Forum Discussion

JamesS_40157
Jan 03, 2012

Blocking a single IP in ASM - send to the blocking page

Hi all,

I can't for the life of me work out what I would have thought would be a simple thing to do in ASM.

What we would like to do is blacklist a single IP address (or potentially multiple) and send them to the blocking page when they create a violation (or even just block them straight away even if it's a good request, if that is easier).

I am aware I could write an iRule to drop the request or send back a specific response, but we'd like to send them to the configured blocking page we have already made (along with a support ID being shown if they generate a violation). Is this possible? I can find places to whitelist IPs, but nowhere to blacklist them!

Thanks in advance

James


  • Would something like this work in the meantime? I realise it will basically allow anything through that isn't in the block list:

    when HTTP_REQUEST {
        # Keep ASM enabled only for addresses listed in the block-list data group...
        if { [matchclass [IP::remote_addr] equals /Common/asmblockips] } {
            ASM::enable
        } else {
            # ...and bypass ASM for every other client
            ASM::disable
        }
    }


  • A slightly revised version, would this be ok? (more specific to web scraping now)

    when ASM_REQUEST_VIOLATION {
        # ASM::violation_data returns a list; element 0 carries the violation name(s)
        set x [ASM::violation_data]
        if {([lindex $x 0] contains "VIOLATION_WEB_SCRAPING_DETECTED")} {
            # On a web-scraping violation, leave ASM active only for listed addresses
            if { ! [matchclass [IP::remote_addr] equals /Common/asmblockips] } {
                ASM::disable
            }
        }
    }

    However, I have just read that the ASM::enable and ASM::disable functions only work within HTTP_CLASS_SELECTED; if this is the case, I guess I can't be specific down to the attack type?


  • Just curious why you need a support ID while blocking them right away.

    "I can find places to whitelist IPs"

    Where is the whitelist? Is it at Anomaly Detection > DoS Attack Prevention and Web Scraping? Isn't it only meant for DoS attack and web scraping?

    sol10479: Bypassing the BIG-IP ASM with an iRule in version 10.x

    http://support.f5.com/kb/en-us/solutions/public/10000/400/sol10479.html
  • Hi Nitass, good point regarding the support ID. We just want to display the same blocking page, which includes the <%TS.request.ID()%> code. If this particular IP wants to appeal against the block then it would look a bit strange to them if they don't have the support ID listed.

    The whitelist is indeed where you say it is, but there is also an "ignored IP addresses" section which I would assume just disables ASM for that particular IP.
  • "The whitelist is indeed where you say it is, but there is also an "ignored IP addresses" section which I would assume just disables ASM for that particular IP."

    I never tested it, but I think it is for learning suggestions only.

    Ignored IP addresses

    You can now configure IP addresses that the system should ignore. The system ignores traffic sent from these IP addresses, and does not generate Learning suggestions from traffic sent from these IP addresses. Configuring ignored IP addresses is especially useful when performing penetration testing on the web application. To add an ignored IP address, from the Configuration utility, navigate to Application Security » Manual Policy Building » Ignored IPs.

    Release Note: BIG-IP ASM version 10.2.0

    http://support.f5.com/kb/en-us/products/big-ip_asm/releasenotes/product/relnotes_asm_10_2_0.html
  • Ah, I see, that makes sense. Well, I'm only concerned with web scraping at the moment, so that's OK as far as a whitelist goes.

    I'll continue to test my iRule and post back here if it works, thanks.
  • Is there any update on this? The initial iRule solution wasn't really a functional solution for us as it simply disables ASM for IPs that aren't in the list.

    Basically, the situation I have is that I'm learning on web scraping, and have seen a few addresses I want to block, but I don't know if I've got appropriate thresholds, so I don't want to block scraping, since I don't want to block valid traffic. So in the interim, I'd like to be able to simply block all traffic from a specific IP. All the traffic not from these specific IPs should STILL be passed through ASM.

    Any other thoughts? I was thinking this may be done on LTM also with the appropriate iRule.

    Thanks!
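One way to do the LTM-side interim block the last poster describes, added here as an example that is not from the thread or from F5: requests from addresses in the existing /Common/asmblockips data group get a static 403 page and a log line, and every other request is left alone, so it still passes through ASM. The page body and log text are constructed; because the rule answers before ASM ever inspects the request, it cannot show an ASM support ID, which the original question asked for.

```tcl
# Added example (not from the thread): block listed source IPs at the LTM
# level and let all other traffic continue into ASM unchanged.
# Assumes an address-type data group named /Common/asmblockips (the name
# used in the thread) and a virtual server with the ASM policy attached.
when HTTP_REQUEST {
    # "class match" is the v10+ form of the matchclass check used above;
    # it returns 1 when the client address is in the data group.
    if { [class match [IP::client_addr] equals /Common/asmblockips] } {
        # Constructed static block page. This is not the ASM response page,
        # so no <%TS.request.ID()%> support ID is available here.
        set body "<html><body>"
        append body "<h1>Request blocked</h1>"
        append body "<p>This address has been blocked. Please contact support.</p>"
        append body "</body></html>"

        # Record the block so it can be correlated later (constructed log text).
        log local0. "Blocked request from [IP::client_addr] to [HTTP::host][HTTP::uri]"

        # Answer directly and close the connection; ASM never sees this request.
        HTTP::respond 403 content $body "Content-Type" "text/html" "Connection" "close"
        return
    }
    # Not in the block list: fall through, ASM inspects the request as usual.
}
```

Addresses can be added to or removed from the data group without editing the iRule, which covers the "single IP (or potentially multiple)" case from the original question.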