Forum Discussion

Dianna_129659
Sep 23, 2013

Can I block an IP address?

Can I blacklist a specific IP address? Our web scraping is set pretty loose because many of our customers do transactions that appear to be scraping. We are being hit hard by some crawlers, and I would like to simply block the IP address. Thank you.


  • The easiest is probably a packet filter rule, but you could do the same with an iRule:

    when CLIENT_ACCEPTED {
        # Runs once per TCP connection; replace xx.xx.xx.xx/xx with a host or a CIDR subnet
        if { [IP::addr [IP::client_addr] equals xx.xx.xx.xx/xx] } {
            reject
        }
    }
    

    The beauty of a packet filter rule is that it blocks the traffic before the completion of the TCP 3-way handshake. The iRule would reject the traffic after the handshake.

  • Hi Kevin. Thank you! I have not worked with packet filter rules, nor with iRules. Can you guide me to where I can create either of these, please? I would prefer the packet filter, but I will do either of them. I appreciate your help very much!


  • As you've never worked with packet filters, I'd strongly recommend reading the following first:

    http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-3-0/24.htmlconceptid

    http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-concepts-11-3-0/tmos_packet_filters.html1189342

    As for the iRule, simply copy the above to a new iRule in the iRules section of the management GUI, and change the xx.xx.xx.xx/xx to a specific IP address (ex. 123.45.678.90) or a specific subnet (ex. 123.45.67.0/24), then add that iRule to the virtual server configuration. You could even throw in some logging to see what IP address is getting blocked (and when).

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals xx.xx.xx.xx/xx] } {
            # local0 entries are written to /var/log/ltm, each with its own timestamp
            log local0. "Blocking [IP::client_addr]"
            reject
        }
    }
    
  • Yes, I think iRules is best for me for right now. However, I do not have full access to the F5 server, and I can't find the place where I create an iRule. Can you tell where this is located? Thank you very much.


  • Hi Josh. I think that I do not have permissions to this section. When I look under Local Traffic, I have only Profiles >> Services >> Protocol. Are there more sections under Local Traffic that I need to get access to? Thank you!


  • No, I see none of that. I see only Profiles, and under Profiles are Services and Protocol. I have very limited access, it seems.


  • Especially if you are dealing with a large number of source IPs to block, it might make sense to use a generic iRule associated with a so-called data group.

    It's easy to add or remove addresses from the data group without touching the iRule anymore.

    when CLIENT_ACCEPTED {
        # ip_blacklist is an Address-type data group; match succeeds for listed hosts and networks
        if { [class match [IP::remote_addr] equals ip_blacklist] } {
            reject
            # nothing else in this iRule needs to run for a rejected connection
            event disable all
            return
        }
    }
    

    The data group will be of type IP address and may contain hosts and networks.

    This should be easier to handle.
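A complete iRule that ties the two approaches in this thread together, added here as an example and not code posted by anyone in the discussion: it first checks the `ip_blacklist` address data group (so entries can be added or removed without editing the iRule), then falls back to a hard-coded subnet in the `IP::addr ... equals` form from the first answer, logs each rejected connection, and stops further event processing for it. The data group name is the one used above; the addresses in the code are RFC 5737 documentation ranges used as placeholders, and the tmsh command in the comments is an assumed way to create the data group from the command line. In the BIG-IP 11.x GUI both iRules and data groups live under Local Traffic >> iRules (iRule List and Data Group List), so an account that only sees Local Traffic >> Profiles cannot create either.

```tcl
# Added example, not from the original thread.
# Assumes an Address-type data group named ip_blacklist exists
# (Local Traffic >> iRules >> Data Group List). From tmsh it could be created with
# (assumed syntax):
#   tmsh create ltm data-group internal ip_blacklist type ip \
#       records add { 198.51.100.7 { } 203.0.113.0/24 { } }
# 198.51.100.7, 203.0.113.0/24 and 192.0.2.0/24 are RFC 5737 documentation
# ranges used as placeholders; substitute the crawler addresses you actually see.
when CLIENT_ACCEPTED {
    set src [IP::client_addr]
    set why ""

    # 1. Data-group lookup: an Address data group matches single hosts and networks alike,
    #    and can be edited in the GUI without touching this iRule.
    if { [class match $src equals ip_blacklist] } {
        set why "data group ip_blacklist"
    } elseif { [IP::addr $src equals 192.0.2.0/24] } {
        # 2. Static fallback in the form from the first answer; 192.0.2.0/24 is a placeholder.
        set why "static subnet 192.0.2.0/24"
    }

    # Not listed: let the connection proceed to the pool as usual.
    if { $why eq "" } {
        return
    }

    # local0 entries land in /var/log/ltm with a timestamp; record the source port and the
    # virtual server so the line is still useful when several virtuals share the iRule.
    log local0. "Blocking $src:[TCP::client_port] on [virtual name] ($why)"

    # The TCP three-way handshake has already completed at CLIENT_ACCEPTED;
    # reject closes the connection with a RST.
    reject

    # Skip every other event (HTTP_REQUEST etc.) for this rejected connection.
    event disable all
}
```

Attach the iRule to the virtual server under its Resources tab (iRules), the same place the earlier replies refer to. The caveat from the first answer still applies: this rejects after the handshake, so a packet filter rule remains the choice if you want the SYN dropped before BIG-IP spends any connection state on the crawler.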