Forum Discussion

Dianna_129659's avatar
Dianna_129659
Icon for Nimbostratus rankNimbostratus
Sep 23, 2013

Can I block an IP address?

Can I blacklist a specific IP address? Our web scraping is set pretty loose because many of our customers do transactions that appear to be scraping. We are being hit hard by some crawlers, and I would like to simply block the IP address. Thank you.

 

BIG-IP Access Policy Manager (APM)
ip addresses
management
security
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Sep 23, 2013

    The easiest is probably a packet filter rule, but you could do the same with an iRule:

    when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals xx.xx.xx.xx/xx] } {
        reject
    }
}

    The beauty of a packet filter rule is that it blocks the traffic before the completion of the TCP 3-way handshake. The iRule would reject the traffic after the handshake.

  • Dianna_129659's avatar
    Dianna_129659
    Icon for Nimbostratus rankNimbostratus
    Sep 23, 2013

    Hi Kevin. Thank you! I have not worked with packet filter rules, nor with iRules. Can you guide me to where I can create either of these, please? I would prefer the packet filter, but I will do either of them. I appreciate your help very much!

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Sep 23, 2013

    As you've never worked with packet filters, I'd strongly recommend reading the following first:

    http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-3-0/24.htmlconceptid

    http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-concepts-11-3-0/tmos_packet_filters.html1189342

    As for the iRule, simply copy the above to a new iRule in the iRules section of the management GUI, and change the xx.xx.xx.xx/xx do a specific IP address (ex. 123.45.678.90) or a specific subnet (ex. 123.45.67.0/24), then add that iRule to the virtual server configuration. You could even throw in some logging to see what IP address is getting blocked (and when).

    when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals xx.xx.xx.xx/xx] } {
        log local0. "Blocking [IP::client_addr]"
        reject
    }
}
  • Dianna_129659's avatar
    Dianna_129659
    Icon for Nimbostratus rankNimbostratus
    Sep 23, 2013

    Yes, I think iRules is best for me for right now. However, I do not have full access to the F5 server, and I can't find the place where I create an iRule. Can you tell where this is located? Thank you very much.

     

  • Dianna_129659's avatar
    Dianna_129659
    Icon for Nimbostratus rankNimbostratus
    Sep 23, 2013

    Hi Josh. I think that I do not have permissions to this section. When I look under Local Traffic, I have only Profiles >> Services >> Protocal. Are there more sections under Local Traffic that I need to get access to? Thank you!

     

  • Dianna_129659's avatar
    Dianna_129659
    Icon for Nimbostratus rankNimbostratus
    Sep 23, 2013

    No, I see none of that. I see only Profiles, and under Profiles is Services and Protocal. I have very limited access it seems.

     

  • StephanManthey's avatar
    StephanManthey
    Icon for MVP rankMVP
    Sep 23, 2013

    Especially if you are dealing with a large number of source IPs to block it might make sense to use a generic iRule associated with a so called data group.

    It´s ease to add or remove addresses from the data group without touching the iRule anymore. 
    if { [class match [IP::remote_addr] equals ip_blacklist] } { 
    reject
    event disable all
    return
}

    The data group will be of type IP address and may contain hosts and networks.

    This should be easier to handle