Forum Discussion
F5 ASM: How to prevent site from being used to validate stolen credit card numbers
- Sep 10, 2020
Yes, you can leverage session tracking and Data Guard to mitigate this. Your goal is to configure session tracking to allow clients a fixed number of incorrect "guesses" per minute. This gives legit clients a chance to correct their mistake--before a sixth wrong guess gets blocked for a duration of your choosing. First, go to the learning and blocking settings page, and ensure the violation Data Guard: Information leakage detected is set to block (optionally you can do learn and alarm also). Then configure the Sessions and Logins violation Access from disallowed User/Session/IP to block. Second, go to your Data Guard settings, enable Data Guard, and then configure a Custom Pattern which matches the failure criteria your application is sending in the response payload--probably a string that says "invalid number" or "try again" or something like that. Third, add the URL you wish to protect (this is the one that is getting repeated hits). Fourth, go to Session Tracking Configuration, and enable Session Awareness. Fifth, enable the option to Track Violations and Perform Actions, and then define the Violation Detection Period as 60 seconds. Sixth, enable IP Address Threshold for 5 violations and Delay Blocking Period for 3600 seconds. Directly below the Delay Blocking Period settings, you can see the list of Associated Violations. Move the Data Guard: Information leakage detected violation from Available to Selected. This allows legit clients to make 5 login mistakes in 60 seconds, and the sixth mistake results in that client getting blocked for an hour. That should make the bad actor move on to some other target. If you like, you can specify that if a client generates 10 Data Guard violations in 60 seconds, then the Block All Period is Infinite--basically that client/session is shut down forever.
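To make the policy semantics of the answer above concrete, here is an added Python simulation of the same logic (this is illustrative code written for this page, not F5 ASM code or its configuration format). It assumes the thread's values: a 60-second Violation Detection Period, an IP Address Threshold of 5 Data Guard violations with a 3600-second Delay Blocking Period, and a Block All (infinite) escalation at 10 violations. The Data Guard custom pattern (`invalid number` / `try again`), the IP addresses and the response bodies are constructed sample data; the assumption that requests arriving from an already-blocked IP also count as violations (the answer sets Access from disallowed User/Session/IP to block) is mine, and it is what lets a client that keeps hammering while blocked reach the infinite threshold.

```python
"""Simulation of ASM-style session tracking thresholds (illustrative, not F5 code)."""
import re
from collections import defaultdict, deque

# Settings taken from the forum answer; these are the thread's values, not F5 defaults.
VIOLATION_DETECTION_PERIOD = 60   # seconds: sliding window for counting violations
IP_ADDRESS_THRESHOLD = 5          # violations tolerated inside the window
DELAY_BLOCKING_PERIOD = 3600      # seconds the IP is blocked once the threshold is exceeded
BLOCK_ALL_THRESHOLD = 10          # violations inside the window -> Block All Period Infinite
INFINITE = float("inf")

# Assumed Data Guard custom pattern; the real pattern depends on the app's failure text.
FAILURE_PATTERN = re.compile(r"invalid (card )?number|try again", re.IGNORECASE)


class SessionTracker:
    """Per-IP violation counting with delay blocking and block-all escalation."""

    def __init__(self):
        self.violations = defaultdict(deque)  # ip -> timestamps of violations in the window
        self.blocked_until = {}               # ip -> epoch seconds (or INFINITE)

    def _record_violation(self, ip, now):
        """Append a violation and drop those outside the detection period; return the count."""
        window = self.violations[ip]
        window.append(now)
        while window and now - window[0] >= VIOLATION_DETECTION_PERIOD:
            window.popleft()
        return len(window)

    def _escalate(self, ip, now, count):
        if count >= BLOCK_ALL_THRESHOLD:
            self.blocked_until[ip] = INFINITE            # Block All Period: Infinite
        elif count > IP_ADDRESS_THRESHOLD:
            # Sixth violation inside the window: delay blocking for an hour
            self.blocked_until[ip] = max(self.blocked_until.get(ip, 0),
                                         now + DELAY_BLOCKING_PERIOD)

    def handle(self, ip, now, response_body):
        """Decide the WAF action for one request/response pair from `ip` at time `now`."""
        if now < self.blocked_until.get(ip, 0):
            # Access from disallowed IP: blocked, and (assumption) still counted as a violation
            self._escalate(ip, now, self._record_violation(ip, now))
            return "BLOCK_ACCESS"
        if not FAILURE_PATTERN.search(response_body):
            return "ALLOW"                               # no information leakage detected
        # Data Guard: Information leakage detected (violation set to block)
        self._escalate(ip, now, self._record_violation(ip, now))
        if now < self.blocked_until.get(ip, 0):
            return "BLOCK_ACCESS"
        return "BLOCK_RESPONSE"                          # this response blocked, client not yet disallowed


def simulate(events, tracker=None):
    """events: iterable of (timestamp, ip, response_body). Returns ({ip: [actions]}, tracker)."""
    tracker = tracker or SessionTracker()
    actions = defaultdict(list)
    for t, ip, body in sorted(events):
        actions[ip].append(tracker.handle(ip, t, body))
    return dict(actions), tracker


# Constructed sample traffic: a legitimate shopper mistypes twice, then succeeds;
# a card tester submits a new number every second for twelve seconds.
SAMPLE_EVENTS = [
    (0, "198.51.100.7", "Invalid card number, please try again"),
    (5, "198.51.100.7", "Invalid card number, please try again"),
    (9, "198.51.100.7", "Order confirmed"),
] + [(t, "203.0.113.9", "Invalid number") for t in range(1, 13)]


if __name__ == "__main__":
    acts, tr = simulate(SAMPLE_EVENTS)
    for ip, seq in acts.items():
        print(ip, seq, "blocked_until=%s" % tr.blocked_until.get(ip))
```

Running the sample shows the shopper receiving two blocked error responses and then an allowed one, while the tester is blocked for an hour on the sixth attempt and permanently once ten violations accumulate inside the 60-second window. The window check uses `now - first >= 60` to prune, so a client whose sixth mistake falls exactly 60 seconds after the first is not blocked, matching "5 mistakes in 60 seconds".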