Unexpected traffic on F5 unable to block

Question

We are currently receiving over 1 million active connections through our F5 from an unknown source and are trying to create an iRule or similar to block. Usually, we have 19 connections.&nbsp;
F5 Version: BIG-IP 9.4.8 Build 355.0 Final&nbsp;
From console command: bigpipe conn show all&nbsp;
VIRTUAL any:any &lt;-&gt; NODE 203.116.13.197:http   TYPE local
    CLIENTSIDE 100.101.24.93:26282 &lt;-&gt; 203.116.13.197:http
        (pkts,bits) in = (1, 62)   out = (0, 0)&nbsp;
Would anyone be able to provide an example of how to block the traffic from 203.116.13.197? This address is persistent for all of the traffic.&nbsp;
Thank you.&nbsp;

only1masterbla1 · Answer

You can use iRule (examples below)  or apply packet filters (under Networks) to drop packets. My preference would be for packet filter.&nbsp;
irule Examples:&nbsp;
Access Control Based On Network or Host
https://devcentral.f5.com/codeshare?sid=28&nbsp;
Access Control Based on IP
https://devcentral.f5.com/codeshare?sid=27&nbsp;

only1masterbla1 · Answer

You may use iRule like this:&nbsp;
when CLIENT_ACCEPTED {
   if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
     drop
     log local0. "connection dropped from [IP::client_addr]"
  } 
}&nbsp;
All address definitions are here for your reference:
https://devcentral.f5.com/wiki/iRules.IP.ashx&nbsp;

Forum Discussion

Unexpected traffic on F5 unable to block

Recent Discussions

Need Urgent BIGIP Trial License and VM Image

APM for banner and cert

How to Renew F5 Device Certificate

UCS backup not loading Big IP DNS pool

XC Bot defense question

Related Content

Traffic Policy to Split Content Between IIS Server and Cloud Provider - unexpected behavior

Understanding Performance Metrics and Network Traffic

Unable to access GUI

Unable to update device cert

fellow traffic

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS