Forum Discussion
Attack Signature for WordPress Spam
The company I work for is being hammered by various distributed botnets that are sending us web traffic containing form posts intended for WordPress. Basically, the botnets are trying to post WordPress comments anywhere they can.
The solution I'd like to try is to load a custom attack signature that filters all traffic containing a form field named "comment". Since this isn't a valid form field on our end, I'm comfortable trying this approach.
Can anyone help me with what I'd want to enter as the attack signature definition to make this work? Or am I missing something and an attack signature isn't the right way to implement this?
Many thanks,
Dan
P.S. -- We're running version 10.2.4
1 Reply
- Torti
Cirrus
Hi,
I think there are different ways to block such bot requests.
1. You can use the web scraping feature to detect bots - https://devcentral.f5.com/tech-tips/articles/more-web-scraping-bot-detection
2. You can use an iRule to check the query for the parameter "comment". If it is inside --> redirect or response. But you have to be sure there is no application using this parameter.
3. Define a parameter "comment" in the parameter list with a static value like "1" or anything else.
I don't know anything about writing attack signatures.
regards
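
A sketch of the iRule approach from option 2, added here as an illustration and not code from either poster. It checks both the query string and a URL-encoded POST body for a parameter named "comment"; the 403 response and the 64 KB inspection cap are assumptions to adjust for the site.

```tcl
# Added example: block requests carrying a form field named "comment".
# Assumes no legitimate application behind this virtual server uses that name.
when HTTP_REQUEST {
    set blocked 0

    # Case 1: parameter appears in the query string (?comment=... or &comment=...)
    if { [regexp {(^|&)comment=} [HTTP::query]] } {
        set blocked 1
        HTTP::respond 403 content "Forbidden"
        return
    }

    # Case 2: form post. The field is in the body, so the body must be
    # collected before it can be inspected.
    if { [HTTP::method] eq "POST" } {
        set ctype [string tolower [HTTP::header "Content-Type"]]
        if { $ctype starts_with "application/x-www-form-urlencoded" } {
            set len [HTTP::header "Content-Length"]
            if { $len ne "" && [string is integer -strict $len] && $len > 0 } {
                # Cap the amount buffered per request (assumed limit: 64 KB)
                if { $len > 65536 } { set len 65536 }
                HTTP::collect $len
            }
        }
    }
}

when HTTP_REQUEST_DATA {
    # Fires once the collected body is available
    if { !$blocked && [regexp {(^|&)comment=} [HTTP::payload]] } {
        HTTP::respond 403 content "Forbidden"
    }
}
```

The match is on the literal field name, so a request that percent-encodes the name or sends it as multipart/form-data is not covered by this sketch; test it against real traffic before relying on it.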
