Forum Discussion
iRule to add IP to blacklist/feed
Is there an iRule command to add an IP address to one of the blacklist feeds? Ideally I would like to be able to add an IP address with an iRule to the new shun feature/list on AFM so that it would be automatically removed later.
Example use case:
Someone tries to access /admin on a site (maybe /admin doesn't even exist, but the fact that they are looking for it means I just want to stop them from doing anything else), and the iRule would add their address to the blacklist to shun them for a period of time.
5 Replies
Hi,
You can try the following example; it is not perfect, but I think it can be a good start for your need:

    when RULE_INIT {
        set static::irule_name "irule-blackhole"
        set static::log_server ""
        set static::log_pri "local0."
        set static::fail_tab "fails"
        set static::blacklist_tab "blackhole"
        set static::max_failures 5
        set static::fail_memory 300
        set static::block_duration 300
    }
    when CLIENT_ACCEPTED {
        if {[table lookup -subtable $static::blacklist_tab [IP::client_addr]] == 1} {
            # Block source IPs exceeding the number of failed logons in the timeout period
            log $static::log_pri "[virtual] - BLACKHOLED IPADDR [IP::client_addr]:[TCP::client_port] (Reputation=[IP::reputation [IP::client_addr]])"
            reject
            return
        }
    }
    when HTTP_REQUEST {
        if {[table lookup -subtable $static::blacklist_tab [IP::client_addr]] == 1} {
            # Block source IPs exceeding the number of failed logons in the timeout period
            log $static::log_pri "[virtual] - BLACKHOLED IPADDR [IP::client_addr]:[TCP::client_port] (Reputation=[IP::reputation [IP::client_addr]])"
            reject
            return
        }
        if { [HTTP::path] eq "/admin" } {
            # Create the fail counter for this client if it does not exist yet (0, expires after fail_memory seconds)
            table set -subtable $static::fail_tab -notouch -excl [IP::client_addr] 0 indef $static::fail_memory
            table incr -subtable $static::fail_tab [IP::client_addr]
            if {[table lookup -subtable $static::fail_tab [IP::client_addr]] >= $static::max_failures} {
                set now [clock seconds]
                set now_date [split [clock format $now -format {%X %x}] " "]
                set later [expr {$now + $static::block_duration}]
                set later_date [split [clock format $later -format {%X %x}] " "]
                log $static::log_pri "[virtual] - BLACKHOLING IPADDR - [IP::client_addr] (Reputation=[IP::reputation [IP::client_addr]]) at $now_date until $later_date"
                # Blackhole the client for block_duration seconds; the entry expires on its own
                table set -subtable $static::blacklist_tab -excl [IP::client_addr] 1 indef $static::block_duration
            }
        }
    }
Yann_Desmarest_
Nacreous
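To see how the fail window and the block duration in the rule above actually behave, here is a small Python model of its session-table logic. This is an added example, not code from the thread or from F5: it stands in for the `table` subcommands the iRule uses (`set -excl`/`-notouch`, `incr`, `lookup` with inactivity timeouts) with a fake clock, and it assumes the table command's documented default that `lookup` and `incr` refresh an entry's timeout unless `-notouch` is given. The traffic is constructed (one client from the RFC 5737 test range), and `lookup_notouch` is a hypothetical switch that shows the variant where the blocked client's own retries do not extend its block.

```python
# Added example: Python model of the posted iRule's fail counter and temporary
# blacklist. Not the iRule itself and not F5 code; the `table` semantics are
# modelled, with one assumption: lookup/incr refresh the timeout unless notouch.

MAX_FAILURES = 5             # static::max_failures
FAIL_MEMORY = 300            # static::fail_memory, seconds
BLOCK_DURATION = 300         # static::block_duration, seconds
FAIL_TAB = "fails"           # static::fail_tab
BLACKLIST_TAB = "blackhole"  # static::blacklist_tab


class SessionTable:
    """Stand-in for the iRule session table: one dict per subtable, each entry
    stored as (value, expires_at, timeout) with an inactivity timeout."""

    def __init__(self):
        self._tabs = {}

    def _sub(self, name):
        return self._tabs.setdefault(name, {})

    def lookup(self, subtable, key, now, notouch=False):
        """table lookup [-notouch] -subtable S key; None if absent or expired."""
        tab = self._sub(subtable)
        entry = tab.get(key)
        if entry is None:
            return None
        value, expires_at, timeout = entry
        if expires_at <= now:
            del tab[key]  # an expired entry behaves as if it was never set
            return None
        if not notouch:
            tab[key] = (value, now + timeout, timeout)  # default lookup refreshes the timeout
        return value

    def set_excl(self, subtable, key, value, timeout, now):
        """table set -subtable S -excl key value indef timeout: create only if absent."""
        if self.lookup(subtable, key, now, notouch=True) is None:
            self._sub(subtable)[key] = (value, now + timeout, timeout)

    def incr(self, subtable, key, now, timeout=FAIL_MEMORY):
        """table incr -subtable S key: add 1 and refresh the timeout (starts at 1 if absent)."""
        tab = self._sub(subtable)
        value = self.lookup(subtable, key, now, notouch=True)
        if value is None:
            tab[key] = (1, now + timeout, timeout)
            return 1
        timeout = tab[key][2]
        tab[key] = (value + 1, now + timeout, timeout)
        return value + 1


def handle_request(table, client_ip, path, now, lookup_notouch=False):
    """One pass of the iRule's HTTP_REQUEST logic for a single request.

    Returns "reject" (client is blackholed), "blacklisted" (this probe crossed
    max_failures; the iRule only records the entry and lets the request through)
    or "allow". lookup_notouch is the hypothetical hardened variant in which a
    blocked client's retries do not extend its own block."""
    if table.lookup(BLACKLIST_TAB, client_ip, now, notouch=lookup_notouch) == 1:
        return "reject"
    if path == "/admin":
        table.set_excl(FAIL_TAB, client_ip, 0, FAIL_MEMORY, now)
        fails = table.incr(FAIL_TAB, client_ip, now)
        if fails >= MAX_FAILURES:
            table.set_excl(BLACKLIST_TAB, client_ip, 1, BLOCK_DURATION, now)
            return "blacklisted"
    return "allow"


def run_scenario(lookup_notouch=False):
    """Constructed traffic from one client: five /admin probes 10 s apart, then
    a plain request every 60 s for ten minutes. Returns the per-request decisions."""
    table = SessionTable()
    ip = "192.0.2.10"  # constructed test address (RFC 5737 range)
    decisions = [handle_request(table, ip, "/admin", 10 * i, lookup_notouch) for i in range(5)]
    decisions += [handle_request(table, ip, "/", t, lookup_notouch) for t in range(100, 700, 60)]
    return decisions


if __name__ == "__main__":
    print("default lookups:", run_scenario())
    print("notouch lookups:", run_scenario(lookup_notouch=True))
```

Two things the model makes visible. First, the request that crosses `max_failures` is itself still allowed through; only the next connection or request from that address is rejected. Second, with the posted rule's plain `table lookup` calls, every connection from a blacklisted client refreshes the blackhole entry's timeout, so a client that keeps retrying is never released (ten rejects in the default run), whereas with `-notouch` on those lookups the block lapses after `block_duration` seconds of wall time and the entry is removed on its own (four rejects, then allowed again). Note also that this keeps state in the session table of the virtual server, not in an AFM feed or shun list, which is what the question was after.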
Hi, did you have a chance to test this iRule?
What this user is trying to do is something I think F5 should address. I had the ability to dynamically block IP addresses based on behavior all the way back in 2000 using CheckPoint and ISS RealSecure. There are behaviors that are inexcusable that ASM and AFM would be hard-pressed to detect; the ability to easily black-list malefactor IPs would be a huge asset. Once an attacker is blocked from doing anything at all with your site, they will usually move on to greener pastures.