Block IP after a number of ASM Blocks

Problem this snippet solves: There is no reason to let Attacker hand over all information at once. How to use this snippet: Add the iRule to the virtual Server and activate iRule after ASM Blo...
Published Apr 20, 2021
Version 1.0
ASM Advanced WAF
BIG-IP
iRules
Security
Nikoolayy1's avatar
Nikoolayy1
Icon for MVP rankMVP
Oct 08, 2022

Nice! You can also do this as ASM_REQUEST_DONE that is triggered even before ASM_REQUEST_BLOCKING (this way some CPU may be saved) with an if statement to check if after the request is seen by the ASM if there is a violation (  [ASM::status] equals "blocked" ) and then to check the table as I have done this for a DOS attack.

In some cases if there is a XFF (X-Forwarded-For) better use it as the client's real source ip check as I have in my irule:

https://community.f5.com/t5/codeshare/asm-waf-rate-limit-and-block-clients-by-source-ip-or-device-id/ta-p/291471