Forum Discussion

mervesassmaz (Nimbostratus), Jun 08, 2026

URI-based Blocking vs. IP-based Ban in irules

I’m currently working on a security implementation using F5 BIG-IP iRules to mitigate malicious activity targeting a specific URI, /contact-us, on our web application. I’m debating the best approach regarding scope and impact, and I would love to hear your insights or "lessons learned" from your own deployments. We are protecting a specific endpoint from anomalous requests (potential injection/brute-force attempts). My primary goal is to ensure the security of this endpoint without causing unnecessary disruption to legitimate users or creating management overhead. When we detect an anomaly, should we stick to URI-level blocking (dropping/rejecting only that specific request) or move to IP-based banning (adding the source IP to a table for a set duration)? What are your recommended strategies for handling false positives when using iRules?

8 Replies

  • Hi mervesassmaz,

    While iRules are powerful, I do think AWAF + Bot protection is better suited for this type of protection. The contact-us endpoint is likely more prone to injection-type, spam and abuse attacks and less likely to brute force, as it's not accepting logins etc. Within iRules you can implement rate limiting, but you would need the table command to keep track of IPs; this could get costly memory-wise, especially if you're getting spammed by hundreds/thousands of source IPs. Also you will have to clear entries to protect the BIG-IP memory and not have the table size growing exponentially. Using an iRule solely to handle protections and false positives is not optimal (IMO). I'd be curious to hear what others think.

    • Nikoolayy1 (MVP)

      Also IP intelligence/reputation will be a nice addition to this.

      • Juergen_Mang (MVP)

        I always find threat campaigns more useful than IPI, but this is another topic.

    • Daniel_Wolf (MVP)

      I think XC Bot Defense is the state-of-the-art solution for this kind of attack. It can be deployed either as a service or hybrid with BIG-IP (YT: F5 Distributed Cloud Bot Defense with Native Integration).
      The Bot Defense that comes with BIG-IP AWAF has its limitations with modern attacks. The signature-based approach will fend off script kiddies; the JS injection approach doesn't work well with some modern applications/frameworks.
      Solely IP-based blocking is dead. Serious attackers will change IP addresses faster than I can say "F5". Geo-location blocking is still effective, but I would only use it proactively, while under attack. Not all the time.

      • Jeff_Granieri (Employee)

        Agree, Daniel. I didn't bring XC to this conversation specifically because the conversation started with iRules (BIG-IP). 100% XC Bot Defense is best suited for this, and even the AI-enabled WAF in XC 🙂

    • Paulius (MVP)

      I agree with everyone else on this, going with an iRule as the solution here isn't the best option.

  • For simple rate-limiting implementations for dedicated URLs, an iRule implementation can work like a charm.

    For broader, more sophisticated protection, use the local AWAF implementation or XC.
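As an added example (written for this page, not posted by any participant and not F5 reference code), the following iRule shows the pattern the first reply describes and the reply above endorses: a per-IP hit counter for /contact-us kept in a table subtable whose entries expire on their own, so memory stays bounded without a manual cleanup job, plus a timed ban that is scoped to that URI only, so a NAT address shared with legitimate users is not locked out of the whole site. The data-group name contact_allow_dg, the subtable names cu_hits and cu_ban, and the thresholds are assumptions chosen for illustration.

```tcl
# Added example, not from the thread: URI-scoped rate limit on /contact-us
# with a timed, URI-scoped IP ban. Names and thresholds are assumptions.
when RULE_INIT {
    set static::cu_path     "/contact-us"
    set static::cu_window   60    ;# seconds a hit counter lives before it expires
    set static::cu_max_hits 20    ;# hits per window before the source is banned
    set static::cu_ban_secs 300   ;# ban duration; the entry expires by itself
}

when HTTP_REQUEST {
    # Everything except the protected path passes through untouched.
    if { [string tolower [HTTP::path]] ne $static::cu_path } { return }

    set ip [IP::client_addr]

    # Allowlist (address data group, assumed name) for known NAT ranges or
    # monitoring sources: the cheapest way to handle a confirmed false positive.
    if { [class match $ip equals contact_allow_dg] } { return }

    # Already banned: reject only this URI. Other pages stay reachable for
    # other users sharing the same NAT address.
    if { [table lookup -subtable cu_ban $ip] ne "" } {
        HTTP::respond 429 content "Too many requests" \
            "Retry-After" $static::cu_ban_secs "Connection" "close"
        return
    }

    # Count hits. On the first hit, give the key a hard lifetime so the window
    # cannot be extended by further touches; idle keys vanish on their own.
    set hits [table incr -subtable cu_hits $ip]
    if { $hits == 1 } {
        table lifetime -subtable cu_hits $ip $static::cu_window
    }

    if { $hits > $static::cu_max_hits } {
        # Ban entry: no idle timeout (indef), fixed lifetime of cu_ban_secs.
        table set -subtable cu_ban $ip [clock seconds] indef $static::cu_ban_secs
        table delete -subtable cu_hits $ip
        log local0. "contact-us limiter: banned $ip for $static::cu_ban_secs s after $hits hits"
        HTTP::respond 429 content "Too many requests" \
            "Retry-After" $static::cu_ban_secs "Connection" "close"
    }
}
```

Two points worth checking before deploying something like this: the per-source state is one small subtable entry per IP per window, so a flood from many sources still costs memory proportional to the number of distinct IPs until the lifetimes expire, which is exactly the concern the first reply raises; and a 429 on one URI is far easier to explain to a user behind a shared NAT than a site-wide block, which is why the ban check only runs after the path test.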

  • IP-based blocking might block legitimate users because most ISPs use NAT.

    Around 2 years ago I even couldn't access DevCentral because f5.com's IP reputation blocked my ISP's IP block.