Forum Discussion

Jason_Chapman_3's avatar
Jason_Chapman_3
Icon for Nimbostratus rankNimbostratus
Feb 18, 2014

Raise ASM violation based on return JSON element value

I have a strange requirement to be able to shun (block connections from a source IP) for a fixed time period based on the number of times a certain value is returned to a JSON request (a return value...
application delivery
ASM Advanced WAF
devops
iRules
LTM
security
ltwagnon's avatar
ltwagnon
Ret. Employee
May 06, 2014

I haven't tackled a similar problem, but you could try attacking this one with an iRule. A while back, Jason Rahm created an iRule that does something similar to the idea that you are describing. Granted, Jason's iRule was targeted at defeating an SSL Renegotiation attack, but the logic is very similar. 

if client attempts renegotiation more than 5 times in one minute, silently drop the connection

Here's a link to an article that outlines the iRule and logic behind it: https://devcentral.f5.com/articles/ssl-renegotiation-dos-attack-ndash-an-irule-countermeasure.U2lNxCjmqZc

I'm thinking you could do something similar. 

if IP address returns resultCode"666" > 10 times in 5 minutes, block the IP for x minutes

We could help with iRule syntax if you wanted to go this route.