OTP Flood Attack mitigation

Question

We have application which is sitting behind our F5 WAF, where application receiving high voulme of OTP request on server to generate OTP SMS by attacker. People receiving unwanted OTP message on their mobile.

I have configured an iRule which limiting the request in 3 request in 5 min max and it is working. but attacker using different ISP ip to flood the OTP request.

Can someone please assist here, how to mitigate such attack with help of F5 WAF policy.

daniel_wolf · Answer

Hi ,&nbsp;sure. Can you explain in 3-4 sentences about the attack. As much as you know... Is it always same IP, rotating IP, always same user-agent string? Also please explain about the process of requesting an OTP.Knowing this can help to find the right mitigation strategy for your issue.Bonus question - do you have IP Intelligence licensed?&nbsp;KRDaniel&nbsp;

jaspreetgurm · Answer

HI &nbsp;&nbsp;Thanks for quick reply.&nbsp;IP rotating always, looks like at attacker setup some sort of script which has more than lakh phone numbers  requesting for OTP same time. &nbsp;So can we mitigate such attacks.&nbsp;&nbsp;&nbsp;&nbsp;

daniel_wolf · Answer

Yes, I would setup a Bot Defense profile and I'd also enable Device ID in this profile.

In this solution article you will find all settings for creating a Bot Defense profile explained.

K42323285: Overview of the unified Bot Defense profile

Additionally check out this lab guide from Agility 2021, it will give you some rough idea how to set up Bot Defense with Device ID.

https://clouddocs.f5.com/training/community/waf/html/waf241/module1-elevated-bot/lab1/lab1.html

daniel_wolf · Answer

Hey ,&nbsp;could you mitigate the attack with a bot defense profile? In case you cannot share further details of the attack, you can DM me and I can try to help you.&nbsp;KRDaniel&nbsp;

jaspreetgurm · Answer

Hi Daniel,&nbsp;bot profiles is already configured with device ID enabled and enforcement mode is set to transparent in system.&nbsp;As i have verified other settings there is no brute force attack/DOS protection enabled for virtual server. The Application security policy configured with minimal protection as only few parameters are set to block or alarm.  Could you please suggest which parameters should be blocked ? &nbsp;Also could you please let me know how to collect such flood type request in application event logs to prepare report on it.&nbsp;thanks&nbsp;

Forum Discussion

OTP Flood Attack mitigation

Recent Discussions

Can you set Kerberos AAA server via session variable?

HTML Code injection Not detected by ASM

What will be happen to live and existing connections when failover HA BIG IP active-standby

SSL Offload and remove FQDN

High CPU utilization (100%).

Related Content

HTTP Post Flood mitigation with LTM

Mitigating JSON-based SQL injection with BIG-IP ASM / Advanced WAF Attack Signatures

Mitigating OWASP Web Application Risk: SSRF Attack using F5 XC Platform

Mitigating OWASP Web Application Risk: Broken Access attacks using F5 Distributed Cloud Platform

The HTTP/2 CONTINUATION frame attack

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS