F5 ASM | count violation
Hi
We receive a lot of traffic trying to scan our website.
We enabled IP Intelligence, but the thing is it is not blocking all IP addresses; it relies on one external DB called "vector.brightcloud.com".
There are some IP addresses that are not getting blocked, and they're not in the F5IpRep.dat.
Is it possible to create an iRule that does the following:
If a client IP address commits X number of violations in X minutes, then reset its connections.
For example, 20 violations in 30 minutes from the same source IP, then block, or maybe put the IP address in a specific data group using iCall or something ...
Has anyone tried to accomplish this task?
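The per-IP counting described in the question, sketched as an iRule; this is an added example, not code from the thread or from F5. It assumes "Trigger ASM iRule Events" is enabled on the ASM policy, and the thresholds, subtable name and key prefixes are hypothetical.

```tcl
# Added example: count ASM violations per source IP in a sliding window
# and refuse traffic from addresses that cross the threshold.
# Thresholds and table/key names are assumptions chosen for illustration.
when RULE_INIT {
    set static::viol_limit  20     ;# violations tolerated per window
    set static::viol_window 1800   ;# window length in seconds (30 minutes)
    set static::block_time  1800   ;# seconds an offending address stays blocked
}

when CLIENT_ACCEPTED {
    # New connections from a flagged address are reset immediately.
    if { [table lookup -notouch "asm_blocked:[IP::client_addr]"] ne "" } {
        reject
    }
}

when HTTP_REQUEST {
    # Also covers keep-alive connections opened before the address was flagged.
    if { [table lookup -notouch "asm_blocked:[IP::client_addr]"] ne "" } {
        reject
    }
}

when ASM_REQUEST_DONE {
    # Count only requests on which ASM reported at least one violation.
    if { [llength [ASM::violation names]] == 0 } { return }

    set ip  [IP::client_addr]
    set sub "asm_viol:$ip"

    # One subtable entry per violating request. Each entry expires on its own
    # after the window, so the entry count equals violations in the last window.
    # clock clicks serves as a near-unique key; a collision undercounts by one.
    table set -subtable $sub [clock clicks] 1 indefinite $static::viol_window

    if { [table keys -subtable $sub -count] >= $static::viol_limit } {
        # Flag the address; the entry removes itself after block_time seconds.
        table set "asm_blocked:$ip" 1 indefinite $static::block_time
        log local0.warning "ASM violation limit reached for $ip, blocking for $static::block_time s"
    }
}
```

Because the counter is keyed on source address, clients behind a shared NAT or proxy are counted together, so the limit should be sized with that in mind.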
Hi Abed AL-R,
You can use session tracking.
https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-asm-implementations/preventing-session-hijacking-and-tracking-user-sessions.html
Result after X violations in the last Y seconds: