Forum Discussion

Abed_AL-R
Dec 15, 2020
Solved

F5 ASM | count violation

Hi

 

We receive a lot of traffic trying to scan our website.

We enabled IP intelligence, but the thing is it is not blocking all IP addresses; it relies on one external DB called "vector.brightcloud.com".

There are some IP addresses that are not getting blocked, and they're not in the F5IpRep.dat.

 

Is it possible to create an iRule that does the following:

If a client IP address did X number of violations in X minutes, then reset its connections.

For example, 20 violations in 30 minutes from the same source IP, then block, or maybe put the IP address in a specific data group using iCall or something ...

 

Has anyone tried to accomplish this task?

4 Replies

  • Hi Abed AL-R,

     

    You can use session tracking.

    https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-asm-implementations/preventing-session-hijacking-and-tracking-user-sessions.html

    Result after X violations in the last Y seconds:

  • Can this feature "Violation Detection Actions" work with XFF (if the XFF header is available)?

    Is it possible to configure this feature to block the XFF header client IP and not the source IP?

    Because sometimes the source IP hides many users behind it.

     

    • When the Trust XFF Header option is enabled, it blocks the XFF header value.

       

      "Beginning in BIG-IP ASM 10.1.0, you can instruct the BIG-IP ASM system to trust the X-Forwarded-For header and use the IP address information in the HTTP header instead of the source IP of the packet if the BIG-IP ASM system is deployed behind an internal or other trusted proxy. You can enable this feature in the Configuration utility by selecting the Trust XFF Header check box in the security policy properties advanced configuration settings."

       

      REF: https://support.f5.com/csp/article/K12264
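
The counting rule discussed in this thread ("X violations in the last Y seconds", keyed on either the source IP or the X-Forwarded-For value), modeled as an added Python example; it is not part of the original posts and is not F5 code or configuration. Assumptions: all addresses and events are constructed, `10.0.0.5` stands in for the trusted internal proxy, and the rightmost XFF entry is taken as the client address.

```python
from collections import defaultdict, deque

THRESHOLD = 20                   # violations (the question's example)
WINDOW = 30 * 60                 # seconds (the question's example)
TRUSTED_PROXIES = {"10.0.0.5"}   # constructed: internal proxy in front of the WAF

def client_key(src_ip, xff, trust_xff):
    """Pick the address that violations are counted against."""
    # XFF is honoured only when the packet came from a trusted proxy;
    # otherwise a client could forge the header to evade or misdirect a block.
    if trust_xff and xff and src_ip in TRUSTED_PROXIES:
        # Assumption: rightmost entry = address appended by the trusted proxy.
        return xff.split(",")[-1].strip()
    return src_ip

def blocked_clients(events, trust_xff):
    """events: time-ordered (ts_seconds, src_ip, xff_or_None), one per violation.
    Returns keys that reached THRESHOLD violations inside a sliding WINDOW."""
    recent = defaultdict(deque)
    blocked = set()
    for ts, src, xff in events:
        q = recent[client_key(src, xff, trust_xff)]
        q.append(ts)
        while q[0] <= ts - WINDOW:       # drop violations older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            blocked.add(client_key(src, xff, trust_xff))
    return blocked

def sample_events():
    """Constructed violation log, not real traffic."""
    ev = [(i * 60, "10.0.0.5", "203.0.113.7") for i in range(20)]       # scanner via proxy
    ev += [(300, "10.0.0.5", "198.51.100.9"),
           (900, "10.0.0.5", "198.51.100.9")]                           # ordinary user, same proxy
    ev += [(i * 120, "192.0.2.50", None) for i in range(20)]            # slow direct client
    ev += [(i * 10, "192.0.2.66", "203.0.113.99") for i in range(20)]   # direct, forged XFF
    return sorted(ev, key=lambda e: e[0])

if __name__ == "__main__":
    for trust in (False, True):
        print("trust_xff =", trust, "->", sorted(blocked_clients(sample_events(), trust)))
```

Keyed on source IP, the shared proxy address is blocked along with every user behind it; keyed on XFF, only the scanning client is blocked, and the forged header from the direct client is ignored.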