application attack different source ips
1 TopicApplication attack from different source IPs
Hello everyone, Can anyone help me in a scenario where we currently have an externally exposed API we are constantly receiving requests from thousands of different ip's, in a scenario that the normal are 1000 requests we now have more than 25000, what happens is that 1 request is made through these multiple ip's, from multiple regions and are distributed between the period of 1 to 10 min basically they are simulating a normal user but the response for them is always the error 400, this kind of requests are not identified as malicious even by Microsoft Threat Intelligence feed, talos or our f5 wafs, we are reviewing some of our wafs solutions we saw cookie based ddos protection, but since they are REST API's there are no cookies, so it doesn't apply, we also thought about captcha but that will have implications on the API functionalities. Is it possible to do some kind of mitigation through irules likecreate a table with a log that when it detects several 400 errors from one source ip adds it to a blacklist or any other kind of solution? We currently have version 13.1.3.4 thank you all.Solved1.4KViews0likes1Comment