How to block an attack on basis of x-ms-forwarded-client-ip

Question

Hello Team,&nbsp;
I am looking for assistance to block attack over my application using F5. Unfortunately, all other network points are not an option as we can detect attack using only x-ms-forwarded-client-ip&nbsp;
Application has SSL offloaded on F5 thus F5 has full visibility to the connection. Also, we have ASM in our environment but it is just enabled and not being used for now.&nbsp;
So, our application is facing brute force attack but the source IP is visible only in x-ms-forwarded-client-ip. I need to build some rule within LTM or ASM that may detect a DOS attack is lets say we have 2000 connections from same x-ms-forwarded-client-ip within a second or so.&nbsp;
Is this possible using ASM or any Irule?&nbsp;
Regards,
Anuj&nbsp;

ahmedgalal219_3 · Answer

Under Security you can find DOS Protection create a new dos profile with the specs the meet your needs and implement this profile in VS configuration in security tab - dos protection profile.&nbsp;

ahmedgalal219_3 · Answer

https://www.f5.com/services/resources/white-papers/f5-ddos-protection-recommended-practices-volume&nbsp;
2.3.2.3 Protect Applications with DoS Protection Profiles&nbsp;

youssef1 · Answer

Hi,&nbsp;
In fact you can create an ddos profile and specifiy how to detect attackers and which mitigation to use:
- By Source IP (but in this case the profil don't use an specific header but real ip source)
- By Device ID:&nbsp;
You can try preventing ddos usig device ID, just be carefull because this feature will block requests from clients that do not support JavaScript, even if the security policy is in Transparent mode.&nbsp;
So before trying to set an irule a advise you to use device ID (The device ID is a unique identifier that ASM creates by sending JavaScript to get information about the client device.)&nbsp;
For that Go to ASM then ddos --&gt; Application Security ›› TPS-based DoS Detection&nbsp;
How to detect attackers and which mitigation to use: By Device ID&nbsp;
let me know if it's enough for you ifnot i can help you if an irule is need.&nbsp;
regards&nbsp;

Forum Discussion

How to block an attack on basis of x-ms-forwarded-client-ip

3 Replies

Recent Discussions

ltm policy asm_auto_l7_policy

MAC address not showing up in LLDP packet

F5Access | MacOS Sonoma

Active- Active HA setup

syslog server connection

Related Content

ESRP Strategies: DNS Water Torture Attack

Juice jacking attack and State-funded attacks - April 15th - 21st - This Week in Security

Block traffic

Real Attack Stories: Bank Gets DDoS Attacked

Understanding Man-in-the-Middle (MitM) Attacks and How to Defend Against Them