For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

redheadontherun's avatar
redheadontherun
Icon for Nimbostratus rankNimbostratus
Jul 27, 2016

Block Source IP using a blocklist hosted on a webserver

Currently we utilize a web server to host a blocklist that some of our other security devices use to block IP addresses. It allows us to maintain 1 list for all devices. Can the F5 ASM or LTM utilize...
ASM Advanced WAF
BIG-IP
ifiles
iRules
LTM
security
Yann_Desmarest's avatar
Yann_Desmarest
Icon for Cirrus rankCirrus
Jul 27, 2016

Hi,

 

this list can be uploaded as an ifile. You can also do a lookup using sideband connections in irules

 

  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    Jul 27, 2016

    You can create an ifile using the following command : 

    tmsh create sys file ifile blacklist source-path http://hostname.com/uri

    and then update it using the following command : 

    tmsh modify sys file ifile blacklist source-path http://hostname.com/uri

    The filesize for a single iFile was raised to 32Mb in 12.1.0. Prior versions limited the size to 4Mb.

  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    Jul 27, 2016

    Here a small Proof of Concept.

    when HTTP_REQUEST {
    set file [ifile get domains]
    log local0. "$file"
    set domain "amazon.co.uk.security-check.ga"
    if { [string match "*$domain*" $file] } {
        log local0. "succeeded"
        HTTP::respond 200 content "ok"
    } else {
        log local0. "failed"
    }
}

    Note : should test performance impact, memory consumption and stuff like that before switching something in production