Brute force attackprevention ASM

Question

Hi,&nbsp;
Could somebody help me out with the following questions please?&nbsp;
-How can we configure a progressive delay? The idea is to delay the user for: 5 sec -&gt; 25 sec -&gt; 1 min -&gt; 5 min -&gt; 1 hour
-Is it possible to configure a minimum delay between any login attempt (even correct ones) on F5 to for instance 1 sec?&nbsp;
-What error message or response (http status code, …) are given by the F5 when blocking login attempts?&nbsp;
Thanks in advance.&nbsp;

samstep · Answer

ASM Brute-force protection does not delay attackers who exceed the configured thresholds of failed login attempts, it blocks them (if in Blocking mode of course), so there is no "Progressive delay" however there is a "blocking duration", e.g. if an attacker exceeded 20 failed login attempts per second you block them for 10 minutes. If they come back after 10 minutes and carry on the attack you block them for further 10 minutes.&nbsp;
If you want some sort of "progressive delay" using time delay as per your description it can be done by developing a custom iRule, but in this case I struggle to understand why you need it as ASM has a built-in mechanism for dealing with such cases using statistical analysis of failed login attempts. I believe these will achieve the same or a similar goal you are after.&nbsp;
Here are the Brute Force Detection settings:&nbsp;
Minimum Failed Login Attempts: X/second&nbsp;
Indicates an attack if, for all IP addresses tracked, the number of failed login attempts is equal to, or greater than, this number. This setting prevents false positive attack detection. The default value is 20 login attempts per second.&nbsp;
Failed Logins Attempts increased by X%&nbsp;
Indicates an attack if, for all IP addresses tracked, the ratio between the detection interval and the history interval is greater than this number. The default value is 500 %.&nbsp;
Failed Login Attempts Rate reached X/second&nbsp;
The system considers unsuccessful login attempts to be an attack if, for all IP addresses tracked, the login attempt rate reaches this number. The default value is 100 login attempts per second.&nbsp;
Re: Blocking error message/HTTP response - can be anything you want to configure, it is absolutely flexible&nbsp;

Forum Discussion

Brute force attackprevention ASM

Recent Discussions

Http / https health monitor issue

F5-SDK Get GTM Pool Server, Virtual Server, Unused Objects, and JSON Conversion for Data Processing

F5 DNS Generic Host

How do I create a traffic log for two different route domains?

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

Related Content

Brute Force protection for single parameter like OTP

HTTP Brute Force Mitigation Playbook: Bot Profile for Brute Force Mitigations - Chapter 5

HTTP Brute Force Mitigation Playbook: BIG-IP LTM Mitigation Options for HTTP Brute Force Attacks - Chapter 3

HTTP Brute Force Mitigation Playbook: Slow Brute Force Protection Using Behavioural DOS - Chapter 6

iRule for Brute Force Password Guessing Attacks

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS