Forum Discussion
URI-based Blocking vs. IP-based Ban in iRules
I’m currently working on a security implementation using F5 BIG-IP iRules to mitigate malicious activity targeting a specific URI, /contact-us, on our web application. I’m debating the best approach regarding scope and impact, and I would love to hear your insights or "lessons learned" from your own deployments.

We are protecting a specific endpoint from anomalous requests (potential injection/brute force attempts). My primary goal is to ensure the security of this endpoint without causing unnecessary disruption to legitimate users or creating a management overhead.

When we detect an anomaly, should we stick to URI-level blocking (dropping/rejecting only that specific request) or move to IP-based banning (adding the source IP to a table for a set duration)? What are your recommended strategies for handling false positives when using iRules?
1 Reply
- Jeff_Granieri
Employee
Hi mervesassmaz,
While iRules are powerful, I do think AWAF + Bot protection is better suited for this type of protection. The contact-us endpoint is likely more prone to injection-type, spam and abuse attacks and less likely to brute-force, as it's not accepting logins etc. Within iRules you can implement rate limiting, but you would need the table command to keep track of IPs; this could get costly memory-wise, especially if you're getting spammed by hundreds/thousands of source IPs. Also, you will have to clear entries to protect the BIG-IP memory and not have a table size growing exponentially. Using an iRule solely to handle protections and false positives is not optimal (IMO). I'd be curious to hear what others think.
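As an added illustration (not code from either poster or from F5), the iRule below shows the table-based approach discussed in this thread: a per-IP counter and a temporary ban that both apply only to /contact-us and both expire on their own, so table memory is reclaimed without manual cleanup and a false positive is bounded in scope and time. The thresholds, the subtable names and the choice of request rate as the anomaly signal are assumptions.

```tcl
# Added example. Thresholds and subtable names are assumptions, not values from the thread.
when RULE_INIT {
    set static::cu_window 60   ;# counting window in seconds (assumed)
    set static::cu_max    10   ;# requests allowed per window (assumed)
    set static::cu_ban    300  ;# ban duration in seconds (assumed)
}

when HTTP_REQUEST {
    # Scope everything to the protected endpoint; the rest of the site is untouched.
    if { [string tolower [HTTP::path]] ne "/contact-us" } { return }

    set ip [IP::client_addr]

    # Already banned? -notouch keeps the lookup from extending the entry's timer.
    if { [table lookup -notouch -subtable cu_ban $ip] ne "" } {
        HTTP::respond 429 content "Too many requests" "Retry-After" $static::cu_ban
        return
    }

    # Count this request. On the first hit, pin a hard lifetime so the entry
    # is removed after the window even if the client keeps sending requests.
    set n [table incr -subtable cu_count $ip]
    if { $n == 1 } {
        table timeout  -subtable cu_count $ip indefinite
        table lifetime -subtable cu_count $ip $static::cu_window
    }

    if { $n > $static::cu_max } {
        # Ban entry: indefinite idle timeout, fixed lifetime, so it always expires.
        table add -subtable cu_ban $ip 1 indefinite $static::cu_ban
        log local0. "contact-us throttle: $ip exceeded ${static::cu_max} requests in ${static::cu_window}s"
        HTTP::respond 429 content "Too many requests" "Retry-After" $static::cu_ban
    }
}
```

Because IP::client_addr may be a shared NAT or upstream proxy address, one ban entry can cover many legitimate users. Each distinct source still costs a table entry for the length of the window, which is the memory concern raised in the reply.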