Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Detect and block HTTP/S related attacks using WAF

sim2022
Nimbostratus
Nimbostratus

‎10-Jul-2023 04:28

Hi All

How can I use Big IP F5 to detect and block bulk HTTP requests to my website, which specific module and rule can be leveraged from Big IP WAF?
Also, how can the Big IP WAF be leveraged to block slow loris attacks? is there any out-of-the-box rule that we can leverage and customize?

Thanks & Regards

SAM

Labels:
0 Kudos
4 REPLIES 4

whisperer
Cumulonimbus
Cumulonimbus

‎10-Jul-2023 05:26

So, first I would take a look at this good writeup available on DevCentral:

https://community.f5.com/t5/codeshare/asm-waf-rate-limit-and-block-clients-by-source-ip-or-device-id...

Also, take a look here and search for "Web Applications". It will tell you how to setup DDoS protection for HTTP and HTTPS:

https://techdocs.f5.com/kb/en-us/products/ddos-hybrid-defender/manuals/product/f5-herculon-ddos-hybr...

Mohamed_Ahmed_Kansoh
MVP
MVP

‎10-Jul-2023 05:47

Hi @sim2022 , 

Do you mean DoS attacks ? 

_______________________
Regards
Mohamed Kansoh
0 Kudos

Nikoolayy1
MVP
MVP

‎10-Jul-2023 21:48 - edited ‎10-Jul-2023 21:54

For DOS attacks you better use DOS and BOT protection profiles as most DOS attacks come from Bots, so the Bot profile will block the Bots and the DOS profile will stop the DOS attack if the Bot profile did not manage to handle the Bot detections or the DOS attack commes from human farms that do DOS attacks. Better use the DOS profile with latency detection as it generates less false positives.

https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/preventing-dos-attacks-...

https://my.f5.com/manage/s/article/K42323285

 

For slow loris just use HTTP profile on the VIP as F5 has native protection for such attacks https://my.f5.com/manage/s/article/K10260

 

For blocking attackers that use scanners and generate many web attacks review the session tracking option in the AWAF that can block user ip addresses or device ID if they generate too many violations:

https://my.f5.com/manage/s/article/K02212345

 

I suggest to read the F5 AWAF operations to be able to effectively utilize the F5 WAF options:

https://my.f5.com/manage/s/article/K85426947

 

LiefZimmerman
Community Manager
Community Manager

‎14-Jul-2023 08:07

@sim2022,
If your issue was resolved please choose Accept As Solution on one (or more) replies.

This helps other members find answers more quickly and confirms the efforts of those who helped.
Thanks for being part of our community.
Lief

Copyright © 2023 Khoros, LLC