Nikoolayy1
Oct 13, 2022
Solved

Why does the Local Traffic policy allow a Bot profile to be selected but the iRule can't?

When I attach DoS and Bot profiles with a local traffic policy or an iRule, I always need a default Bot and DoS profile, even when I have a default rule that catches all the traffic. That is one thing, but the strangest thing is that when I decide to attach a Bot profile with an iRule it does not work, but the Local Traffic policies allow this.

I will need to test this, but it is really strange. This is the first time something is only possible with Local Traffic Policies, but I will have to test if it works 🙂

2 Replies

  • Two things:

    • You need to have a profile applied to a VIP to engage that HUD filter. From there you can programmatically enable/disable the profile.
    • The error in the iRule indicates that BOTDEFENSE::enable doesn't take an extra parameter. It just enables the attached BD profile. An LTM policy can uniquely select and apply a BD profile.
    • Nikoolayy1 (MVP)

      Kevin to the rescue. Thanks, I tested it and it works fine. The bot defence has a better whitelist, based on URL and/or IP address, not just IP address as in the DoS profile, but stopping a specific protection for API traffic based on an HTTP header, like Browser validation and Device ID, was not possible, and I started doing the iRule below. But the one that unblocks the client-side challenge, which is suggested at https://clouddocs.f5.com/api/irules/BOTDEFENSE__cs_possible.html, is wrong for me (the one iRule for device ID is OK), as if the API traffic can't reply to JavaScript then this iRule will not block it, but this will also unblock it for every bot violation that will trigger a TCP RST, if I am not wrong, or maybe, as the other Bot violations return a support ID web page, they will not match the tcp_rst.

       

      Still thanks again!

       

      https://clouddocs.f5.com/api/irules/BOTDEFENSE__cs_possible.html

      https://clouddocs.f5.com/api/irules/BOTDEFENSE__cs_attribute.html

       

       

      # EXAMPLE: Prevent blocking of requests that cannot be responded with a
      # client-side challenge.
      when BOTDEFENSE_ACTION {
          if {    ([BOTDEFENSE::action] eq "tcp_rst") &&
                  (not [BOTDEFENSE::cs_possible])} {
              BOTDEFENSE::action allow
          }
      }

      # Enable the device_id client-side attribute on every request.
      when BOTDEFENSE_REQUEST {
          BOTDEFENSE::cs_attribute device_id enable
      }
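
An added example, not part of the thread or of F5's documentation: one way to limit the `cs_possible` exception above to API traffic selected by an HTTP header, and to log the reason behind each `tcp_rst` so the concern about other bot violations can be checked in testing. Assumptions: a Bot Defense profile is already attached to the virtual server, `X-Api-Client` is a hypothetical header name, and HTTP commands are readable inside `BOTDEFENSE_ACTION`.

```tcl
# Added example, not from the thread.
# Assumption: "X-Api-Client: true" is a hypothetical marker header for API clients.
when BOTDEFENSE_ACTION {
    # Only requests that Bot Defense is about to reset are of interest.
    if { [BOTDEFENSE::action] ne "tcp_rst" } {
        return
    }

    # Capture why the reset was chosen, so the log shows which violations
    # actually end in tcp_rst before the exception is trusted.
    set reason [BOTDEFENSE::reason]

    # The header is client-supplied and can be sent by anyone; treat it as a
    # selector for the exception, not as proof that the client is legitimate.
    set is_api [expr {[string tolower [HTTP::header value "X-Api-Client"]] eq "true"}]

    if { $is_api && (not [BOTDEFENSE::cs_possible]) } {
        # API request that cannot answer a client-side challenge: lift the reset.
        log local0.info "botdefense: allow api client=[IP::client_addr] path=[HTTP::path] reason=\"$reason\""
        BOTDEFENSE::action allow
    } else {
        # Everything else keeps the profile's decision.
        log local0.info "botdefense: keep tcp_rst client=[IP::client_addr] path=[HTTP::path] reason=\"$reason\""
    }
}
```

The second log line fires on every reset and is meant for a test window; remove it once the reasons that lead to `tcp_rst` are known.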