Forum Discussion

eranati
Nov 26, 2019

Request Blocking By Source IP

Hi,

I have a question about request blocking by source IP in TPS-based detection and stress-based detection.

How is the IP blocked by the ASM? Is that by responding with a response code 4xx to all his requests? By resetting the connection with him by sending a RST packet? Or something else?

Thanks.

  • Hi,

     

    If I understand you correctly, usually you have an XFF header that identifies you behind a proxy.

    So when you set an HTTP profile that accepts that XFF header, the DoS profile detection will work on this IP instead of the IP connected to the VS. This way, the RST packet would be sent when the malicious XFF IP makes requests, which prevents resetting all connections from other IP addresses. This setup needs AVR to be provisioned.

    I have this trick on a VS setup below a CDN proxy.

    For security, I think it is good to customize an alternative name for XFF, where just the BIG-IP and the proxy/CDN know that name, to prevent an attacker from impersonating IP addresses in that header.

     

    Regards.

     

    https://support.f5.com/csp/article/K40243113

     

    Accept XFF

     

    Enables or disables trusting the client IP, and statistics from the client IP address, based on the request's X-Forwarded-For (XFF) headers, if they exist.

    Note: This option has an effect only when you use either AVR or ASM L7 DoS profile (ASM required). For AVR, the Accept XFF option allows the BIG-IP system to trust and take into consideration IP addresses from the X-Forwarded-For header for statistics purposes. For an L7 DoS profile, the Accept XFF option allows the BIG-IP system to take action based on IP addresses from the X-Forwarded-For header that match, for example, an Access List.
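
An added example, not part of the original thread and not how BIG-IP implements Accept XFF: picking the address that per-source blocking should key on when the virtual server sits behind a CDN. The proxy range `203.0.113.0/24`, the header name `X-Edge-Client-IP` and the function names are assumptions for illustration; the example also goes one step beyond the reply by honoring the header only when the connecting peer is a known proxy.

```python
import ipaddress

# Constructed values (assumptions): the CDN/proxy egress range and a private
# header name agreed between the proxy and the device in front of the app.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]
CLIENT_IP_HEADER = "x-edge-client-ip"  # hypothetical alternative to X-Forwarded-For


def _is_trusted(ip):
    """True when the address belongs to one of our own proxies."""
    return any(ip in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer_ip, headers):
    """Return the address that per-IP rate limiting or blocking should key on."""
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted(peer):
        # Direct connection: any forwarded header is client-controlled, ignore it.
        return str(peer)

    value = next(
        (v for k, v in headers.items() if k.lower() == CLIENT_IP_HEADER), None
    )
    if value is None:
        # Proxy did not supply the agreed header: fall back to the peer address.
        return str(peer)

    # Walk right to left: the rightmost entries were appended by our proxies,
    # anything further left may have been supplied by the client itself.
    for hop in reversed([h.strip() for h in value.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed entry: do not trust the header at all
        if not _is_trusted(ip):
            return str(ip)
    return str(peer)  # header listed only our own proxies
```

Keying on the rightmost untrusted entry means a client that prepends a fake address to the header still gets attributed to the address the proxy actually saw.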