Forum Discussion
Hi RockBD,
I agree with , check if these IP addresses aren't some real internal systems that are misconfigured. Maybe you application is an API or something like a reporting service and some systems are configured to query it regularly?
Second, IP addresses can be spoofed. The Wikipedia article on IP address spoofing will explain you what that is. If this is a DDoS attack, attackers usually retool and use different source IP addresses throughout the attack. They do this in order to bypass rate limiting or blocking. Also, if those are real internal IPs, you might block benign traffic / users from accessing your application.
Check with your network team is running an update version of BIG-IP and you have a ASM/AdvWAF license, they can use techniques such as client fingerprinting.
Take a look here: K19556739: Overview of BIG-IP ASM client fingerprinting
This should give you some understanding how the BIG-IP will identify devices (attackers) with more advanced techniques than "block by source IP".
Also read this devcentral article: What is Shape Security?
It will give you a better understand of the whole concept behind identifying attackers properly.
Best of luck
Daniel
can you please guide me how to block DDoS attack on Big-IP? I don't know which article will be more appopriate for blocking DDoS. Is the following is the possible way to protect DDoS in F5 big-IP
https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/preventing-dos-attacks-on-applications.html
- Daniel_WolfMay 04, 2021MVP
Look, there is not a one size fits all solution for DDoS. It much depends on the BIG-IP device you have, the TMOS version you run, the license you own and the kind of attack you see.
From the link you have shared, I would configure Behavioral & Stress-based Detection only. Do not combine Behavioral & Stress-based Detection with TPS-based detection.
Additionally I would add a Bot Defense Profile. https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/configuring-bot-defense.html