
brandon_liew_ch
Sep 11, 2013

[/apple-touch-icon.png]

Hi, lately I saw a lot of traffic dropped by the F5 ASM firewall. As I am very new to F5, may I know the reason the F5 detected it as - Non-browser Client -? Does it mean that mobile users running Android with the Dolphin web client will get blocked by F5 when they access our website? Also, is it a real attack? How can I ignore it?

 

I tried installing a Dolphin client on my Android device but I don't encounter any problem accessing the website. May I know how the F5 ASM triggers this as an attack?

 

Thanks

 

GET /apple-touch-icon.png HTTP/1.1
Accept-Encoding: gzip
Connection: Keep-Alive
Host: www.xyz.com
User-Agent: Dolphin http client/10.0.3(238) (Android)
X-Forwarded-For: xxx.xxx.xxx.xx

 

Accept-Encoding:0x20gzip0xd0xaConnection:0x20Keep-Alive0xd0xaHost:0x20www.xzz.com0xd0xaUser-Agent:0x20Dolphin0x20http0x20client/10.0.3(238)0x20(Android)

 

  • Does that second line of output actually have all the 0x20 etc. HTTP codes or is that just how DC has mangled it?

     

    What makes you think it's the Dolphin clients that are identified as Non-browser clients? I don't see any evidence for that in your post.

     

  • it is possible that it only affects certain versions of the dolphin browser, that perhaps send their User-Agent string wrong so the ASM doesn't recognize it.

     

    if you test it yourself, do you find blocks in the ASM event report? if possible you can set logging on all requests and then compare your request with dolphin browser with the one that is blocked.

     

    this is signature based, so perhaps there is a signature update which solves this.

     

  • Hi, yes, it actually has 0x20. I copied and pasted the output here. Sorry, may I know what you mean by DC? I have no idea why the F5 detected it as - Violation - Attack signature detected - Automated client access (http client)

     

    Detected Keywords

    Accept-Encoding:0x20gzip0xd0xaConnection:0x20Keep-Alive0xd0xaHost:0x20www.xyz.com0xd0xaUser-Agent:0x20Dolphin0x20http0x20client/10.0.3(238)0x20(Android)0xd0xaX-Forwarded-For:0xxx.xx.xx.680xd0xa0xd0xa

     

    • What_Lies_Bene1
      DC is this site, DevCentral. Ah OK, understood. I'm not that familiar with ASM but can you not manually add this user agent? Can you observe the user agent sent when you use your phone, when it works?
    • boneyard
      you can't add it manually, this is a built-in signature, that's why i suggest the update, might be something that is captured now. it is detected for some reason, the exact one is difficult as we can't really look into built-in signatures, so if it is an issue you disable the signature. if you want to get to the bottom contact TAC.
    • Torti
      Do you now understand why the ASM sees this request as an attack? It is no "bug", it's a feature :-) You did say "Automated client access (http client)". So, you did explain your problem. There is an "http client" entry in the User-Agent header. If you want to allow Dolphin browser to access your content, you have to deactivate the signature. This browser seems to be the only one containing the string "http client" as part of the User-Agent.
  • Noted. Thanks for the reply. I just want to know why and how it triggers the attack signature. I have tried to use a similar version of the Dolphin browser to access the website but I can't create a similar outcome.

     

  • if you want to know for sure the best would be to open a ticket with F5 support, they can actually look at the signatures and determine the exact cause.

     

    as i said before the likely cause is that some dolphin browsers send a User-Agent header which doesn't match the list F5 uses. or some other tool uses the dolphin User-Agent header wrongly.

     

    the version you are using probably has a known User-Agent header and therefore isn't blocked.

     

    to see if this is true you can either capture traffic when you are browsing through the ASM or turn on logging all requests (instead of only illegal ones) on the ASM and look up your request. the difference between your User-Agent header and the blocked one might provide a clue. but it still will be an assumption then, for an absolute answer log a ticket with F5 support (and please relay the answer here).
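An added example, not part of any poster's reply and not F5 code: it decodes the "Detected Keywords" string from this thread back into HTTP headers and compares the blocked User-Agent with one from a request that was allowed. It assumes the log writes space and control bytes as unpadded lowercase `0x` hex, as the sample suggests; the token list is hypothetical (taken from the "http client" reading in the replies), and the allowed User-Agent is constructed.

```python
import re

_ESC = re.compile(r"0x([0-9a-f]{1,2})")

def decode_keywords(text):
    """Undo the 0x.. escaping seen in the ASM 'Detected Keywords' field."""
    out, i = [], 0
    while i < len(text):
        m = _ESC.match(text, i)
        if not m:
            out.append(text[i])
            i += 1
            continue
        digits = m.group(1)
        # "0xd0xa" must read as 0xd + 0xa, not 0xd0: a two-digit value above
        # 0x20 is treated as a one-digit escape (assumption: only space and
        # control bytes are escaped in this log format).
        if len(digits) == 2 and int(digits, 16) > 0x20:
            digits = digits[0]
        out.append(chr(int(digits, 16)))
        i += 2 + len(digits)
    return "".join(out)

def parse_headers(raw):
    """Turn decoded CRLF-separated header lines into a dict."""
    headers = {}
    for line in raw.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return headers

def suspect_tokens(user_agent, tokens=("http client",)):
    """Return the hypothetical signature tokens found in a User-Agent."""
    ua = user_agent.lower()
    return [t for t in tokens if t in ua]

# Sample from the thread, without the redacted X-Forwarded-For header.
BLOCKED = ("Accept-Encoding:0x20gzip0xd0xaConnection:0x20Keep-Alive0xd0xa"
           "Host:0x20www.xyz.com0xd0xaUser-Agent:0x20Dolphin0x20http0x20"
           "client/10.0.3(238)0x20(Android)0xd0xa0xd0xa")
# Constructed User-Agent standing in for the request that was not blocked.
ALLOWED_UA = ("Mozilla/5.0 (Linux; U; Android 4.1.2; en-us) AppleWebKit/534.30 "
              "(KHTML, like Gecko) Version/4.0 Mobile Safari/534.30")

if __name__ == "__main__":
    blocked_ua = parse_headers(decode_keywords(BLOCKED))["User-Agent"]
    print("blocked:", blocked_ua, suspect_tokens(blocked_ua))
    print("allowed:", ALLOWED_UA, suspect_tokens(ALLOWED_UA))
```

The blocked request uses the HTTP library's own User-Agent rather than the browser's page-rendering one, which is why a manual test from the Dolphin browser UI may not reproduce the violation.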

     

  • thanks for the clear input. I think I will open a ticket with F5 and see what their feedback is on this matter. Every day I see thousands of blocked requests from the same attack.

     

  • This is because the device is looking for a startup screen. It's basically a favicon for Apple iOS devices. I would recommend putting a logo or picture within your webapp.

     

    Go here for more info: https://developer.apple.com/library/ios/documentation/AppleApplications/Reference/SafariWebContent/ConfiguringWebApplications/ConfiguringWebApplications.html