On a virtual it's possible to set a Connection Rate Limit with different modes. Let's say it's Per Virtual Server and Source Address. Then a different Source Mask can be set.
Those limits have to use some kind of counter to figure out if the number of CPS from a given IP/Net is above the set limit. I wonder if there is any way to access this "blacklist" via iRule/iCall/iControl or in some other way? The idea is to use the built-in mechanism for detecting threshold violations and then use the blacklisted IPs for another script/device/etc.
I wonder if you might be able to build something like this using sFlow.
The data store you can use for this on-device is the session table:
I imagine that you can key the entries in the table per IP address.
Other than this, you are going to have to build the logic up.
Application Security Module (ASM) has some pieces that can be configured to accomplish something like this without having to write code (Anomaly detection and DOS Profiles, particularly in version 12.0). Are you familiar with these, or have you taken a look at them?
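The session-table approach suggested above, written as an iRule. This is an added example, not code from any reply in the thread; the threshold values and the `cps_<ip>` and `cps_blacklist` subtable names are assumptions chosen for illustration.

```tcl
when RULE_INIT {
    set static::cps_limit 50      ;# assumed: max new connections per source per window
    set static::cps_window 1      ;# assumed: counting window in seconds
    set static::block_time 60     ;# assumed: seconds a source stays on the blacklist
}

when CLIENT_ACCEPTED {
    set src [IP::client_addr]

    # Source already blacklisted: drop without touching the entry, so the
    # blacklist lifetime keeps running down while the source keeps trying.
    if { [table lookup -notouch -subtable cps_blacklist $src] ne "" } {
        drop
        return
    }

    # One subtable per source address. Each connection is stored as its own
    # key with a lifetime of one window, so the number of live keys equals
    # the number of connections seen from this source in the last window.
    set conn_id "[TCP::client_port]:[clock clicks]"
    table set -subtable "cps_$src" $conn_id 1 indefinite $static::cps_window
    set count [table keys -subtable "cps_$src" -count]

    if { $count > $static::cps_limit } {
        # Record the offender. Other iRules on the same device can read the
        # cps_blacklist subtable; the log line is what an external script or
        # device would consume via syslog.
        table set -subtable cps_blacklist $src $count indefinite $static::block_time
        log local0.warning "cps limit exceeded: src=$src count=$count"
        drop
    }
}
```

To count per network instead of per host, replace `$src` with the masked address, for example `[IP::addr [IP::client_addr] mask 255.255.255.0]`.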
Yes, I know ASM but this is not exactly the same functionality. It's more like static limiting without detecting attacks/violations. It seems that both DOS Profiles and Web Scraping protection are not enough - both are enabled.
The issue is preventing ASM overload - the device is too weak for the load. I know that this is a bit of an artificial solution but I have to work with what I have.
I will try to figure out how to arrange it with an iRule, but the first thing is to figure out the logic more precisely. I assume that there could be some flaws with what I already described :-(