WAF rule 397999 blocking legit IE 6 users

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
prupert
Forum Regular
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

WAF rule 397999 blocking legit IE 6 users

Unread post by prupert »

We noticed that WAF rule 397999 is blocking legit IE 6 user agents. Although this browser is very out-dated, some people are still using it, and they should not be prevented from viewing a web page. Apart from that we have also had reports of IE 8 users being blocked because of this rule, perhaps because of the regexp match on the user agent string. A false positive has been reported.

As a temporary measure I recommend everyone to disable rule 397999 if you don't want to block old IE clients.

Code: Select all

asl --disable-rule 397999
Lemonbit Internet Dedicated Server Management
biggles
Forum Regular
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden
Contact:

Re: WAF rule 397999 blocking legit IE 6 users

Unread post by biggles »

I would love to have a re-direct to http://www.ie6countdown.com/educate-others.aspx
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: WAF rule 397999 blocking legit IE 6 users

Unread post by mikeshinn »

We could make that redirect the default for that rule, and make the rule to not shun by default.

I'd caution against that though, we added this rule because the percentage of malicious bots pretending to be MSIE6 versus actual MSIE6 users is so lopsided it was stopping nothing but attacks on all our honeypots and test customers. So, maybe a good compromise is a default redirect.

But if you guys have a lot of MSIE6 customers, that would be good to know. We do recognize we're in a slightly different business and maybe our honeypots and test customers dont see MSIE6 as much as you may. So your feedback on these kinds of rules would be invaluable.
prupert
Forum Regular
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: WAF rule 397999 blocking legit IE 6 users

Unread post by prupert »

Of course it is absurd that some people are still using MSIE 6, in our experience they are a rarity as well. They are now shut out of accessing web sites that are hosted on machines protected by the ASL WAF by default because of this new rule. Is that side-effect really necessary to combat bad bots?

That said, we suspect that other versions (non-IE6) are also being blocked by WAF rule 397999. See the false positive report filed under ASL case 29571.
Lemonbit Internet Dedicated Server Management
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: WAF rule 397999 blocking legit IE 6 users

Unread post by mikeshinn »

The rule definitely cant block MSIE7-9, they never ever send a UA that contains:

Mozilla/4\.0 \(compatible\; MSIE 6\.0)

And thats what this rule looks for.
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: WAF rule 397999 blocking legit IE 6 users

Unread post by mikeshinn »

And the rule is now set to not shun by default.
faris
Long Time Forum Regular
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: WAF rule 397999 blocking legit IE 6 users

Unread post by faris »

Yeah, I was horrified to find a customer shunned because they were using IE6. Not because they were shunned, but because I didn't imagine anyone would be using IE6. It implies the system it is being run on potentially (and most likely) has not had security updates applied for years.

This does bring up an interesting about being notified of major changes, which I'll post about separately.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
Post Reply