Block attacker address for a period of time

Hello Nor,

Do you use ASM ?

regards

Yes dear youssef ASM + LTM

Hi Nor,

You can try this:

when HTTP_REQUEST {

foreach client_addr [table keys -subtable "temp_blocage"] {
    set curtime [clock seconds]
    set formated_time_second [clock scan $curtime]
    set violation [table lookup -notouch -subtable  temp_blocage $client_addr]

    if { [IP::addr [IP::client_addr] equals $client_addr] } {
    HTTP::respond 200 content "you are temporarily blocked"
    log local0. "user with IP : $client_addr was blocked because it is done previously blocked for the following reason:  $violation"
    return
}
}

}

when ASM_REQUEST_BLOCKING { 

set violation [ASM::violation_data]
set client_addr [IP::client_addr]

for {set i 0} { $i < 7 } {incr i} {
      switch $i {
      0         { log local0. "violation=[lindex $x $i]" }
      1         { log local0. "support_id=[lindex $x $i]" }
      2         { log local0. "web_application=[lindex $x $i]" }
      3         { log local0. "severity=[lindex $x $i]" }
      4         { log local0. "source_ip=[lindex $x $i]" }
      5         { log local0. "attack_type=[lindex $x $i]" }
      6         { log local0. "request_status=[lindex $x $i]" }

}}
table delete -subtable temp_blocage $client_addr
table set -subtable temp_blocage $client_addr  $violation 300

}

For information, i don't test this irule but it will work. maybe you have to finetune it.

So this irule block your access to application during 300s if you trigged a violation before. You can update this irule by adding additional condition for a specific violoation for example.

keep me in touch if you need more details or help to update this irule.

regards,

Didn't work with me