F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

SAP's avatar
SAP
Icon for Nimbostratus rankNimbostratus
Jul 12, 2018

Block Brute Force Attack

Hi All,   Need some suggestion.   Can anyway we can allow only x amount of connections from the same IP address at a time for a VIP.   VIP config: ltm virtual XXXXX-22 { destination X.X.X....
application delivery
LTM
TMSH
Andy_McGrath's avatar
Andy_McGrath
Icon for Cumulonimbus rankCumulonimbus
Jul 12, 2018

You would need to use an iRule and session/tables to store client IP addresses, then every time a new connection takes place look up the IPs in the table, if it exists then close the new connection down. When a connection closes you would need to make sure you removed it from the table.

 

This would only slow a brute force attack down if someone is always using the same source address not if someone has a way of connecting using multiple IP addresses. And this also could block valid traffic as multiple users connecting from behind the same NATed private network and so would share a common IP address seen by the F5 as the source address.

 

Assuming this is for a SSH connection it would be better to get the backend system to lock accounts after a set number of failed login attempts and even look if a user can be limited to a single authenticated session.