Block IP after a number of ASM Blocks
Published Apr 20, 2021
Version 1.0Was this article helpful?
Nice! You can also do this as ASM_REQUEST_DONE that is triggered even before ASM_REQUEST_BLOCKING (this way some CPU may be saved) with an if statement to check if after the request is seen by the ASM if there is a violation ( [ASM::status] equals "blocked" ) and then to check the table as I have done this for a DOS attack.
In some cases if there is a XFF (X-Forwarded-For) better use it as the client's real source ip check as I have in my irule: