I wonder Brute Force in ASM
I am wondering about the brute force feature that changed with this version of 13.1.0.1. I have been looking for help, but I am aware of the user name, device ID, and IP address, but I wonder when the rest of the conditions are triggered. I'm also curious about the rest of the features.
- Daniel_Varela
Employee
Be careful with that version, there are a couple of bugs related to Brute force protection. It is highly recommended to upgrade to HF2.
- Erik_Novak
Employee
There are some significant improvements in v13.1.0.1: First of all, in the Configuration utility the feature is now called "Source-based Brute Force Protection", not "Session-based Brute Force Protection."

As you noted, ASM monitors user name, Device ID, and IP addresses, which can be "sources" of brute force attacks. ASM counts the failed login attempts per Username, Device ID, and IP Address sources, as configured by you. A separate count is kept for each of these sources. When one of the source’s counters is higher than the threshold, the enforcement mitigation is applied. We ease into the mitigation actions--starting with Alarm only, then Alarm and client-side identity check, which forces the client to identify itself, then Alarm and CAPTCHA, and finally escalate to Alarm and Drop.

There are some nifty new features, such as a Honey Pot page, which can be configured to keep attackers busy. Does this help?
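A conceptual model of the per-source counting described in the answer above, as an added example that is not part of the original thread and is not F5 code. The threshold values, the sample events, and the rule that each further failure past the threshold moves one step up the ladder are assumptions; the thread does not say what triggers each escalation step.

```python
from collections import defaultdict

# Mitigation ladder, in the order the answer lists it.
LADDER = ["Alarm", "Alarm and client-side identity check",
          "Alarm and CAPTCHA", "Alarm and Drop"]
THRESHOLDS = {"username": 3, "device_id": 3, "ip": 3}  # assumed values

class SourceCounters:
    """Toy model: a separate failed-login count per (source type, value)."""

    def __init__(self, thresholds):
        self.thresholds = thresholds
        self.failures = defaultdict(int)

    def record_failed_login(self, username, device_id, ip):
        """Count one failure per source; return (action or None, tripped sources)."""
        worst, tripped = -1, []
        for kind, value in (("username", username), ("device_id", device_id), ("ip", ip)):
            if kind not in self.thresholds or value is None:
                continue  # source not configured, or not known for this request
            self.failures[(kind, value)] += 1
            over = self.failures[(kind, value)] - self.thresholds[kind]
            if over > 0:  # counter is higher than the threshold
                tripped.append((kind, value))
                # Assumption: each further failure moves one step up the ladder.
                worst = max(worst, min(over - 1, len(LADDER) - 1))
        return (LADDER[worst] if worst >= 0 else None), tripped

def replay(events, thresholds=THRESHOLDS):
    model = SourceCounters(thresholds)
    return [model.record_failed_login(*event) for event in events]

# Constructed sample traffic (documentation IP ranges, made-up names).
# One client trying many usernames: only the device and IP counters grow.
SPRAY = [(f"user{i}", "dev-A", "198.51.100.7") for i in range(7)]
# Many clients trying one username: only the username counter grows.
DISTRIBUTED = [("alice", f"dev-{i}", f"203.0.113.{i}") for i in range(7)]

if __name__ == "__main__":
    for name, events in (("spray", SPRAY), ("distributed", DISTRIBUTED)):
        print(name)
        for n, (action, tripped) in enumerate(replay(events), 1):
            print(f"  failure {n}: {action} {tripped}")
```

The two replays show why the counts are kept separately: the first pattern never trips a username counter and the second never trips an IP or device counter, yet each is caught by the other source type.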