Forum Discussion
AlexBCT
Cumulonimbus
Hi RockBD,
I think it's a tricky one to give a simple answer to, but here's my two cents on how I would investigate:
- See if you (or whoever looks after the BIG-IP) can find out what interface the traffic comes in on (is it coming from the internet-facing interface, or from internal interfaces?).
- Once you know that, discuss whether you SHOULD receive those IP ranges on that interface (for example, you should never receive any of those private ranges from the outside world). If those interfaces should not receive this, the F5 can set up a packet filter (via Network - Packet Filters) to block any private IPs on those interfaces.
- If yes, investigate whether the traffic isn't accidentally coming from somewhere internal - maybe someone has misconfigured some systems, or some tests are running? Possibly you can still put some partial packet filters in place to limit the attack, at least for now.
- If the traffic is coming from somewhere further upstream that is then hiding it behind a private IP, see if that device can inject an HTTP XFF header, so that the F5 can read the XFF header rather than the internal IP. The F5 can then block traffic based on the original IP again.
- For a proper solution, in case it is a real DoS attack that doesn't stop and changes between IPs etc., I'd recommend looking into AFM for network-level DoS protection and AdvWAF for application-level DoS protection. Their DoS profiles can take a lot of the guesswork out of dealing with this, and are great at stopping these attacks before they do any damage.
Hope this helps.
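The XFF step in the post above, worked through as an added example (this is not code from the original post and not F5's own logic): a small Python checker that takes the connection's source IP and the X-Forwarded-For value, walks the header from the right past a list of trusted upstream proxies, and then applies the "no private ranges from outside" rule to the recovered client address. The trusted proxy network, the sample connections and the treatment of RFC 1918 ranges as "private" are assumptions constructed for the example; the F5 side (which interface, which device inserts the header) is not modelled.

```python
import ipaddress
from typing import Optional

# Assumption for the example: the only upstream device allowed to append to
# X-Forwarded-For lives in this network. Anything else that sends an XFF
# header is treated as untrusted, because the header is trivially spoofable.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

# The private ranges the post refers to (RFC 1918), plus loopback and link-local.
# Listed explicitly rather than via ipaddress.is_private, which also counts the
# documentation ranges (203.0.113.0/24 etc.) used in the samples below as private.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def parse_ip(addr: str) -> Optional[ipaddress.IPv4Address]:
    """Return a parsed address, or None for anything malformed."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return None
    return ip if ip.version == 4 else None


def is_trusted_proxy(addr: str) -> bool:
    ip = parse_ip(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def is_private(addr: str) -> bool:
    ip = parse_ip(addr)
    return ip is not None and any(ip in net for net in PRIVATE_RANGES)


def original_client_ip(source_ip: str, xff: Optional[str]) -> str:
    """Recover the client address the way a proxy-aware device should.

    Only honour XFF when the direct peer is a trusted proxy; then walk the
    comma-separated list from the right, skipping trusted proxies, and return
    the first hop that is not one of ours. If nothing usable is found, the
    direct source address is all we can attribute the request to.
    """
    if not xff or not is_trusted_proxy(source_ip):
        return source_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted_proxy(hop):
            return hop
    return source_ip


def classify(source_ip: str, xff: Optional[str]) -> dict:
    """Apply the post's rule: traffic attributed to a private range arriving
    on an internet-facing path should be dropped; traffic we cannot attribute
    (no XFF, or only proxies in it) is flagged so someone can investigate."""
    client = original_client_ip(source_ip, xff)
    if parse_ip(client) is None:
        verdict = "malformed"
    elif is_trusted_proxy(client):
        verdict = "unattributed"
    elif is_private(client):
        verdict = "block-private"
    else:
        verdict = "allow"
    return {"source": source_ip, "client": client, "verdict": verdict}


# Constructed sample connections: (direct source IP, X-Forwarded-For value).
SAMPLES = [
    ("10.0.0.7", "203.0.113.5, 10.0.0.7"),      # real client behind our proxy
    ("10.0.0.7", "192.168.1.50, 10.0.0.7"),     # private origin leaking through
    ("10.0.0.7", None),                         # proxy forgot to add XFF
    ("192.168.5.5", "203.0.113.77"),            # untrusted peer, XFF ignored
    ("198.51.100.9", "1.2.3.4"),                # direct client, XFF ignored
]


def run_samples() -> list:
    return [classify(src, xff) for src, xff in SAMPLES]


if __name__ == "__main__":
    for result in run_samples():
        print(f"{result['source']:>14} -> client {result['client']:>14}  {result['verdict']}")
```

The design point is the direction of the walk: reading the leftmost XFF entry lets any client choose its own "original IP", whereas walking from the right past known proxies only trusts addresses that our own devices appended. The `unattributed` verdict is what the post's situation looks like before the upstream device is inserting the header at all.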
RockBD
May 04, 2021, Altostratus
Sorry to inform you that I didn't understand most of your technical terms properly. But when the sys admin imposes a geo-location policy so that this site can only be viewed/accessed from within the native country, not from around the world, then I think the WAF stops the DDoS attack. So I don't think it is generated from internal IPs.
Can you tell me how to check the XFF header, or any other solution?