Forum Discussion

nor_368995
Aug 06, 2018

Block attacker address for a period of time

I want to block the source address of an attacker for 5 minutes when an attack occurs (like SQL Injection). I think I have to use an iRule. But how?

 

  • Hi Nor,

    You can try this:

    when HTTP_REQUEST {
        # Look the client up directly instead of walking every key in the subtable.
        # -notouch keeps this lookup from resetting the entry's 300 s timeout.
        set client_addr [IP::client_addr]
        set violation [table lookup -notouch -subtable temp_blocage $client_addr]

        if { $violation ne "" } {
            HTTP::respond 200 content "you are temporarily blocked"
            log local0. "user with IP : $client_addr was blocked because it is done previously blocked for the following reason:  $violation"
            return
        }
    }

    when ASM_REQUEST_BLOCKING {
        # ASM::violation_data returns a list; each field is logged by index below
        set violation [ASM::violation_data]
        set client_addr [IP::client_addr]

        for {set i 0} { $i < 7 } {incr i} {
            switch $i {
                0 { log local0. "violation=[lindex $violation $i]" }
                1 { log local0. "support_id=[lindex $violation $i]" }
                2 { log local0. "web_application=[lindex $violation $i]" }
                3 { log local0. "severity=[lindex $violation $i]" }
                4 { log local0. "source_ip=[lindex $violation $i]" }
                5 { log local0. "attack_type=[lindex $violation $i]" }
                6 { log local0. "request_status=[lindex $violation $i]" }
            }
        }

        # Record the client for 300 seconds, with the violation data stored as the reason
        table delete -subtable temp_blocage $client_addr
        table set -subtable temp_blocage $client_addr $violation 300
    }
    

    For information, I haven't tested this iRule but it will work. Maybe you have to fine-tune it.

    So this iRule blocks your access to the application for 300s if you triggered a violation before. You can update this iRule by adding an additional condition for a specific violation, for example.

    Keep me in touch if you need more details or help to update this iRule.

    regards,
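
One way to apply the reply's suggestion of adding a condition for a specific violation, as an added example that is not part of the original thread. It assumes the subtable name and 300-second period from the reply; the attack-type pattern and the `static::` variable names are hypothetical and should be checked against the `attack_type` values your own ASM logs show.

```tcl
# Added example, not code from the thread.
when RULE_INIT {
    # Block period in seconds (5 minutes, as asked in the question)
    set static::block_seconds 300
    # Hypothetical pattern: compare it with the attack_type strings that
    # the logging loop in the reply writes to /var/log/ltm on your system
    set static::block_attack_pattern "*SQL*INJECTION*"
}

when HTTP_REQUEST {
    # -notouch: reading the entry must not extend its idle timeout
    set blocked_reason [table lookup -notouch -subtable temp_blocage [IP::client_addr]]

    if { $blocked_reason ne "" } {
        log local0. "temp block hit: client=[IP::client_addr] reason=$blocked_reason"
        # 403 instead of the reply's 200 so monitoring and clients see a refusal
        HTTP::respond 403 content "you are temporarily blocked"
        return
    }
}

when ASM_REQUEST_BLOCKING {
    # Field 5 of ASM::violation_data is attack_type (same index as in the reply)
    set violation_data [ASM::violation_data]
    set attack_type [lindex $violation_data 5]

    # Only requests ASM blocked for the selected attack type start a block period
    if { [string match -nocase $static::block_attack_pattern $attack_type] } {
        # timeout and lifetime both set: the entry expires after block_seconds
        # even if some other lookup touches it in the meantime
        table set -subtable temp_blocage [IP::client_addr] $attack_type \
            $static::block_seconds $static::block_seconds
        log local0. "temp block set: client=[IP::client_addr] attack_type=$attack_type support_id=[lindex $violation_data 1]"
    }
}
```

Because the key is the connection's source address, clients arriving through a shared NAT or proxy address are blocked together for the whole period.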