
F5 ASM | count violation

Abed_AL-R
Cirrostratus

Hi

 

We receive a lot of traffic trying to scan our website.

We enabled IP intelligence, but the thing is it is not blocking all IP addresses; it relies on one external DB called "vector.brightcloud.com".

There are some IP addresses that are not getting blocked, and they're not in the F5IpRep.dat.

 

Is it possible to create an iRule that does the following:

If a client IP address did X number of violations in X minutes, then reset its connections.

For example, 20 violations in 30 minutes from the same source IP, then block, or maybe put the IP address in a specific data group using iCall or something...

 

Has anyone tried to accomplish this task?

1 ACCEPTED SOLUTION

Hi Abed AL-R,

 

You can use session tracking.

https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-asm-implementations/preventing-session-hijacking-and-tracking-user-sessions.html

[Screenshot]

Result after X violations in the last Y seconds:

[Screenshots]


4 REPLIES


Abed_AL-R
Cirrostratus

Thanks great

I will check that

Thanks

Abed_AL-R
Cirrostratus

Can this feature "Violation Detection Actions" work with XFF (if the XFF header is available)?

Is it possible to configure this feature to block the XFF header client IP and not the source IP?

Because sometimes the source IP hides many users behind it.

 

When the Trust XFF Header option is enabled, it blocks the XFF header value.

 

"Beginning in BIG-IP ASM 10.1.0, you can instruct the BIG-IP ASM system to trust the X-Forwarded-For header and use the IP address information in the HTTP header instead of the source IP of the packet if the BIG-IP ASM system is deployed behind an internal or other trusted proxy. You can enable this feature in the Configuration utility by selecting the Trust XFF Header check box in the security policy properties advanced configuration settings."

 

REF: https://support.f5.com/csp/article/K12264
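
The two ideas discussed in this thread (block a client after X violations in Y minutes, and count against the X-Forwarded-For address only when the request arrives through a trusted proxy) can be modelled as follows. This is an added Python illustration of the logic, not F5 code, not an iRule, and not part of the original posts; the proxy range, the choice of the right-most XFF entry, and all names are assumptions of the example.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumed range of the internal proxies allowed to set X-Forwarded-For.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]


def effective_client_ip(peer_ip, xff=None):
    """Return the address to count against: XFF only if the peer is trusted."""
    peer = ip_address(peer_ip)
    if xff and any(peer in net for net in TRUSTED_PROXIES):
        # Right-most entry is the one appended by our own proxy (assumption).
        try:
            return str(ip_address(xff.split(",")[-1].strip()))
        except ValueError:
            pass  # malformed header: fall back to the TCP peer
    return str(peer)


class ViolationTracker:
    """Sliding-window counter: block after `limit` violations in `window` s."""

    def __init__(self, limit=20, window=30 * 60):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)  # client IP -> violation timestamps

    def record(self, ts, peer_ip, xff=None):
        """Record one violation; True means the client reached the limit."""
        q = self.seen[effective_client_ip(peer_ip, xff)]
        q.append(ts)
        while q[0] <= ts - self.window:  # drop events older than the window
            q.popleft()
        return len(q) >= self.limit


def demo():
    """Replay constructed violation events with a small limit for brevity."""
    tracker = ViolationTracker(limit=3, window=60)
    events = [  # (timestamp in seconds, TCP peer, X-Forwarded-For)
        (0, "10.0.0.5", "198.51.100.7"),
        (10, "10.0.0.5", "203.0.113.9"),    # other user behind the same proxy
        (20, "10.0.0.5", "198.51.100.7"),
        (30, "10.0.0.5", "198.51.100.7"),   # third hit in 60 s: block
        (40, "192.0.2.44", "198.51.100.7"), # untrusted peer: XFF ignored
        (200, "10.0.0.5", "203.0.113.9"),   # earlier hit has expired
    ]
    return [(ts, effective_client_ip(p, x)) for ts, p, x in events
            if tracker.record(ts, p, x)]
```

Only the client at 198.51.100.7 reaches the limit; the other user behind the same proxy is counted separately, and the XFF value supplied by the untrusted peer is not honoured.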