Forum Discussion

RockBD
May 03, 2021

How to block a source IP (which is hidden behind a private IP) in F5 Big-IP.

Dear All,

I am not good with networking terms, so please forgive me if I am wrong.

I am an application owner. For the last couple of days my application has been under a DDoS attack (as per my network team). But the problem is that they can't block it in the F5 Big-IP, because when they try to find the source IP they are getting 10.x.x.x, 172.16.x.x, 172.31.x.x, 192.168.x.x, which are private IPs.

So my query is how to find the source where the original request is generated, or how I can block this type of attack.

Thanks in advance.

5 Replies

  • Hi RockBD,

    I think it's a tricky one to give a simple answer to, but here's my two cents on how I would investigate:

    • See if you (or whoever looks after the BigIP) can find out what interface the traffic comes in on. (Is it coming from the internet-facing interface, or from internal interfaces?)
    • Once you know that, discuss whether you SHOULD receive those IP ranges on that interface (for example, you should never receive any of those private ranges from the outside world). If those interfaces should not receive this, the F5 can set up a packet filter (via Network - Packet Filters) to block any private IPs from those interfaces.
    • If yes, investigate whether the traffic isn't accidentally coming from somewhere internal - maybe someone has misconfigured some systems, or some tests are running? Possibly you can still put some partial packet filters in place to limit the attack, at least for now.
    • If the traffic is coming from somewhere further upstream that is then hiding it behind a private IP, see if that device can inject an HTTP XFF header, so that the F5 can read the XFF header rather than the internal IP. The F5 can then block traffic based on the original IP again.
    • For a proper solution, in case it is a real DoS attack that doesn't stop and changes between IPs etc., I'd recommend looking into AFM for network-level DoS protection and AdvWAF for application-level DoS protection. Their DoS profiles can take a lot of the guesswork out of dealing with this, and are great at stopping these attacks before they do any damage.

    Hope this helps.

    • RockBD

      Sorry to inform you that I didn't understand most of your technical terms properly. But when the sysadmin imposed a geolocation policy so that this site can only be viewed/accessed from within the native country, not from around the world, then I think the WAF stopped the DDoS attack. So I don't think it is generated from internal IPs.

      Can you tell me how to check the XFF header, or any other solution?

  • Hi RockBD,

    I agree with , check if these IP addresses aren't some real internal systems that are misconfigured. Maybe your application is an API or something like a reporting service, and some systems are configured to query it regularly?

    Second, IP addresses can be spoofed. The Wikipedia article on IP address spoofing will explain to you what that is. If this is a DDoS attack, attackers usually retool and use different source IP addresses throughout the attack. They do this in order to bypass rate limiting or blocking. Also, if those are real internal IPs, you might block benign traffic / users from accessing your application.

    Check with your network team whether you are running an updated version of BIG-IP and have an ASM/AdvWAF license; then they can use techniques such as client fingerprinting.

    Take a look here: K19556739: Overview of BIG-IP ASM client fingerprinting

    This should give you some understanding of how the BIG-IP will identify devices (attackers) with more advanced techniques than "block by source IP".

    Also read this DevCentral article: What is Shape Security?

    It will give you a better understanding of the whole concept behind identifying attackers properly.

    Best of luck

    Daniel

    • RockBD

      Can you please guide me on how to block a DDoS attack on Big-IP? I don't know which article will be more appropriate for blocking DDoS. Is the following a possible way to protect against DDoS in F5 Big-IP?

      https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/preventing-dos-attacks-on-applications.html

      • Look, there is no one-size-fits-all solution for DDoS. It depends a lot on the BIG-IP device you have, the TMOS version you run, the license you own and the kind of attack you see.

        From the link you have shared, I would configure Behavioral & Stress-based Detection only. Do not combine Behavioral & Stress-based Detection with TPS-based detection.

        Additionally, I would add a Bot Defense Profile: https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/configuring-bot-defense.html