Forum Discussion

Nimbostratus

Jul 13, 2018

Block Brute Force Attack

Hi All, Need some suggestion. Can anyway we can allow only x amount of connections from the same IP address at a time for a VIP. VIP config: ltm virtual XXXXX-22 { destination X.X.X....

Cumulonimbus

Jul 13, 2018

You would need to use an iRule and session/tables to store client IP addresses, then every time a new connection takes place look up the IPs in the table, if it exists then close the new connection down. When a connection closes you would need to make sure you removed it from the table.

This would only slow a brute force attack down if someone is always using the same source address not if someone has a way of connecting using multiple IP addresses. And this also could block valid traffic as multiple users connecting from behind the same NATed private network and so would share a common IP address seen by the F5 as the source address.

Assuming this is for a SSH connection it would be better to get the backend system to lock accounts after a set number of failed login attempts and even look if a user can be limited to a single authenticated session.

Forum Discussion

Block Brute Force Attack

Recent Discussions

Enterprise Security best practices with F5 WAF

Disk space full - what files, folders are safe to delete?

ASM instance creation

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

Related Content

iRule for Brute Force Password Guessing Attacks

AWAF version 15.1.8.1 does not support Brute Force as one of the attacks for Delayed Blocking

The HTTP/2 CONTINUATION frame attack

HTTP Brute Force Mitigation Playbook: BIG-IP LTM Mitigation Options for HTTP Brute Force Attacks - Chapter 3

Brute Force protection for single parameter like OTP