Bot Protection marks Samsung Internet as malicious

Question

Hello,We have discovered that after Samsungs latest upgrade of the built in "Internet" (Samsung Internet Browser) 17.0.1.69, the bot protection both in transparent and blocking mode adds the cookie who is responsible for marking the device as malicious.&nbsp;When logging, we can see that first visit it is just a regular device. No bot, no malicious activity and so on. Next refresh of the site will immediately make a Connection Reset. Dumping pcap shows that handshake is done and Application data begins then it stops.&nbsp;With that said. If you remove this cookie, everything works fine again. It is a TS****** with a expire date seven weekdays of the first visit. Then you need to clear cache and cookies on the device to get it to happen again.&nbsp;We are still looking for a solution, adding the browsers user agent will not fix the issue for us.&nbsp;Hope that this will help anybody in our seat looking for a solution. I will keep you updated if we find anything that will solve the issue,Fredrik

nikoolayy1 · Answer

Yes better see with F5 TAC but it is strange if you are still blocked in everything in transperant mode as it seems as another bug except if for some reason it is the DDOS profile blocking you by device id or the Bot protection has created a dynamic ddos signature or "DoS Attack Mitigation Mode" on the Bot profile to activate DDOS profile:
&nbsp;
https://community.f5.com/t5/technical-forum/device-id-bot-dos-profile/td-p/265837?nocache=https:%2F%2Fdevcentral.f5.com%2Fs%2Fquestion%2F0D51T00008XHWzESAX%2Fdevice-id-botdos-profile
&nbsp;
https://clouddocs.f5.com/training/community/ddos/html/class7/bados/module4.htmlhttps://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/big-ip-system-dos-protection-and-protocol-firewall-implementations-14-0-0/07.html
&nbsp;
https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/configuring-bot-defense.html
&nbsp;

fredrik_daniels · Answer

Looks like this&nbsp;Solved: Device ID - Bot/Dos Profile - DevCentral (f5.com)&nbsp;Device ID Mode : Generate After Access solves the issue. 🙂&nbsp;After that change, i can also see the logs. Bot protection thinks this:We are having a case with TAC. See if we can solve this.Thanks for all help!Best regards,&nbsp;Fredrik&nbsp;

nikoolayy1 · Answer

Why don't you add the bot as an exception "Mitigation Settings Exceptions" or Whitelist the source IP for the Bot protection:
&nbsp;
https://support.f5.com/csp/article/K42323285
&nbsp;

fredrik_daniels · Answer

Hi!We have done this both with contains SamsungBrowser/17.0 and added it as exception. We can't whitelist on IP unfortunately. I will however look into the article again if i have missed something.Best regards,&nbsp;

nikoolayy1 · Answer

Your Bot Protection is the F5 Advanced WAF (ASM) Bot protection right? You do not use Shape security with F5 Big-IP?
&nbsp;
Also from some bugs in the bug tracker you may try stopping the browser verification or Change browser_legit_min_score_drop sys db to be higher value.
&nbsp;
https://cdn.f5.com/product/bugtracker/ID693782.html
&nbsp;
https://cdn.f5.com/product/bugtracker/ID745531.html
&nbsp;
https://cdn.f5.com/product/bugtracker/ID742852.html
&nbsp;
As I see many issues with different browsers better open F5 case so they can add this to the Bug tracker for Samsung.

Forum Discussion

Bot Protection marks Samsung Internet as malicious

Recent Discussions

Statistics ›› Analytics : HTTP : Overview

VS FORWARDING & ROUTE

Diameter iRules attachment?

Source IP F5 DNS Zone Forwarder

F5 BIG-IP

Related Content

Protect an application exposed on Internet with F5 XC WAAP

Windows Critical RCE Vulnerability, Malicious Solana-py, and EDRKillShifter

L7 DoS Protection with NGINX App Protect DoS

Automation of Malicious User detection/mitigation using F5 Distributed Cloud Platform

Bot Management Strategy - Defense against malicious bots with F5 Distributed Cloud Bot Defense

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS