Lately, I noticed some Layer 7 attacks on FiveM servers. After checking the Wireshark logs, most of the requests have a malformed User-Agent:
User-Agent: \r\n
User-Agent: k\r\n
And some others.
I set the following rule to be matched and reject everything else:
/ip firewall layer7-protocol add name=bot2 regexp="[Uu]ser-[Aa]gent: [Mm]ozilla"
If anyone would help me build up an L7 filter to block such attacks, it would be great. I can send the pcap file by email for easier analysis (maybe we can block on something other than the User-Agent).
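As an added example (not part of the post above), a small Python harness that runs the posted layer7 regexp over constructed sample requests and compares it with a header-sanity check that does not require "Mozilla"; the sample requests and the min_len threshold are my assumptions, not values from the poster's pcap.

```python
import re

# The poster's RouterOS layer7 regexp, reproduced verbatim. Its explicit
# character classes make it behave the same whether the matcher is
# case-sensitive or not.
L7_ALLOW_RE = re.compile(rb"[Uu]ser-[Aa]gent: [Mm]ozilla")

# Constructed sample requests (assumption: not taken from the poster's capture).
SAMPLES = {
    "browser":  b"GET / HTTP/1.1\r\nHost: x\r\nUser-Agent: Mozilla/5.0 (X11)\r\n\r\n",
    "empty_ua": b"GET / HTTP/1.1\r\nHost: x\r\nUser-Agent: \r\n\r\n",
    "k_ua":     b"GET / HTTP/1.1\r\nHost: x\r\nUser-Agent: k\r\n\r\n",
    "no_ua":    b"GET / HTTP/1.1\r\nHost: x\r\n\r\n",
    "curl":     b"GET / HTTP/1.1\r\nHost: x\r\nUser-Agent: curl/8.0\r\n\r\n",
}

def l7_allowlist(raw):
    """Mimic the posted rule: allow only if the L7 regexp matches anywhere in
    the request data, reject everything else."""
    return "allow" if L7_ALLOW_RE.search(raw) else "reject"

# Header line matcher: captures the User-Agent value up to the end of its line.
UA_LINE_RE = re.compile(rb"(?im)^User-Agent:[ \t]*(.*?)\r?$")

def ua_sanity(raw, min_len=8):
    """Alternative check: flag a missing, empty or implausibly short User-Agent
    value without demanding 'Mozilla', so non-browser clients still pass.
    min_len is an assumed threshold, tune it to the clients you expect."""
    m = UA_LINE_RE.search(raw)
    if not m:
        return "reject:missing"
    value = m.group(1).strip()
    if len(value) < min_len:
        return "reject:short"
    return "allow"

def classify_all(samples=SAMPLES):
    """Return {name: (verdict of posted rule, verdict of sanity check)}."""
    return {name: (l7_allowlist(raw), ua_sanity(raw)) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, verdicts in classify_all().items():
        print(f"{name:9s} posted-rule={verdicts[0]:7s} sanity-check={verdicts[1]}")
```

The "curl" row shows the trade-off: the posted allowlist rejects every non-Mozilla client, while the sanity check only rejects the empty and one-character User-Agent values seen in the capture.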