Forum Discussion
URI-based Blocking vs. IP-based Ban in irules
I’m currently working on a security implementation using F5 BIG-IP iRules to mitigate malicious activity targeting a specific URI /contact-us on our web application. I’m debating the best approach regarding scope and impact, and I would love to hear your insights or "lessons learned" from your own deployments. We are protecting a specific endpoint from anomalous requests potential injection/brute force attempts. My primary goal is to ensure the security of this endpoint without causing unnecessary disruption to legitimate users or creating a management overhead. When we detect an anomaly, should we stick to URI-level blocking dropping/rejecting only that specific request or move to IP-based banning adding the source IP to a table for a set duration? What are your recommended strategies for handling false positives when using iRules ?
8 Replies
- Jeff_Granieri
Employee
Hi mervesassmaz
While iRules are powerful I do think AWAF + Bot protection is better suited for this type of protection. The contact-us endpoint is likely more prone to injection type, spam and abuse attacks and less likely from brute-force as its not accepting logins etc. Within iRules you can implement rate limiting but you would need the table command to keep track of IP's, this could get costly memory wise especially if your getting spammed by hundreds/thousands of source IP's. Also you will have to clear entries to protect the BIG-IP memory and not have a table size growing exponentially. Using an iRule solely to handle protections and false positives is not optimal (IMO). I'd be curious to hear what others think.Also IP intelligence/reputation will be a nice addition to this.
I always find threat campaigns more useful than IPI, but this is another topic.
I think XC Bot Defense is the state of the art solution for this kind of attack. It can be deployed either as a Service or hybrid with BIG-IP (YT: F5 Distributed Cloud Bot Defense with Native Integration).
The Bot Defense that comes with BIG-IP AWAF has it's limitations with modern attacks. The signature-based approach will fend off script kiddies, the JS injection approach doesn't work well with some modern applications/frameworks.
Solely IP-based blocking is dead. Serious attackers will change IP addresses faster than I can say "F5". Geo-Location blocking is still effective, but I would only use it proactively, while under attack. Not all the time.- Jeff_Granieri
Employee
Agree Daniel, I didn't bring XC to this conversation specifically because the conversation started with iRules(BIG-IP). 100% XC Bot Defense is best suited for this and even AI enabled WAF in XC 🙂
I agree with everyone else on this, going with an iRule as the solution here isn't the best option.
For simple rate-limiting implementations for dedicated URL's a iRule implementation can work like a charm.
For a broader, more sophisticated protection use the local AWAF implementation or XC.
ip based blocking might block legitimate users because most isp use nat.
around 2 years ago i even couldnt access devcentral because f5.com's ip reputation blocked my isp's ip block
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com