Forum Discussion
NimbostratusHow to block an attack on basis of x-ms-forwarded-client-ip
Hello Team,
I am looking for assistance to block attack over my application using F5. Unfortunately, all other network points are not an option as we can detect attack using only x-ms-forwarded-client-ip
Application has SSL offloaded on F5 thus F5 has full visibility to the connection. Also, we have ASM in our environment but it is just enabled and not being used for now.
So, our application is facing brute force attack but the source IP is visible only in x-ms-forwarded-client-ip. I need to build some rule within LTM or ASM that may detect a DOS attack is lets say we have 2000 connections from same x-ms-forwarded-client-ip within a second or so.
Is this possible using ASM or any Irule?
Regards, Anuj
AhmedGalal219_3Under Security you can find DOS Protection create a new dos profile with the specs the meet your needs and implement this profile in VS configuration in security tab - dos protection profile.
- AhmedGalal219_3
https://www.f5.com/services/resources/white-papers/f5-ddos-protection-recommended-practices-volume
2.3.2.3 Protect Applications with DoS Protection Profiles
- youssef1
Cumulonimbus
Hi,
In fact you can create an ddos profile and specifiy how to detect attackers and which mitigation to use: - By Source IP (but in this case the profil don't use an specific header but real ip source) - By Device ID:
You can try preventing ddos usig device ID, just be carefull because this feature will block requests from clients that do not support JavaScript, even if the security policy is in Transparent mode.
So before trying to set an irule a advise you to use device ID (The device ID is a unique identifier that ASM creates by sending JavaScript to get information about the client device.)
For that Go to ASM then ddos --> Application Security ›› TPS-based DoS Detection
How to detect attackers and which mitigation to use: By Device ID
let me know if it's enough for you ifnot i can help you if an irule is need.
regards