xFFFFFFFFFFFFFFFE = No Crash
29. 18446744073709551615 = 0xFFFFFFFFFFFFFFFF = Crash
30. 18446744073709551616 = No Crash
31.  
32. With respect to MS15-034 my stuff should match on all attempts and isn't dependent on the initial byte range value and is more fixated on 0xFFFFFFFFFFFFFFFF (MS15-034) itself. I went with TCP::close and event disable to send an egress TCP RST to tear down L3/L4 state for the on-premise gear to avoid state table saturation if this ended up a "Lets crash all the boxes from a diverse network". A less "aggressive" stance is the one you've chosen which is simply remove the Range HTTP Request Header but at this point the iRule matches attacker traffic and not passing the request to the back-end makes the most sense.
33.  
34. Evasion testing was done with:
35.  
36. #!/bin/bash
37. echo "Checking $1 for TCP::close"
38. curl -I -k "$1" --header "Range: bytes=2-18446744073709551615"
39. curl -I -k "$1" --header "Range: bytes=2-018446744073709551615"
40. curl -I -k "$1" --header "Range: bytes=2-0018446744073709551615"
41. curl -I -k "$1" --header "Range: bytes=2 - 18446744073709551615"
42. curl -I -k "$1" --header "Range: bytes = 2-18446744073709551615"
43. curl -I -k "$1" --header "Range: bytes=2-184467440737095516150"
44. echo "This should produce HTTP 400 or a valid response"
45. curl -I -k "$1" --header "Range: bytes=0-184467440737095516150"
46. echo "Done"
47.  
48. Cheers,
49. Nathan Fowler
50. bmF0aGFuQHBhY2tldG1haWwubmV0Cg==