Forum Discussion
Block attacker address for a period of time
I want to block the source address of an attacker for 5 minutes when an attack occurs (like SQL injection). I think I have to use an iRule. But how?
- youssef1 (Cumulonimbus)
Hello Nor,
Do you use ASM?
Regards
- nor_368995 (Nimbostratus)
Yes, dear youssef, ASM + LTM
- youssef1 (Cumulonimbus)
Hi Nor,
You can try this:
```tcl
when HTTP_REQUEST {
    # Walk the block list and answer with a block page if the client address is in it
    foreach client_addr [table keys -subtable "temp_blocage"] {
        # -notouch reads the entry without resetting its timeout
        set violation [table lookup -notouch -subtable temp_blocage $client_addr]
        if { [IP::addr [IP::client_addr] equals $client_addr] } {
            HTTP::respond 200 content "you are temporarily blocked"
            log local0. "user with IP : $client_addr was blocked because it is done previously blocked for the following reason: $violation"
            return
        }
    }
}

when ASM_REQUEST_BLOCKING {
    # ASM::violation_data returns a list of seven fields describing the violation
    set violation [ASM::violation_data]
    set client_addr [IP::client_addr]
    # Log each field of the violation data under its name
    for {set i 0} { $i < 7 } {incr i} {
        switch $i {
            0 { log local0. "violation=[lindex $violation $i]" }
            1 { log local0. "support_id=[lindex $violation $i]" }
            2 { log local0. "web_application=[lindex $violation $i]" }
            3 { log local0. "severity=[lindex $violation $i]" }
            4 { log local0. "source_ip=[lindex $violation $i]" }
            5 { log local0. "attack_type=[lindex $violation $i]" }
            6 { log local0. "request_status=[lindex $violation $i]" }
        }
    }
    # Record the client address with the violation data; the entry expires after 300 seconds
    table delete -subtable temp_blocage $client_addr
    table set -subtable temp_blocage $client_addr $violation 300
}
```
For information, I haven't tested this iRule, but it will work. Maybe you will have to fine-tune it.
So this iRule blocks your access to the application for 300 s if you triggered a violation before. You can update this iRule by adding an additional condition for a specific violation, for example.
Let me know if you need more details or help updating this iRule.
regards,
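A variant of the iRule above with the "additional condition for a specific violation" filled in, as an added example that is not part of the thread and has not been tested on a BIG-IP. It looks the client address up directly instead of iterating over every key; the `static::` variable names, the 403 status, the `Retry-After` header and the `*SQL*` match on the attack type string are assumptions.

```tcl
when RULE_INIT {
    # Assumed names; 300 s is the 5-minute block asked for in the question
    set static::block_subtable "temp_blocage"
    set static::block_seconds 300
}

when HTTP_REQUEST {
    # One keyed lookup per request; -notouch leaves the entry's remaining time unchanged
    set reason [table lookup -notouch -subtable $static::block_subtable [IP::client_addr]]
    if { $reason ne "" } {
        log local0. "rejecting [IP::client_addr], blocked earlier for attack type: $reason"
        HTTP::respond 403 content "You are temporarily blocked" "Retry-After" $static::block_seconds
        return
    }
}

when ASM_REQUEST_BLOCKING {
    # Field order as logged in the iRule above: 0 violation, 1 support_id,
    # 2 web_application, 3 severity, 4 source_ip, 5 attack_type, 6 request_status
    set vdata [ASM::violation_data]
    set attack_type [lindex $vdata 5]

    # Assumption: SQL injection is reported with "SQL" somewhere in the attack type string
    if { [string match -nocase "*SQL*" $attack_type] } {
        # Timeout and lifetime are both 300 s, so the entry expires 300 s after the violation
        table set -subtable $static::block_subtable [IP::client_addr] $attack_type $static::block_seconds $static::block_seconds
        log local0. "blocking [IP::client_addr] for $static::block_seconds s, support_id=[lindex $vdata 1], attack_type=$attack_type"
    }
}
```

`ASM_REQUEST_BLOCKING` only fires when the ASM policy is set to trigger iRule events, so check that setting first if no entries appear in the subtable. Blocking by source address also affects every user behind the same NAT or proxy address for the full 300 seconds.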
- sa3d2520 (Nimbostratus)
Didn't work for me