Forum Discussion

RockBD's avatar
Icon for Altostratus rankAltostratus
May 03, 2021

How to block source IP (which is hidden in pvt ip) in F5 Big-IP.

Dear All


I am not good in networking terms so please forgive if i am wrong.


I am a application owner. Last couple of days my application got DDoS attack (as per my network team). But the problem is they can't block it in the F5 Big-IP because when they try to find the source IP they are getting 10.x.x.x, 172.16.x.x, 172.31.x.x, 192.168.x.x which is private IP.


So my query is how to get the source where the original request is generate or how can i block this type of attack.


Thanks in advance.




5 Replies

  • Hi RockBD,


    I think it's a tricky one to give a simple answer to, but here's my two cents on how I would investigate;

    • See if you (or whoever looks after the BigIP) can find out what interface the traffic comes in on. (is it coming from internet facing interface, is it coming from internal interfaces?)
    • Once you know that, discuss if you SHOULD receive those IP ranges from that interface? (for example, you should never receive any of those private ranges from the outside world). If those interfaces should not receive this, the F5 can set up a packet filter (Via Network - Packet Filters) to block any private IP's from those interfaces.
    • If yes, investigate if the traffic isn't acidentally coming from internal somewhere - maybe someone has misconfigured some systems, or some tests running? Possibly you can still put some partial packet filters in place to limit the attack at least for now.
    • If the traffic is coming from somewhere further upstream that is then hiding it behind a private IP, see if that device can inject a HTTP XFF header, so that the F5 can read the XFF header, rather than the internal IP. The F5 can then block traffic based on the original IP again.
    • For a proper solution, in case it is a real DoS attack that doesn't stop and changes between IP's etc, I'd recommend looking into AFM for network-level DoS protection and AdvWAF for application-level DoS protection. Their DoS profiles can take a lot of the guesswork out of dealing with this, and are great at stopping these attacks before they do any damage.


    Hope this helps.

    • RockBD's avatar
      Icon for Altostratus rankAltostratus

      Sorry to inform you that most of your technical term didn't understand properly. but when the sys admin impose geo location policy that this site can only view/access with in the native country not around the world then i think the WAF stops the DDoS attack. So i don't think it is not generating form internal IPs.


      Can you tell me how to check XFF header. or any other solution.

  • Hi RockBD,


    I agree with , check if these IP addresses aren't some real internal systems that are misconfigured. Maybe you application is an API or something like a reporting service and some systems are configured to query it regularly?

    Second, IP addresses can be spoofed. The Wikipedia article on IP address spoofing will explain you what that is. If this is a DDoS attack, attackers usually retool and use different source IP addresses throughout the attack. They do this in order to bypass rate limiting or blocking. Also, if those are real internal IPs, you might block benign traffic / users from accessing your application.

    Check with your network team is running an update version of BIG-IP and you have a ASM/AdvWAF license, they can use techniques such as client fingerprinting.

    Take a look here: K19556739: Overview of BIG-IP ASM client fingerprinting

    This should give you some understanding how the BIG-IP will identify devices (attackers) with more advanced techniques than "block by source IP".

    Also read this devcentral article: What is Shape Security?

    It will give you a better understand of the whole concept behind identifying attackers properly.


    Best of luck



    • RockBD's avatar
      Icon for Altostratus rankAltostratus

      can you please guide me how to block DDoS attack on Big-IP? I don't know which article will be more appopriate for blocking DDoS. Is the following is the possible way to protect DDoS in F5 big-IP

      • Look, there is not a one size fits all solution for DDoS. It much depends on the BIG-IP device you have, the TMOS version you run, the license you own and the kind of attack you see.

        From the link you have shared, I would configure Behavioral & Stress-based Detection only. Do not combine Behavioral & Stress-based Detection with TPS-based detection.

        Additionally I would add a Bot Defense Profile.