For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

JamesS_40157's avatar
JamesS_40157
Icon for Nimbostratus rankNimbostratus
Dec 02, 2010

Blocking thousands of IP addreses (botnet)

Hi all,     We have the following iRule on our F5 Big-IP 3400, which allows us to block IP addresses that are listed in an IP list (such as spiders, scrapers etc):       ...
application delivery
dev
devops
iRules
JamesS_40157's avatar
JamesS_40157
Icon for Nimbostratus rankNimbostratus
Dec 03, 2010
Many thanks for the quick reply hoolio!

 

 

We are not being ddos'ed, but rather being scraped for data with requests that are coming from hundreds of different IP addresses, and many different spoofed user agent headers. There are patterns to the requests but at the same time these can look like normal user generated requests too - therefore we'd have to be very very careful in how we code any irule that looks at patterns.

 

 

It's quite interesting looking into this - but unfortunately quite time critical as well, so we wouldn't be able to look into the asm option (at least for this particular attack that is happening at the moment). I will look at writing something to check IPs against this botnet database - we already have something similar in place for tor nodes that we download every day.