cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

Application attack from different source IPs

WaterSoup
Nimbostratus
Nimbostratus

Hello everyone,

Can anyone help me in a scenario where we currently have an externally exposed API we are constantly receiving requests from thousands of different ip's, in a scenario that the normal are 1000 requests we now have more than 25000, what happens is that 1 request is made through these multiple ip's, from multiple regions and are distributed between the period of 1 to 10 min basically they are simulating a normal user but the response for them is always the error 400, this kind of requests are not identified as malicious even by Microsoft Threat Intelligence feed, talos or our f5 wafs, we are reviewing some of our wafs solutions we saw cookie based ddos protection, but since they are REST API's there are no cookies, so it doesn't apply, we also thought about captcha but that will have implications on the API functionalities.
Is it possible to do some kind of mitigation through irules like create a table with a log that when it detects several 400 errors from one source ip adds it to a blacklist or any other kind of solution?


We currently have version 13.1.3.4

thank you all.

1 ACCEPTED SOLUTION

Hello @WaterSoup

there are a couple of possible mitigations:

  • IP Intelligence Subscription - will protect you from known bad actor IP addresses.
  • Bot Defense - offers multiple ways of discovering and mitigating bots.
  • Behavioral DoS (L7 DoS) Protection - offers a ML approach to mitigatie Layer 7 DDoS attacks.
  • API Protection with APM - helps you to easily configure rate-limiting and add authentication to your API.

Before you apply any of these, please update to BIG-IP 14.1 (appliance) or 15.1 (VE). See K54845583: F5 Support recommendations for selecting your next version of BIG-IP or BIG-IQ, there it says:
"At a minimum, F5 recommends that you upgrade your BIG-IP appliances to at least BIG-IP 14.1 and your BIG-IP VEs to at least BIG-IP 15.1."

Also upgrading to 14.1 will allow you to use AWAF. Some of the above mentioned features might not be available in 13.1. Please read this devcentral article regarding the upgrade: From ASM to Advanced WAF: Advancing your Application Security 

If all the above won't help you to mitigate the attacks - contact F5 and ask for Shape.
Or take a look at the latest and greatest from F5:  Web App and API Protection (WAAP) 

KR
Daniel

View solution in original post

1 REPLY 1

Hello @WaterSoup

there are a couple of possible mitigations:

  • IP Intelligence Subscription - will protect you from known bad actor IP addresses.
  • Bot Defense - offers multiple ways of discovering and mitigating bots.
  • Behavioral DoS (L7 DoS) Protection - offers a ML approach to mitigatie Layer 7 DDoS attacks.
  • API Protection with APM - helps you to easily configure rate-limiting and add authentication to your API.

Before you apply any of these, please update to BIG-IP 14.1 (appliance) or 15.1 (VE). See K54845583: F5 Support recommendations for selecting your next version of BIG-IP or BIG-IQ, there it says:
"At a minimum, F5 recommends that you upgrade your BIG-IP appliances to at least BIG-IP 14.1 and your BIG-IP VEs to at least BIG-IP 15.1."

Also upgrading to 14.1 will allow you to use AWAF. Some of the above mentioned features might not be available in 13.1. Please read this devcentral article regarding the upgrade: From ASM to Advanced WAF: Advancing your Application Security 

If all the above won't help you to mitigate the attacks - contact F5 and ask for Shape.
Or take a look at the latest and greatest from F5:  Web App and API Protection (WAAP) 

KR
Daniel