Imperva Cyber Community

  • 1.  More than 150 blocked Ips/Users for Server Group

    Posted 06-06-2022 01:41
    Dear all,

    Do you have any tips/advice for how to handle this alarm "More than 150 blocked Ips/Users for Server Group"?

    I tried to manually release some blocked IP addresses, but then I see this alarm again. Is there any thing I need to fine tune?

    Thank you.
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Ken Chau
    IT Manager
    Central Hong Kong
    ------------------------------


  • 2.  RE: More than 150 blocked Ips/Users for Server Group

    Posted 06-06-2022 02:27
    Hi Ken,
    Thanks for posting.

    I wonder if this blog might help with your query?

    https://community.imperva.com/blogs/jaired-anderson/2022/02/15/imperva-waf-gateway-tuning-web-profiles?CommunityKey=39c6092a-d67a-4bc2-8134-bfbb25fc43af

    Let me know.

    Thanks,
    Sarah

    ------------------------------
    Sarah Lamont(csp)
    Digital Community Manager
    ------------------------------



  • 3.  RE: More than 150 blocked Ips/Users for Server Group

    Posted 06-06-2022 16:41
    Hi Ken,

    By default, security policies will block the request. This means that someone intentionally configured a security policy to block the IP for a predetermined amount of time.

    This alarm could mean a couple of different things:

    • Your site is under attack from a distributed attacker (many IPs)
    • The policy is too aggressive

    Typically, policies that are configured to block IPs are created for a very specific use case - and typically, an IP is blocked for 3 minutes (short block) or 1 hour (long block). However, these short/long conditions are user-configurable.

    The duration for IP Blocking can be reviewed under: Main > Policies > Action Sets

    In most circumstances, it would be considered unusual to hit 150 IPs, unless:

    • The site receives a LOT of traffic
    • The long threshold has been increased
    • The site is under a distributed attack

    So, what does all this mean? Well, there are a few variables at play - in some cases this message can be safely ignored; in other cases you might want to adjust your policy, adjust your IP blocking threshold, or apply additional security policies.


  • 4.  RE: More than 150 blocked Ips/Users for Server Group

    Posted 06-08-2022 01:43
    Hi Anderson,

    From Main > Policies > Action Sets, I see that we have defined policy to block IP addresses for a few days. So, could this be the primary cause for hitting the 150 IP count?

    On the other hand, checking from the blocked source, I see that there have been more than 200 blocked IP addresses for a single server group. Would there be any adverse impact (e.g. function, performance) to the gateway?

    Thank you.

    ------------------------------
    Ken Chau
    IT Manager
    Central Hong Kong
    ------------------------------



  • 5.  RE: More than 150 blocked Ips/Users for Server Group
    Best Answer

    Posted 06-09-2022 09:14

    Hi Ken,

    "From Main > Policies > Action Sets, I see that we have defined policy to block IP addresses for a few days. So, could this be the primary cause for hitting the 150 IP count?"

         Correct. Also, keep in mind that this alert is more for informational awareness than it is an "alarm". 


    "On the other hand, checking from the blocked source, I see that there have been more than 200 blocked IP addresses for a single server group. Would there be any adverse impact (e.g. function, performance,) to the gateway?"

         It is highly unlikely there will be an adverse impact. I have personally seen a customer with over 27,000 IPs being blocked. 😲
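As an added illustration of the point made in replies 3 and 5 (this is not code from the thread or from Imperva): the number of IPs blocked at the same time is driven by the block duration in the Action Set as much as by how often blocks happen. The block stream (one new IP every 10 minutes for three days), the private IP addresses and the "few days" value of 3 days are all constructed assumptions; the 3-minute and 1-hour durations and the 150 threshold come from the thread.

```python
from datetime import datetime, timedelta

ALARM_THRESHOLD = 150  # the "More than 150 blocked IPs/Users for Server Group" alert


def blocked_at(block_events, block_duration, at):
    """Distinct IPs whose block is still active at time `at`.

    block_events: iterable of (ip, block_start) pairs, one per blocking action.
    A block covers the half-open interval [block_start, block_start + block_duration).
    """
    return {ip for ip, start in block_events if start <= at < start + block_duration}


def peak_concurrent_blocks(block_events, block_duration):
    """Highest number of distinct IPs blocked at the same moment.

    The active count can only rise when a block starts, so evaluating it at
    every block start time is enough to find the peak.
    """
    return max((len(blocked_at(block_events, block_duration, start))
                for _, start in block_events), default=0)


def alarm_would_fire(block_events, block_duration, threshold=ALARM_THRESHOLD):
    """True if the concurrently blocked set ever exceeds the alert threshold."""
    return peak_concurrent_blocks(block_events, block_duration) > threshold


def constructed_block_stream(first_block, interval, count):
    """Constructed sample: `count` distinct private IPs, one new block every `interval`."""
    return [(f"10.0.{i // 256}.{i % 256}", first_block + i * interval)
            for i in range(count)]


# Constructed scenario: one new IP blocked every 10 minutes for three days (432 blocks).
STREAM = constructed_block_stream(datetime(2022, 6, 6), timedelta(minutes=10), 432)

# Action Set durations: the two defaults named in the thread plus an assumed "few days".
DURATIONS = {
    "short block (3 min)": timedelta(minutes=3),
    "long block (1 hour)": timedelta(hours=1),
    "few days (3 days)": timedelta(days=3),
}

if __name__ == "__main__":
    for label, duration in DURATIONS.items():
        peak = peak_concurrent_blocks(STREAM, duration)
        print(f"{label:20s} peak concurrently blocked = {peak:4d}  "
              f"alarm: {'yes' if peak > ALARM_THRESHOLD else 'no'}")
```

With the same block rate, the 3-minute and 1-hour durations never hold more than a handful of IPs at once, while a days-long duration accumulates every blocked IP from the whole window and crosses 150 on its own.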