WAF ASM / Advance WAF
F5 WAF
Brute force mitigation options
Anomaly – identify the criteria that fail too many times and apply prevention policy on it
Anti bot – identify the attack agent as bot and apply prevention policy on it
Source IP – identify the attack agent origin from which the attack is originating and apply prevention policy on it
Signature – identify a pattern of the exploit or the attack agent in the payload and apply prevention policy on it
2. • Get security assistance
when you are under attack !
•
•
•
•
•
• F5SIRT@f5.com
• https://f5.com/support/security-incident-response-team-sirt
F5 Security Incident Response Team (F5 SIRT)
4. •
“ In cryptography, a brute-force attack consists of an attacker
trying many passwords or passphrases with the hope of
eventually guessing correctly. The attacker systematically
checks all possible passwords and passphrases until the
correct one is found.”
I brute forced it
9. Logging profile:
• Log illegal request – can also be log all request but
consider performance before
• Enable application security
• Verify that “login results” is checked - this will help
us to verify that the login fail / success criteria is
working ok. Note that this is not on by default.
• Optional – enable bot defense logging
36. Hacktivism
BF Bot
Unidentified User
User
Source IP‘s
Users n Bots
App
User
If reached thresholds for IP based then:
Only X amount of request is allowed from this IP
Example: Any IP that fails more then 2 times / 10 seconds will send
only history amount of request = attack slow down + less false positive
37. Hacktivism
BF Bot
Unidentified User
User
Source IP‘s
Users n Bots
User
If reached thresholds for URL based then:
Only history amount of request is allowed to this URL for all IP’s
App
Example: Any IP that access the URL that counted 10 failed login / 10
seconds will be rate limit to the history
38. Hacktivism
BF Bot
Unidentified User
User
Source IP‘s
Users n Bots
App
User
Source IP that has 2 failed login /
10 sec will get CSID to see
browser – pass / bot – block
Example: Any IP that failed login 2/10 sec (or 10% increase of
ratio) will get CSID and if will not qualify be blocked
39. Hacktivism
BF Bot
Unidentified User
User
Source IP‘s
Users n Bots
User
ANY IP that failed login threshold reached will get CSID
App
Example: URL failed login reached 10 per 10 second so every IP will get
CSID and will be blocked if not a browser
42. Good coverage
• Main changes:
• Same concept for access
validation – sting to failed login
• Source based can track :
• User name
• Device ID
• IP address
• Distributed mode
• Credentials Stuffing
• Easy to configure with simple
thresholds
47. •
• By source IP – measure RPS increase from the IP
• By Device ID – measure RPS increase of a device ID
• By Geolocation – measure PRS increase from country
• By URL – measure RPS increase on a URL
•
•
•
•
•
Is stress based good in
this case ? No
54. Simple & Impersonating Bots
Bots with cookies / JS capabilities
Bots acting as full browser
Client Capabilities
CAPTCHA Challenge
CSID
Bot Signatures
ASM Signatures
CAPTCHA Challenge
55.
56. Client Side Integrity Defense - Flow
User Browser DoS Profile App
First main page access
HTTP Request (no cookie)
Computational challenge
Solve challenge/
set cookie with time stamp
HTTP Request (cookie) Reconstruct request
Original HTTP Request
HTTP Response (main page)
HTTP Response (main page)
More object requests (cookie)
Validate cookie: format & time stamp
More object requests
More responses
More responsesDeliver page
• This is the flow and
timeline of events.
• Transparent to the user,
done under the hood
• Note that request is held at
the ASM and not arriving
the app until checks are
satisfied
• Not all checks are
described here, some are
internal IP.
Send JS test
57. User Browser DoS Profile App
Request login.php
GET /login.php (no cookie)
CAPTCHA HTML +JS response
Cookie with time stamp
Solve
CAPTCHA
CAPTCHA rendered
Submit CAPTCHA
solution
GET /mypage.php + CAPTCHA
cookie
Verify CAPTCHA solution
Validate cookie
GET /mypage.php
HTML of mypage.php
HTML of mypage.php
mypage.php
rendered
Send
CAPTCHA
• While the system is still in a
state of attack the offending
source will be presented with
another CAPTCHA every 5
min.
• Same as CSID, request is
held at the ASM until
CAPTCHA is solved
58. User Browser DoS Profile App
First request GET /sell.php
GET /sell.php (no cookie)
Client Capabilities Challenge response
Return Client Capabilities
verification
Reconstruct request
HTTP Response (cookie)
HTTP Response
GET /img.png (cookie)
Blank page & Set cookie
Original HTTP Request + cookie
Authenticate and decrypted JS results,
Compute browser score based on result
Determine an action based on score
GET /img.png (cookie)
Validate cookie:
format & time stamp
69. when HTTP_REQUEST {
if { ( [HTTP::uri] eq "/index.aspx" && ![HTTP::header exists "Referer"] && [[HTTP::header “User-Agent”]
contains “Firefox/2.2.2”] ) } {
# log and drop the request as invalid
log local0. “INCIDENT - Blocking request from [IP::remote_addr]"
} else {
#Allow this request as a Referer is present
}
}
This training is provided by the F5 Security Incident Response Team (SIRT)
Please E-mail any security related inquiries to <CLICK> f5sirt@f5.com
I have used my own DSMM – Defensive Security Management Methodology . The book is on the way
To consider it failed login: - it this true – i.e. true condition = failed login
Can drop valid users. valid users are for example IP that fails 4 time per 1 minute – likely or not ? It depends
Does CSID will be send to only those who access the URL or for every URL
Is stress based good in this case ? No
This animation illustrates the sequence of events from the initial user request through successful completion of the CAPTCHA challenge.
It is similar to Client side integrity defense concept.
Another advantage is that by sending CPAPTHA to client that their thresholds increase will have an effect of delaying the user since it will take time until solving the CAPTCHA challenge.
Once the CAPTCHA challenge is solved the client will have a cookie that will be validate each request for format and time stamp.
After 5 minutes ASM will issue a new CAPTCHAto this client ( keep in mind that this client (source IP or other detections) is exceeding the defined thresholds in the IP detection criteria therefore we can send him CAPTCHA’s as he is a suspect for causing dos)
The first request arrives to the proactive bot defense with no cookie.
The proactive bot defense holds the request and sends the Client Capabilities script back to the browser. Note that the request doesn’t arrive at the server at this point.
The java script then scans the browser and returns results to the proactive bot defense .
Proactive Bot Defense then authenticates and decrypts the java script. The browser score is computed based on the two database comparisons, and finally the action that will be taken is determined. If the score is between 0 and 59, then another response is sent to the browser with a set cookie inside a blank page.
Then the request arrives to the proactive bot defense with the cookie and the original request is sent to the web server.
The following requests will be validated for cookie format and timestamp.
The entire flow describe here is transparent to the user and causes only a minor delay from the web server.
For any question or feedback please send an email to lior@f5.com or the f5sirt@f5.com
I’m also at:
https://twitter.com/Rotkovitch
https://www.linkedin.com/in/lior-rotkovitch-b796909/
http://cybersoc.net