Using Netscaler to block IP adresses based upon pattern sets and URL responder

Ever wanted a simple way to block pesky IP-adresses which are giving you much unwated traffic on your webservers? Of course there is the possibility to use ACLs but the become cumbersone if we need to add every IP adress to an ACL (They also get unmanageable)

Another option we have is to use pattern sets. Pattern sets are basically an index with different strings which we can then use against an expression to evaluate if they fall within the category or not.

First we need to create the pattern set, under AppExpert –> Pattern Sets (Which is set to include all of those IP-adresses that we don’t want to access our websites.

image

Next we need an expression which has the ability to extract out the strings and evaluate them against a rule. Go into AppExpert –> Expressions –> Advanced Expressions –>

Create a new expression called CIP, where the expression looks like this

image

This will allow us when creating a responder policy to add a string in the expression. Next go into URL responder and create a new policy

image

Now the magic lies within the expression, since we created a custom saved expression we can use that, which basically just says CLIENT_IP_SRC_EQUALS_ANY”(STRING IN THE PATTERN SET nonoIPS) then RESET Connection.

Then we have to bind the policy to either a vServer or globally, and voila. Now we just have to update the pattern set next time we want to block an IP-address. But do not mistake this for an ACL it only block HTTP access.

You May Also Like

About the Author: Marius Sandbu

Leave a Reply

Your email address will not be published. Required fields are marked *