Forum Discussion
URI-based Blocking vs. IP-based Ban in irules
Hi mervesassmaz
While iRules are powerful I do think AWAF + Bot protection is better suited for this type of protection. The contact-us endpoint is likely more prone to injection type, spam and abuse attacks and less likely from brute-force as its not accepting logins etc. Within iRules you can implement rate limiting but you would need the table command to keep track of IP's, this could get costly memory wise especially if your getting spammed by hundreds/thousands of source IP's. Also you will have to clear entries to protect the BIG-IP memory and not have a table size growing exponentially. Using an iRule solely to handle protections and false positives is not optimal (IMO). I'd be curious to hear what others think.
I think XC Bot Defense is the state of the art solution for this kind of attack. It can be deployed either as a Service or hybrid with BIG-IP (YT: F5 Distributed Cloud Bot Defense with Native Integration).
The Bot Defense that comes with BIG-IP AWAF has it's limitations with modern attacks. The signature-based approach will fend off script kiddies, the JS injection approach doesn't work well with some modern applications/frameworks.
Solely IP-based blocking is dead. Serious attackers will change IP addresses faster than I can say "F5". Geo-Location blocking is still effective, but I would only use it proactively, while under attack. Not all the time.
- Jeff_GranieriJun 09, 2026
Employee
Agree Daniel, I didn't bring XC to this conversation specifically because the conversation started with iRules(BIG-IP). 100% XC Bot Defense is best suited for this and even AI enabled WAF in XC 🙂
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com