Forum Discussion
Eireann78_19953
Nimbostratus
Aug 28, 2008
Prevent Data Mining ASM and LTM
Hey,
We will be soon releasing some new apps on our website pulling data from a content management system. A worry we have is that the content could be trawled and copied by some automated bot.
Can the ASM determine that something illegitimate (which would generally be anything not googlebot, yahoo, msn etc) is crawling our site based on rate, maybe using url +1 type logic that could stop this activity occurring (even if a botnet is used or spoofed ip / proxy etc) without harming legitimate traffic.
Secondly as we want to use the web accelerator product so may have to go without the ASM for a while until version 10 is released is there functionality in the LTM that can prevent this some type of iRule or class profile.
Sorry maybe this info is out there already I had a quick search on the forum and a read through the ASM config guide but didn't come across anything.
Thanks
8 Replies
- hoolio
Cirrostratus
Hi,
I don't know of any DOS protection at the HTTP layer in ASM. If you can map out the logic for how to determine one or more clients is attacking the application, you could potentially write an iRule to detect and protect against the attack. I'm not sure how easy it would be to detect a distributed DOS attack though. Logically what are you thinking you'd like to look for?
This might be a good request for enhancement. If you want F5 to consider adding this type of functionality, you could open a case with F5 Support requesting it.
Aaron
- Don_22992
Nimbostratus
Don't many of those bots show up as unique agents in the header? I suspect that information could be used to block such undesirable browsing.
- zafer
Nimbostratus
Hi hoolio,
I think ASM needs integration with some iRule features like request throttling.
The other vendors automatically implement their products transparently and protect against these types of attack with no hard configuration.
Customers request these types of product in my region.
If the ASM integrates anomaly-based attack detection for some requests and automatic blocking,
it will be great.
zafer
- hoolio
Cirrostratus
Hi Zafer,
Those are valid suggestions that I'm sure F5's ASM product management would like to hear. To make this request formally, you can open a case with F5 Support and provide as much detail as possible on what improvements you'd like to see in ASM and examples of competitive product features.
Aaron
- strongarm_46960
Nimbostratus
You could probably write an iRule to display a CAPTCHA file every 15 minutes to the HTTP originator whenever requests reach 50 requests per second from a particular IP address; users coming from proxies will just have to complete a simple form. If the form is not filled, the request gets 30x redirected > /dev/null
- Ido_Breger_3805
Historic F5 Account
darraghk,
The problem you are describing is what we call "web scraping". It is a different problem than L7 DOS, although, sometimes they are related.
Other solutions in the market provide very limited functionality to prevent it. This kind of functionality and much more could be implemented in an iRule.
For example: once you have identified a session like that (based on an HTTP header/value, or by counting, for example, the number of requests on a session), route that bot to a different web server using an HTTP class that sends all the traffic to a different destination pool (you can configure a different pool for a class). The pool's address can be local or, if you want to be bad, external. This way you keep the bot busy crawling, but the content it gathers is the content that you want it to get...
Did that bot cause a DOS on your server? If it did, you may want to look at version 10, available for beta.
Cheers,
Ido
- Ido_Breger_3805
Historic F5 Account
Hi,
ASM version 10.1 includes a unique feature that could mitigate that kind of activity.
I highly recommend you to try it.
Cheers,
Ido
- hoolio
Cirrostratus
That begs the question of when will 10.1 be released? :D
Aaron
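The two iRule ideas raised in the thread (a per-IP request threshold, and routing a flagged client to a different pool) can be combined as in the following sketch, which is an added example and not code from any poster or from F5. It assumes the iRule `table` command is available (BIG-IP 10.1 or later), uses a hypothetical pool name `decoy_pool`, and borrows the 50 requests per second and 15 minute figures from strongarm's post as starting values.

```tcl
# Added example, not from the thread. decoy_pool is a hypothetical pool
# that serves whatever content you are willing to hand to a scraper.
when RULE_INIT {
    set static::window  1     ;# counting window, in seconds
    set static::max_req 50    ;# requests allowed per window per client IP
    set static::hold    900   ;# keep a flagged client diverted for 15 minutes
}

when HTTP_REQUEST {
    set ip [IP::client_addr]

    # A client flagged earlier stays on the decoy pool until the flag expires.
    if { [table lookup -notouch "scrape_flag:$ip"] ne "" } {
        pool decoy_pool
        return
    }

    set key "scrape_cnt:$ip"
    set count [table lookup -notouch $key]
    if { $count eq "" } {
        # First request in this window: create the counter with a fixed lifetime.
        table set $key 1 $static::window $static::window
    } elseif { $count < $static::max_req } {
        # -notouch leaves the expiry alone, so the window is not extended.
        table incr -notouch $key
    } else {
        # Threshold reached: flag the client and divert this request as well.
        table set "scrape_flag:$ip" 1 $static::hold $static::hold
        log local0. "scrape threshold reached for $ip, routing to decoy_pool"
        pool decoy_pool
    }
}
```

Counting by source IP treats every user behind one proxy as a single client and does not see a crawl spread across many addresses, so tune the threshold against real traffic and review the `local0` log entries before relying on the diversion.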
