F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

JamesS_40157's avatar
JamesS_40157
Icon for Nimbostratus rankNimbostratus
Dec 02, 2010

Blocking thousands of IP addreses (botnet)

Hi all,     We have the following iRule on our F5 Big-IP 3400, which allows us to block IP addresses that are listed in an IP list (such as spiders, scrapers etc):       ...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Dec 02, 2010
Hi James,

 

 

I don't think ~100k entries in a datagroup will kill a 3400, but it would be good to test it with your highest expected load.

 

 

If it's a bot network doing a DDOS, I imagine a lot of IP's wouldn't be known in advance though. What are the bots scanning? Is it a web app? Are there any patterns to the requests? You might be able to use an iRule to check the HTTP requests rather than a static (and potentially outdated) list of bad client IPs.

 

 

ASM would be an ideal option for this as it gives a lot of simpler options for detecting and blocking bots.

 

 

Aaron