Blocking thousands of IP addresses (botnet)
We have the following iRule on our F5 Big-IP 3400, which allows us to block IP addresses that are listed in an IP list (such as spiders, scrapers etc.):
when HTTP_REQUEST {
    # Test the client address against the blockIps address list (class)
    if { [matchclass [IP::remote_addr] equals $::blockIps] } {
        HTTP::respond 403 content {
            Forbidden Page
        }
        reject
        log local0. "blocked [IP::remote_addr] requesting [HTTP::uri] as it appears in the blockIP list"
    }
}
Currently we have around 1,200 in this list, and the load balancers cope well. However, we have recently noticed that a botnet has been scanning our site. One option is to block all suspected botnet IP addresses, by using a database such as one found on this website - http://www.stopforumspam.com/downloads/ - unfortunately, this contains a list of about 73,000 IP addresses!
My question is (as a fairly new F5 user) - is the way we block IP addresses using a lot of overhead, and will adding in an extra 72,000 IPs into an IP address list cause performance issues on the load balancer? Can we make the rule perform better just by using the Big-IP 3400 (we are not prepared yet to go down the ASM route)?
Each load balancer can receive up to 7 million requests a day, if that helps.
Many, many thanks in advance!
James.
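
One way to reduce the number of entries before loading a large single-address list into the list the iRule above matches against, shown as an added example that is not part of the original post: losslessly merge adjacent addresses into CIDR networks offline. The function names, the constructed sample addresses (documentation ranges) and the `host`/`network ... mask` output line format are assumptions; check the line format against the documentation for your BIG-IP version.

```python
import ipaddress

# Constructed sample input (documentation ranges), not real blocklist data.
SAMPLE = """\
# one address per line
192.0.2.0
192.0.2.1
192.0.2.2
192.0.2.3
192.0.2.1
198.51.100.7
203.0.113.8
203.0.113.9
not-an-ip
"""

def parse_ips(text):
    """Return (set of unique IPv4 addresses, list of rejected lines)."""
    good, bad = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            good.add(ipaddress.IPv4Address(line))
        except ValueError:
            bad.append(line)  # keep for review instead of silently dropping
    return good, bad

def collapse(addrs):
    """Merge addresses into the fewest networks covering exactly the same set."""
    nets = (ipaddress.IPv4Network(int(a)) for a in addrs)  # each int becomes a /32
    return list(ipaddress.collapse_addresses(nets))

def to_class_lines(networks):
    """Format entries for an address list file (assumed line format)."""
    lines = []
    for n in networks:
        if n.prefixlen == 32:
            lines.append(f"host {n.network_address},")
        else:
            lines.append(f"network {n.network_address} mask {n.netmask},")
    return lines

if __name__ == "__main__":
    ips, rejected = parse_ips(SAMPLE)
    merged = collapse(ips)
    print(f"{len(ips)} addresses -> {len(merged)} entries, {len(rejected)} rejected")
    print("\n".join(to_class_lines(merged)))
```

The merge only helps where the list contains complete, aligned blocks of neighbouring addresses, so the reduction on a widely scattered botnet list may be small; no address outside the input is ever blocked.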