Forum Discussion

Jaspreetgurm's avatar
Jaspreetgurm
Icon for Altocumulus rankAltocumulus
Sep 10, 2021

OTP Flood Attack mitigation

We have application which is sitting behind our F5 WAF, where application receiving high voulme of OTP request on server to generate OTP SMS by attacker. People receiving unwanted OTP message on their mobile.

 

I have configured an iRule which limiting the request in 3 request in 5 min max and it is working. but attacker using different ISP ip to flood the OTP request.

 

Can someone please assist here, how to mitigate such attack with help of F5 WAF policy.

 

 

 

 

  • Hi ,

     

    sure. Can you explain in 3-4 sentences about the attack. As much as you know... Is it always same IP, rotating IP, always same user-agent string? Also please explain about the process of requesting an OTP.

    Knowing this can help to find the right mitigation strategy for your issue.

    Bonus question - do you have IP Intelligence licensed?

     

    KR

    Daniel

     

    • Jaspreetgurm's avatar
      Jaspreetgurm
      Icon for Altocumulus rankAltocumulus

      HI  

       

      Thanks for quick reply.

       

      IP rotating always, looks like at attacker setup some sort of script which has more than lakh phone numbers requesting for OTP same time.

       

      So can we mitigate such attacks.

       

       

       

       

      • Daniel_Wolf's avatar
        Daniel_Wolf
        Icon for MVP rankMVP

        Yes, I would setup a Bot Defense profile and I'd also enable Device ID in this profile.

        In this solution article you will find all settings for creating a Bot Defense profile explained.

        K42323285: Overview of the unified Bot Defense profile

        Additionally check out this lab guide from Agility 2021, it will give you some rough idea how to set up Bot Defense with Device ID.

        https://clouddocs.f5.com/training/community/waf/html/waf241/module1-elevated-bot/lab1/lab1.html

  • use the Microservice feature under bot profile.

    https://support.f5.com/csp/article/K42323285#sect3

     

    either use the predefined Treat protection like login Protection,Search Protection etc or

    use Custom Microservice Protection

     

    set a proper threshold under automate threat detection and mitigation action .

     

    other way create custom signature or bot signature which matches the attacker user agent (if it is something fissy)

     

  • Hi,

     

    Could you please help me with irule that you've configured.

     

    Regards,

    sumit

  • Hi Jaspreet

    Please help sharing the irule that you have mentioned in your post which limits the request to 3 request in 5 min max