Blocking a specific IP from a virtual server

Can I blacklist a specific IP address? Someone appears to be scraping our web site and our backend systems can't handle the load. Is there a simple way of doing this with the F5 unit?

Hi!


This is a common one, and as usual there are many ways to do things. Here are a few of them:


1. Using iRules with data group lists

If you want to do it with iRules I recommend using data group lists. If you only have a few it does not make sense from a performance perspective if you're chasing CPU cycles, but from a management angle it's much more pain free.

    when HTTP_REQUEST {
        # Drop the request if the client address matches the "blacklist" data group
        if { [class match [IP::remote_addr] equals blacklist] } {
            drop
        }
    }

In this case you’d have to create a data group list called blacklist of the type address. In this you can add individual IPs, or networks in CIDR format (i.e. 10.0.0.0/24).


Apply the iRule to the virtual server where you want the blacklist to be active.


2. Using Packet Filters

This method works well if you want to block on a device level rather than a virtual server level. Navigate to Network -> Packet Filters. Make sure that the filtering is enabled in the General tab and head on over to Rules and create your rule according to what you want.


I personally do not like this method as it would throw most admins off when troubleshooting, simply because it’s not commonly used.


3. Policies

Depending on the version you use there might also be an option in the policies to Reset all traffic. It’s not technically dropping it, but would reset it which means that the requests never reach the web servers.


The policies are available under Local Traffic -> Policies. Create one according to what you need and apply it to your virtual server.
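
A variant of the iRule from option 1, as an added example that is not part of the original answer: it checks the same `blacklist` data group at CLIENT_ACCEPTED, so a listed client is dropped once per connection before any HTTP parsing, and it writes a throttled log entry so the block is visible when troubleshooting. The subtable name `blacklist_log` and the 60-second log interval are assumptions chosen for illustration.

```tcl
# Added example, not from the original answer.
# Assumes an address-type data group named "blacklist" (the name used in option 1).
when CLIENT_ACCEPTED {
    # IP::client_addr is the source address of the TCP connection. If clients
    # reach the virtual server through a proxy or NAT device, this is that
    # device's address, not the address of the original client.
    if { [class match [IP::client_addr] equals blacklist] } {
        # Log at most once per source address per 60 seconds (assumed interval)
        # so a busy scraper cannot flood the LTM log with identical entries.
        set key "bl:[IP::client_addr]"
        if { [table lookup -notouch -subtable blacklist_log $key] eq "" } {
            # timeout 60, lifetime 60: the marker expires after one minute
            table set -subtable blacklist_log $key 1 60 60
            log local0.info "blacklist drop: [IP::client_addr] -> [virtual name]"
        }
        # Silently discard the connection; no RST is sent to the client.
        drop
        return
    }
}
```

Because the rule fires per connection rather than per request, keep-alive connections from a listed address cost one data group lookup instead of one per HTTP request.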