Forum Discussion
ASM and targeted form exploitation
Hi,
I am looking for real-life experiences/advice related to protecting against very precise, automation-based form filling. The main point here is that the whole process is not violating any application logic, is not using fake data, and is not used to exhaust server resources. This is a completely legitimate transaction using real data to fill the form. The people behind it are very skilled in circumventing any new protections. All built-in features of ASM/LTM are already deployed: security policies (not of great use, as there are not really any serious attacks launched), DoS profiles, Web Scraping (those are catching some attempts to auto-fill and post forms), connection limits on the virtual, etc. We are not talking about some generic bots or scripts used to detect a form and fill it with some crap data. All kinds of default challenges like redirect, JavaScript, and captcha are circumvented very fast. I suspect that headless browsers are used for that (like PhantomJS or CasperJS), so mouse movements or keystrokes with randomization can be used here.
Any ideas/advice on what kind of additional protection can be used? Especially, how to reliably detect automation attempts using the mentioned headless browsers?
Piotr
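The detection question above asks how a headless browser can be told apart from a person. The following is an added example, not code from the thread or from F5: a client-side fingerprint check for the headless indicators that PhantomJS-era tools are known to expose (`window.callPhantom`/`window._phantom`, a `PhantomJS` or `HeadlessChrome` user agent, `navigator.webdriver`), a small telemetry collector for the mouse/keystroke behaviour the poster mentions, and a server-side scorer that turns both into a risk decision. The signal names, weights and thresholds are illustrative assumptions, and the sample `window` objects in the comments are constructed for the demonstration.

```javascript
// Added example (not from the thread or F5). Assumes nothing beyond plain
// browser globals; functions take a window-like object so they can be unit
// tested outside a browser with constructed objects.

// Strong indicators: PhantomJS injects callPhantom/_phantom into window and
// names itself in the UA; WebDriver-driven browsers set navigator.webdriver.
// The remaining checks are weak: easy to spoof, useful only in aggregate.
function headlessSignals(win) {
  const nav = win.navigator || {};
  const signals = [];
  if ('callPhantom' in win || '_phantom' in win) signals.push('phantomjs_globals');
  if (/PhantomJS|HeadlessChrome/i.test(nav.userAgent || '')) signals.push('headless_ua');
  if (nav.webdriver === true) signals.push('navigator_webdriver');
  if (!nav.languages || nav.languages.length === 0) signals.push('no_languages');
  if (nav.plugins && nav.plugins.length === 0) signals.push('no_plugins');
  if (win.outerWidth === 0 && win.outerHeight === 0) signals.push('zero_outer_size');
  return signals;
}

// Telemetry collector. In a real page wire it up with
//   form.addEventListener('mousemove', tel.onMouseMove);
//   form.addEventListener('keydown', tel.onKey);
// and post tel.snapshot() alongside the form fields. `now` is injectable so
// the cadence logic can be tested with a fake clock.
function createTelemetry(now = () => Date.now()) {
  const loadedAt = now();
  const keyTimes = [];
  let mouseMoves = 0;
  return {
    onMouseMove() { mouseMoves += 1; },
    onKey() { keyTimes.push(now()); },
    snapshot() {
      const keyIntervals = [];
      for (let i = 1; i < keyTimes.length; i++) keyIntervals.push(keyTimes[i] - keyTimes[i - 1]);
      return { fillMs: now() - loadedAt, mouseMoves, keyIntervals };
    },
  };
}

// Ratio of standard deviation to mean; a human typist produces a wide spread,
// a fixed-delay script produces almost none. Returns null when undefined.
function coefficientOfVariation(xs) {
  if (xs.length < 2) return null;
  const mean = xs.reduce((a, b) => a + b, 0) / xs.length;
  if (mean === 0) return null;
  const variance = xs.reduce((a, x) => a + (x - mean) ** 2, 0) / xs.length;
  return Math.sqrt(variance) / mean;
}

// Server-side scorer (weights are illustrative assumptions). The output is a
// risk score feeding a step-up challenge, not a hard block, because every
// input here can be faked by a determined operator.
function automationScore(signals, telemetry) {
  const strong = ['phantomjs_globals', 'headless_ua', 'navigator_webdriver'];
  const reasons = [];
  let score = 0;
  if (signals.some((s) => strong.includes(s))) { score += 60; reasons.push('headless_signal'); }
  const weak = signals.filter((s) => !strong.includes(s)).length;
  if (weak > 0) { score += 10 * weak; reasons.push('weak_fingerprint'); }
  if (telemetry.mouseMoves === 0) { score += 15; reasons.push('no_mouse'); }
  if (telemetry.fillMs < 2000) { score += 15; reasons.push('fast_fill'); }
  const cv = coefficientOfVariation(telemetry.keyIntervals);
  if (telemetry.keyIntervals.length >= 5 && cv !== null && cv < 0.1) {
    score += 20; reasons.push('uniform_cadence');
  }
  score = Math.min(score, 100);
  const action = score >= 60 ? 'challenge' : score >= 30 ? 'monitor' : 'allow';
  return { score, reasons, action };
}
```

The design point, matching the poster's concern about randomized input: each signal on its own is bypassable, so the scorer treats the fingerprint and the behavioural telemetry as evidence to be combined and routed to a step-up challenge or to per-account velocity limits, rather than as a single yes/no test that a skilled operator can learn and defeat once.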
10 Replies
- Michael_Koyfman
Cirrocumulus
I highly suggest trying version 12 and using Proactive Bot Detection in the L7 DDoS profile. There are significant improvements in v12 with respect to the ability to detect headless browsers such as PhantomJS, etc.
- dragonflymr
Cirrostratus
Hi, Thanks for the info. Do you have any info on what exactly was implemented, or, as I guess, is it an F5 secret? I am still wondering how it can stand up against a targeted attack performed by really skilled persons knowing that ASM is used for protection. Piotr
- Michael_Koyfman
Cirrocumulus
Piotr, Yes, as you guessed, it is the F5 secret. In general, as you know, for every malicious activity there is a countermeasure, and F5 continues to improve the countermeasures against various types of bots and automated hacking mechanisms. While nothing is guaranteed, I suggest you try out v12 and see if the new features are effective in combating the activity you're seeing.
- dragonflymr
Cirrostratus
Hi, Thanks for the info. Do you know any good links (not only F5) about identifying and blocking bots based on headless browsers? Piotr
- Michael_Koyfman
Cirrocumulus
Take a look at Distil Networks -- this is what they do, and they complement (not replace) ASM.
- dragonflymr
Cirrostratus
Thanks, looks really interesting. Piotr