Forum Discussion
Request Blocking By Source IP
Hi,
If I understand you correctly, usually you have an XFF header that identifies you behind a proxy.
So when you set an HTTP profile that accepts that XFF header, the DoS profile detection will work on this IP instead of the IP connected to the VS. This way, the RST packet would be sent when the malicious XFF IP makes requests, preventing the reset of all connections from other IP addresses. This setup needs AVR to be provisioned.
I have this trick on a VS set up below a CDN proxy.
For security, I think it is good to customize an alternative name for XFF that only the BIG-IP and the proxy/CDN know, to prevent an attacker from impersonating IP addresses in that header.
Regards.
https://support.f5.com/csp/article/K40243113
Accept XFF
Enables or disables trusting the client IP, and statistics from the client IP address, based on the request's X-Forwarded-For (XFF) headers, if they exist.
Note: This option has an effect only when you use either AVR or ASM L7 DoS profile (ASM required). For AVR, the Accept XFF option allows the BIG-IP system to trust and take into consideration IP addresses from the X-Forwarded-For header for statistics purposes. For an L7 DoS profile, the Accept XFF option allows the BIG-IP system to take action based on IP addresses from the X-Forwarded-For header that match, for example, an Access List.
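The source-selection logic the reply describes, sketched as an added Python example (not code from the post and not how BIG-IP implements Accept XFF): a forwarded client IP is honoured only when the connection comes from the known proxy/CDN and arrives in the agreed header name. The proxy range, the header name `x-edge-client-ip` and the sample requests are constructed assumptions, and the example assumes the proxy appends the address it saw as the last entry.

```python
import ipaddress
from collections import Counter

# Assumed values for illustration: constructed CDN egress range and a
# hypothetical alternative header name agreed between proxy and load balancer.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]
CLIENT_IP_HEADER = "x-edge-client-ip"


def effective_source(peer_ip, headers, header_name=CLIENT_IP_HEADER):
    """Return the IP that per-source detection should be charged to."""
    peer = ipaddress.ip_address(peer_ip)
    # Only a connection arriving from the proxy/CDN may assert a client IP.
    if not any(peer in net for net in TRUSTED_PROXIES):
        return str(peer)
    # Header names are expected lower-cased. The last entry is the one the
    # proxy added; anything to its left was supplied by the client.
    candidate = headers.get(header_name, "").split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return str(peer)  # missing or malformed header: fall back to the peer


def count_sources(requests):
    """Count requests per effective source IP."""
    hits = Counter()
    for peer_ip, headers in requests:
        hits[effective_source(peer_ip, headers)] += 1
    return hits


# Constructed sample traffic: (connecting peer, request headers)
SAMPLE = [
    ("203.0.113.10", {"x-edge-client-ip": "198.51.100.7"}),
    ("203.0.113.10", {"x-edge-client-ip": "198.51.100.7"}),
    ("203.0.113.11", {"x-edge-client-ip": "198.51.100.7", "x-forwarded-for": "192.0.2.1"}),
    ("203.0.113.10", {"x-edge-client-ip": "192.0.2.55"}),
    ("198.51.100.99", {"x-edge-client-ip": "192.0.2.55"}),  # direct hit: header ignored
    ("203.0.113.10", {"x-edge-client-ip": "not-an-ip"}),    # malformed: peer is used
]

if __name__ == "__main__":
    for ip, n in count_sources(SAMPLE).most_common():
        print(ip, n)
```
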