F5 ASM | count violation
Hi,
We receive a lot of traffic trying to scan our website.
We enabled IP Intelligence, but the thing is that it is not blocking all IP addresses; it relies on one external DB called "vector.brightcloud.com".
There are some IP addresses that are not getting blocked, and they're not in the F5IpRep.dat.
Is it possible to create an iRule that does the following:
If a client IP address did X number of violations in X minutes, then reset its connections.
For example, 20 violations in 30 minutes from the same source IP, then block, or maybe put the IP address in a specific data group using iCall or something ...
Has anyone tried to accomplish this task?
Hi Abed AL-R,
You can use session tracking.
https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-asm-implementations/preventing-session-hijacking-and-tracking-user-sessions.html
Result after X violations in the last Y seconds:
- Abed_AL-R (Cirrostratus)
Thanks great
I will check that
Thanks
- Abed_AL-R (Cirrostratus)
Can this feature "Violation Detection Actions" work with XFF (if the XFF header is available)?
Is it possible to configure this feature to block the XFF header client IP and not the source IP?
Because sometimes a source IP hides many users behind it.
When the Trust XFF Header option is enabled, it blocks the XFF header value.
"Beginning in BIG-IP ASM 10.1.0, you can instruct the BIG-IP ASM system to trust the X-Forwarded-For header and use the IP address information in the HTTP header instead of the source IP of the packet if the BIG-IP ASM system is deployed behind an internal or other trusted proxy. You can enable this feature in the Configuration utility by selecting the Trust XFF Header check box in the security policy properties advanced configuration settings."
REF: https://support.f5.com/csp/article/K12264
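The counting logic discussed in this thread (X violations in Y seconds, keyed on the X-Forwarded-For address only when the request arrives from a trusted proxy), as an added example that is not part of the original posts and is not F5 code. The trusted proxy range, the 10-minute block duration, the choice of the rightmost XFF entry, and the names `client_key` and `ViolationTracker` are assumptions of this sketch.

```python
import ipaddress
from collections import defaultdict, deque

# Assumption: proxies whose X-Forwarded-For header we are willing to trust.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def client_key(src_ip, xff=None):
    """Pick the address to count violations against."""
    trusted = any(ipaddress.ip_address(src_ip) in net for net in TRUSTED_PROXIES)
    if xff and trusted:
        # Rightmost entry is the one appended by the trusted proxy itself;
        # entries to its left are client-supplied and can be forged.
        candidate = xff.split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # malformed header: fall back to the packet source
    return src_ip

class ViolationTracker:
    def __init__(self, threshold=20, window=30 * 60, block_for=10 * 60):
        self.threshold = threshold      # X violations ...
        self.window = window            # ... within Y seconds
        self.block_for = block_for      # assumed block duration in seconds
        self.events = defaultdict(deque)
        self.blocked_until = {}

    def is_blocked(self, key, now):
        return self.blocked_until.get(key, 0) > now

    def record(self, key, now):
        """Register one violation; return True if the key is blocked."""
        if self.is_blocked(key, now):
            return True
        q = self.events[key]
        q.append(now)
        while q[0] <= now - self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked_until[key] = now + self.block_for
            q.clear()
            return True
        return False

if __name__ == "__main__":
    # Constructed sample: 20 violations, one per minute, via a trusted proxy.
    t = ViolationTracker()
    key = client_key("10.1.2.3", "203.0.113.7, 198.51.100.9")
    print(key, [t.record(key, m * 60) for m in range(20)][-1])
```

Keying on the forwarded address from an untrusted source would let any client pick whose counter it increments, which is why the header is ignored unless the peer is a known proxy.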