NimbostratusHi,
I have a question about request blocking by source IP in TPS-based detection and stress-based detection.
How is the IP blocked by the ASM? Is that by responding with a response code 4xx to all his requests? By resetting the connection with him by sending a RST packet? Or something else?
Thanks.
EmployeeHi eranati,
For more details about request blocking, see K04550557: Overview of BIG-IP ASM blocking response.
NacreousHello,
Far as I know, it will send RST packet.
When you set action as "Rate Limit" it will reset based on threshold and when "Block All" it will reset all packets.
Regards.
NacreousHi,
If I understand you correctly, usually you have a header XFF that identify you behind a proxy.
So when you set a HTTP profile that accept that XFF header, the DOS profile detection will work on this IP instead of the IP connected to the VS. This way, the RST packet would sent when the malicious XFF IP make requests, preventing to reset all connections from other IP addresses. This setup needs to AVR be provisioned.
I have this trick on vs setup bellow a CDN proxy.
For security, I think is good to customize an alternative name to XFF when just BIG-IP and proxy/CDN know that name to prevent an attacker to impersonate IP addresses on that header.
Regards.
https://support.f5.com/csp/article/K40243113
Accept XFF
Enables or disables trusting the client IP, and statistics from the client IP address, based on the request's X-Forwarded-For (XFF) headers, if they exist.
Note: This option has an effect only when you use either AVR or ASM L7 DoS profile (ASM required). For AVR, the Accept XFF option allows the BIG-IP system to trust and take into consideration IP addresses from the X-Forwarded-For header for statistics purposes. For an L7 DoS profile, the Accept XFF option allows the BIG-IP system to take action based on IP addresses from the X-Forwarded-For header that match, for example, an Access List.