F5 Remediation ModuleSuwitcha Musijaral

2

F5 API interface

● iControl▸ API (perl support), more flexible, more work

● Command line▸ ssh and issue cli command (bigpipe command)

● iRule with Session Table▸ Create virtual server to add record to session table▸ Add iRule to protected server▸ Easy to create and suitable for FW type action

3

Control VIP iRule

when HTTP_REQUEST { if { [URI::query [HTTP::uri] "action"] equals "blacklist" } { set blockingIP [URI::query [HTTP::uri] "sip"] set IPtimeout [URI::query [HTTP::uri] "timeout"] table add -subtable "blacklist" $blockingIP 1 $IPtimeout HTTP::respond 200 content "$blockingIP added to blacklist for $IPtimeout seconds" return } HTTP::respond 200 content "You need to include an ?action query"}

4

iRule for protected Server

when CLIENT_ACCEPTED { set srcip [IP::remote_addr] if { [table lookup -subtable "blacklist" $srcip] != "" } { drop log local0. "Block IP on black list" return }}

5

POC Environment

Virtual BIG-IP

VMNET Mgmt192.168.133.0

VMNET2192.168.10.0

VMNET4192.168.111.0

Virtual Sensor

Virtual DC

Target MachineLAMP

Attacker

6

Screen Shot on F5

7

Control Server

8

Protected Server

9

F5 Remediation Module

10

Compliance Event

11

Remediation Status

12

Result – Connection Reset

13

Status on BIG-IP