Forum Discussion
nor_368995
Nimbostratus
Aug 06, 2018
Block attacker address for a period of time
I want to block the source address of an attacker for 5 minutes when an attack occurs (like SQL Injection).
I think I have to use an iRule. But how?
youssef1
Cumulonimbus
Aug 06, 2018
Hi Nor,
You can try this:
```tcl
when HTTP_REQUEST {
    # Walk the list of temporarily blocked addresses and refuse the request on a match.
    foreach client_addr [table keys -subtable "temp_blocage"] {
        # -notouch: reading the entry must not reset its timeout.
        set violation [table lookup -notouch -subtable temp_blocage $client_addr]
        if { [IP::addr [IP::client_addr] equals $client_addr] } {
            HTTP::respond 200 content "you are temporarily blocked"
            log local0. "user with IP : $client_addr was blocked because it is done previously blocked for the following reason: $violation"
            return
        }
    }
}
when ASM_REQUEST_BLOCKING {
    set violation [ASM::violation_data]
    set client_addr [IP::client_addr]
    # Log each field of the violation data list.
    for {set i 0} { $i < 7 } {incr i} {
        switch $i {
            0 { log local0. "violation=[lindex $violation $i]" }
            1 { log local0. "support_id=[lindex $violation $i]" }
            2 { log local0. "web_application=[lindex $violation $i]" }
            3 { log local0. "severity=[lindex $violation $i]" }
            4 { log local0. "source_ip=[lindex $violation $i]" }
            5 { log local0. "attack_type=[lindex $violation $i]" }
            6 { log local0. "request_status=[lindex $violation $i]" }
        }
    }
    # Record the client address with the violation data; the entry times out after 300 seconds.
    table delete -subtable temp_blocage $client_addr
    table set -subtable temp_blocage $client_addr $violation 300
}
```
For information, I didn't test this iRule, but it will work. Maybe you will have to fine-tune it.
So this iRule blocks your access to the application for 300s if you triggered a violation before. You can update this iRule by adding an additional condition for a specific violation, for example.
Keep me in touch if you need more details or help to update this iRule.
regards,
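
One way to add the per-violation condition suggested in the reply above, as an added example that is not part of the original post: it records a block only when the attack_type field matches a configured pattern, and looks the client up by key instead of walking every entry. The `static::` variable names, the glob pattern for SQL injection, and the 403 status are assumptions of this example, and it assumes the ASM policy has iRule events enabled.

```tcl
when RULE_INIT {
    # Assumed names and values for this example; adjust to your environment.
    set static::block_table "temp_blocage"   ;# same subtable name as the iRule above
    set static::block_secs  300              ;# 5 minutes
    # Glob patterns matched case-insensitively against the attack_type field.
    # The exact strings ASM reports are an assumption here: confirm them in
    # your own logs before relying on these patterns.
    set static::block_attacks [list "*sql*injection*"]
}

when HTTP_REQUEST {
    # Direct key lookup; -notouch keeps the lookup from resetting the timer.
    set reason [table lookup -notouch -subtable $static::block_table [IP::client_addr]]
    if { $reason ne "" } {
        log local0. "blocked [IP::client_addr], earlier attack_type=$reason"
        HTTP::respond 403 content "you are temporarily blocked" Connection close
        return
    }
}

when ASM_REQUEST_BLOCKING {
    # Index 5 of ASM::violation_data is attack_type, as in the logging loop above.
    set attack_type [lindex [ASM::violation_data] 5]
    foreach pattern $static::block_attacks {
        if { [string match -nocase $pattern $attack_type] } {
            # Timeout and lifetime are both set, so the entry expires after
            # block_secs no matter how often the client retries.
            table set -subtable $static::block_table [IP::client_addr] \
                $attack_type $static::block_secs $static::block_secs
            log local0. "blocking [IP::client_addr] for ${static::block_secs}s: $attack_type"
            break
        }
    }
}
```

Blocking by source address also affects every other user behind the same NAT or proxy address for the duration of the block.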