Hey guys!
We are getting attacked from VPS servers which are hosted by OVH, Leaseweb etc.
Therefore I’m currently trying to create a WAF rule called “asn block” which should block specific as-numbers from getting access to our website.
I have created this rule with action: “Block”:
(ip.geoip.asnum eq 14061) or (ip.geoip.asnum eq 24940) or (ip.geoip.asnum eq 16276) or (ip.geoip.asnum eq 132203) or (ip.geoip.asnum eq 45102) or (ip.geoip.asnum eq 63949) or (ip.geoip.asnum eq 51167) or (ip.geoip.asnum eq 23969) or (ip.geoip.asnum eq 17451) or (ip.geoip.asnum eq 45758) or (ip.geoip.asnum eq 21409) or (ip.geoip.asnum eq 26347) or (ip.geoip.asnum eq 30873) or (ip.geoip.asnum eq 40065) or (ip.geoip.asnum eq 48147) or (ip.geoip.asnum eq 4134) or (ip.geoip.asnum eq 60781) or (ip.geoip.asnum eq 200651)
The problem is that the rule does not work as intended and we are still getting thousands of connections on our website with status code 200 from those as-numbers. I can also see them in the traffic logs. On the other side, the security event logs regarding this rule are empty except for 20 hits in the past 24h.
The WAF rule is on the third position on the custom rules tab. But the first and second rules are just white- and blocklisting specific IPs. So these rules should not be a problem. There are also other rules below the “asn block” rule which are working.
We are using the pro package.
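An added example, not part of the original post: a small Python helper that parses an or-chain like the one above, renders it as a single `ip.geoip.asnum in {...}` expression, and counts requests from the listed ASNs that were not blocked. The log records, their field names and the 403 block status are assumptions made for this sketch, and the rule is shortened to three of the posted ASNs.

```python
import re
from collections import Counter

# Rule from the post, shortened to three of its ASNs (constructed sample).
RULE = "(ip.geoip.asnum eq 14061) or (ip.geoip.asnum eq 24940) or (ip.geoip.asnum eq 16276)"

# Constructed log records; the field names are assumptions, not an export format.
LOGS = [
    {"ip": "192.0.2.10", "asn": 16276, "status": 200},
    {"ip": "192.0.2.11", "asn": 16276, "status": 403},
    {"ip": "198.51.100.7", "asn": 14061, "status": 200},
    {"ip": "203.0.113.5", "asn": 64500, "status": 200},
    {"ip": "192.0.2.10", "asn": 16276, "status": 200},
]

TERM = re.compile(r"\(\s*ip\.geoip\.asnum\s+eq\s+(\d+)\s*\)")

def parse_asns(expr):
    """Return the ASNs of an or-chain of `ip.geoip.asnum eq N` terms.

    Any other term raises ValueError, so a typo in the rule is caught
    instead of being silently dropped from the list.
    """
    asns = []
    for term in re.split(r"\s+or\s+", expr.strip()):
        m = TERM.fullmatch(term.strip())
        if not m:
            raise ValueError(f"unsupported term: {term!r}")
        asns.append(int(m.group(1)))
    return asns

def compact(asns):
    """Render the same match as one set-membership expression."""
    return "(ip.geoip.asnum in {" + " ".join(str(a) for a in sorted(set(asns))) + "})"

def leaked(logs, asns, blocked_status=403):
    """Count requests per listed ASN not answered with the block status (assumed 403)."""
    listed = set(asns)
    return Counter(r["asn"] for r in logs
                   if r["asn"] in listed and r["status"] != blocked_status)

if __name__ == "__main__":
    asns = parse_asns(RULE)
    print(compact(asns))
    for asn, count in leaked(LOGS, asns).most_common():
        print(f"AS{asn}: {count} requests not blocked")
```
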