heenakhanam0708
Jul 09, 2025

How to Block Source IP for 24 Hours After TPS Violation (F5 DoS / iRule / SSL Proxy Setup)

Hi everyone,

We are currently working on a traffic management requirement and would appreciate your input.

Requirement:

We want to implement a mechanism that blocks a source IP for 24 hours once it exceeds 5 TPS (Transactions Per Second). Even if the TPS drops later, the IP should remain blocked for the full 24-hour duration.

Current Setup:

  • SSL Proxy (Client and Server SSL enabled) - Frontend and Backend both on port 443
  • There are no other iRules being used
  • We are using a DoS profile on the F5, which blocks traffic based on a 5 TPS threshold.
  • However, this blocking is dynamic — once the TPS drops below the threshold, the IP is allowed again.
  • This behavior does not meet our requirement, as we want to enforce a fixed penalty (24-hour block) regardless of subsequent traffic rate.

What We’re Looking For:

A solution where:

  • Once an IP exceeds 5 TPS, it gets blocked for 24 hours.
  • Even if TPS drops below the threshold, the IP should not be allowed again until the full block duration expires.

iRule Attempt:

We tried using the below iRule to achieve this:

==============

when RULE_INIT {
    set static::TPS_LIMIT 5
    set static::BLOCK_DURATION 86400  ;# 24 hours in seconds
}

when HTTP_REQUEST {
    set src_ip [IP::client_addr]

    # If the IP is already blocked, drop the request. -notouch leaves the
    # entry's timers alone so further requests cannot extend the block.
    # (This logs once per dropped request, which can flood the log during
    # an attack.)
    if {[table lookup -notouch "blocked_$src_ip"] ne ""} {
        log local0. "Blocked IP $src_ip due to TPS violation"
        drop
        return
    }

    # Track TPS per IP. Create the counter with an indefinite timeout and a
    # fixed 1-second lifetime (-excl only creates it if it is absent). A
    # lifetime, unlike the timeout used originally, is not refreshed when
    # "table incr" touches the entry, so the counter covers a true 1-second
    # window instead of sliding forward on every request.
    table set -excl "tps_$src_ip" 0 indefinite 1
    set count [table incr "tps_$src_ip"]

    if {$count > $static::TPS_LIMIT} {
        log local0. "TPS violation from $src_ip. Blocking for 24h."
        # Fixed penalty: indefinite timeout plus a 24-hour lifetime, so the
        # entry expires BLOCK_DURATION seconds after the violation regardless
        # of subsequent traffic.
        table set "blocked_$src_ip" 1 indefinite $static::BLOCK_DURATION
        drop
    }
}

===========

The above iRule gives an error like "insecure connection".

Could the "insecure connection" error be related to trying to run this logic in the HTTP_REQUEST event on SSL traffic, and how do we fix it?

Is there a better way to achieve this via iRules, DoS profiles, or a combination?

Thanks in advance for your help!

2 Replies

  • VGF5

    Hi heenakhanam0708

    The HTTP_REQUEST event only triggers on HTTP traffic after SSL decryption and with an HTTP profile assigned. If you want to block at the TCP or IP level (before HTTP parsing), you can use the CLIENT_ACCEPTED event instead, which works on all TCP connections.


  • You may try to combine the iRule with the DoS profile, for example using the IN_DOSL7_ATTACK event to add the IP address to a subtable and then, in the CLIENT_ACCEPTED event, checking the table and, if the IP address is present, triggering a reject or drop in the iRule.

    You may need to trigger the iRule in the DoS profile, as there is a "Trigger iRule" option in there, and also attach it to the Virtual Server.
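One way to wire up the combination described in the reply above, as an added example that is not part of the original thread and not F5's own documentation. It assumes a DoS Application Security profile with "Trigger iRule" enabled is attached to the same virtual server, that IN_DOSL7_ATTACK fires for requests the profile attributes to an attack, and that IP::client_addr names the offending client inside that event (all three are assumptions about the deployment; check them against the DoS profile documentation for your TMOS version). The subtable name `penalty_box` and the 24-hour duration are arbitrary choices made here. The DoS profile keeps its own 5 TPS threshold; the iRule only turns each detection into a fixed-length block that is enforced before TLS and HTTP processing.

```tcl
# Added example (not from the original thread): the DoS profile decides who
# is attacking; this iRule turns that decision into a fixed 24-hour block.
# Assumes a DoS Application Security profile with "Trigger iRule" enabled is
# attached to the same virtual server as this iRule. The subtable name
# "penalty_box" and the block duration are arbitrary choices made here.

when RULE_INIT {
    set static::BLOCK_DURATION 86400            ;# 24 hours, in seconds
    set static::PENALTY_SUBTABLE "penalty_box"
}

# Assumption: this event fires for requests the DoS profile attributes to an
# attack, and IP::client_addr names the offending client in it.
when IN_DOSL7_ATTACK {
    set src_ip [IP::client_addr]

    if {[table lookup -notouch -subtable $static::PENALTY_SUBTABLE $src_ip] eq ""} {
        # -excl: create only if absent, so repeated detections of the same
        # client never restart its penalty. Timeout "indefinite" plus a
        # lifetime of BLOCK_DURATION: the entry is removed a fixed 24 hours
        # after the first detection, however often it is read in between.
        # The stored value (detection time) is only there for operators.
        table set -excl -subtable $static::PENALTY_SUBTABLE $src_ip [clock seconds] \
            indefinite $static::BLOCK_DURATION
        log local0. "DoS L7 attack from $src_ip: blocked for $static::BLOCK_DURATION s"
    }
}

# Runs on every new TCP connection, before the TLS handshake and before any
# HTTP parsing, so no HTTP profile is needed and a blocked client never
# reaches the SSL proxy or the DoS engine at all.
when CLIENT_ACCEPTED {
    set src_ip [IP::client_addr]

    if {[table lookup -notouch -subtable $static::PENALTY_SUBTABLE $src_ip] ne ""} {
        # reject sends a TCP RST; use "drop" instead for a silent discard.
        # Deliberately no log here: one line per connection attempt from a
        # blocked client would flood /var/log/ltm during an attack.
        reject
    }
}
```

Two practical caveats before deploying a fixed 24-hour penalty. First, IP::client_addr is the address the BIG-IP sees: if clients sit behind a corporate NAT, a CGNAT range or an upstream proxy, one abusive user blocks every user sharing that address for a full day, so consider a lower penalty or an allow-list for known shared egress addresses. Second, the block lives in the session table of the unit that detected the attack; to lift it early, a separate iRule can call `table delete -subtable penalty_box <ip>`, and `table lifetime -remaining -subtable penalty_box <ip>` reports how long a block has left.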