Forum Discussion
JWhitesPro_1928
Cirrostratus
Jun 01, 2016
iRule to add IP to blacklist/feed
Is there an iRule command to add an IP Address to one of the blacklist feeds? Ideally I would like to be able to add an ip address with an irule to the new shun feature/list on AFM so that it would ...
Yann_Desmarest
Cirrus
Jun 01, 2016
Hi,
You can try the following example; it is not perfect, but I think it can be a good start for your needs:
when RULE_INIT {
    set static::irule_name "irule-blackhole"
    set static::log_server ""
    set static::log_pri "local0."
    # Subtable that counts hits per client IP
    set static::fail_tab "fails"
    # Subtable that holds the currently blocked client IPs
    set static::blacklist_tab "blackhole"
    # Hits allowed before blocking
    set static::max_failures 5
    # Seconds a hit counter is kept
    set static::fail_memory 300
    # Seconds a block lasts
    set static::block_duration 300
}
when CLIENT_ACCEPTED {
    if {[table lookup -subtable $static::blacklist_tab [IP::client_addr]] == 1} {
        # Block source IPs exceeding the number of failed logons in the timeout period
        log $static::log_pri "[virtual] - BLACKHOLED IPADDR [IP::client_addr]:[TCP::client_port] (Reputation=[IP::reputation [IP::client_addr]])"
        reject
        return
    }
}
when HTTP_REQUEST {
    # Checked again per request, so an already open connection is caught too
    if {[table lookup -subtable $static::blacklist_tab [IP::client_addr]] == 1} {
        # Block source IPs exceeding the number of failed logons in the timeout period
        log $static::log_pri "[virtual] - BLACKHOLED IPADDR [IP::client_addr]:[TCP::client_port] (Reputation=[IP::reputation [IP::client_addr]])"
        reject
        return
    }
    if { [HTTP::path] eq "/admin" } {
        # Create the counter on the first hit only (-excl), then increment it
        table set -subtable $static::fail_tab -notouch -excl [IP::client_addr] 0 indef $static::fail_memory
        table incr -subtable $static::fail_tab [IP::client_addr]
        if {[table lookup -subtable $static::fail_tab [IP::client_addr]] >= $static::max_failures} {
            set now [clock seconds]
            set now_date [split [clock format $now -format {%X %x}] " "]
            set later [expr {$now + $static::block_duration}]
            set later_date [split [clock format $later -format {%X %x}] " "]
            log $static::log_pri "[virtual] - BLACKHOLING IPADDR - [IP::client_addr] (Reputation=[IP::reputation [IP::client_addr]]) at $now_date until $later_date"
            # Blacklist the client IP for block_duration seconds
            table set -subtable $static::blacklist_tab -excl [IP::client_addr] 1 indef $static::block_duration
        }
    }
}
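A small Python model of the rule's timing, added here as an example and not part of the original post. It assumes an entry's lifetime runs from its creation and that `table set -excl` leaves an existing entry untouched; `SubTable` and `Blackhole` are hypothetical names. It shows that the request reaching `max_failures` is still served and that the counter is a fixed 300-second window, not a sliding one.

```python
# Constructed model of the iRule's two subtables; class and method names are hypothetical.
MAX_FAILURES = 5      # static::max_failures
FAIL_MEMORY = 300     # static::fail_memory, seconds
BLOCK_DURATION = 300  # static::block_duration, seconds


class SubTable:
    """Entries with no idle timeout ('indef') and an absolute lifetime."""

    def __init__(self):
        self._rows = {}  # key -> [value, expires_at]

    def lookup(self, key, now):
        row = self._rows.get(key)
        if row is None or now >= row[1]:
            self._rows.pop(key, None)  # expired or never set
            return None
        return row[0]

    def add(self, key, value, lifetime, now):
        # Assumed 'table set -excl' behaviour: create only when the key is absent,
        # so the lifetime is counted from the first hit and never extended.
        if self.lookup(key, now) is None:
            self._rows[key] = [value, now + lifetime]

    def incr(self, key):
        self._rows[key][0] += 1  # caller has just called add(), so the row exists
        return self._rows[key][0]


class Blackhole:
    def __init__(self):
        self.fails = SubTable()
        self.blocked = SubTable()

    def request(self, ip, path, now):
        """Verdict ('allow' or 'reject') for one request at second `now`."""
        if self.blocked.lookup(ip, now) == 1:
            return "reject"
        if path == "/admin":
            self.fails.add(ip, 0, FAIL_MEMORY, now)
            if self.fails.incr(ip) >= MAX_FAILURES:
                self.blocked.add(ip, 1, BLOCK_DURATION, now)
        return "allow"  # the request that trips the threshold still passes

if __name__ == "__main__":
    bh = Blackhole()  # constructed timeline for one documentation-range address
    for t in (0, 10, 20, 30, 40, 41, 339, 340):
        print(t, bh.request("203.0.113.7", "/admin", t))
```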
Yann_Desmarest
Cirrus
Jun 03, 2016
Hi, did you have a chance to test this iRule?