For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Nikoolayy1's avatar
Nikoolayy1
Icon for MVP rankMVP
Oct 13, 2022
Solved

Why does the Local Traffic policy allow Bot profile to be selected but the iRule can't ?

When I attach DOS and BOT profiles with local traffic policy or iRule I always need a default BOT and DOS profile even when I have a default rule that catches all the traffic. That is one thing but t...
bot
ddos
dos
security
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Oct 13, 2022

    Two things:

    • You need to have a profile applied to a VIP to engage that HUD filter. From there you can programmatically enable/disable the profile.
    • The error in the iRule indicates that BOTDEFENSE::enable doesn't take an extra parameter. It just enables the attached BD profile. An LTM policy can uniquely select and apply a BD profile.
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Oct 13, 2022

Two things:

  • You need to have a profile applied to a VIP to engage that HUD filter. From there you can programmatically enable/disable the profile.
  • The error in the iRule indicates that BOTDEFENSE::enable doesn't take an extra parameter. It just enables the attached BD profile. An LTM policy can uniquely select and apply a BD profile.
  • Nikoolayy1's avatar
    Nikoolayy1
    Icon for MVP rankMVP
    Oct 14, 2022

    Kevin  to the rescue. Thanks and I tested it and it works fine. The bot defence has better whitelist based on url and/or Ip address not just ip address as the DOS profile but to stop a specific protection for API traffic based on HTTP header like Browser valudation and Device ID was not possible and started doing the irule below but the one that unblocks the client side challenge and it is suggested at  https://clouddocs.f5.com/api/irules/BOTDEFENSE__cs_possible.html   is wrong for me (the one irulefor deviceid is ok) as if the API traffic can't reply to javascript and this irule will not block it but this will also unblock it for every bot violation that will trigger TCP RST if I am not wrong or maybe as the other Bot violations returns support id web page maybe they will not match the tcp_rst.

     

    Still thanks again!

     

    https://clouddocs.f5.com/api/irules/BOTDEFENSE__cs_possible.html

    https://clouddocs.f5.com/api/irules/BOTDEFENSE__cs_attribute.html

     

     

    # EXAMPLE: Prevent blocking of requests that cannot be responded with a
 # client-side challenge.
 when BOTDEFENSE_ACTION {
     if {    ([BOTDEFENSE::action] eq "tcp_rst") &&
             (not [BOTDEFENSE::cs_possible])} {
         BOTDEFENSE::action allow
     }
 
     when BOTDEFENSE_REQUEST {
     BOTDEFENSE::cs_attribute device_id enable
 }