Forum Discussion

Altocumulus

Sep 10, 2021

OTP Flood Attack mitigation

We have application which is sitting behind our F5 WAF, where application receiving high voulme of OTP request on server to generate OTP SMS by attacker. People receiving unwanted OTP message on thei...

ASM Advanced WAF

BIG-IP Access Policy Manager (APM)

security

Daniel_Wolf

MVP

Sep 10, 2021

Hi ,

sure. Can you explain in 3-4 sentences about the attack. As much as you know... Is it always same IP, rotating IP, always same user-agent string? Also please explain about the process of requesting an OTP.

Knowing this can help to find the right mitigation strategy for your issue.

Bonus question - do you have IP Intelligence licensed?

Daniel

Jaspreetgurm
Altocumulus
Sep 10, 2021
HI

Thanks for quick reply.

IP rotating always, looks like at attacker setup some sort of script which has more than lakh phone numbers requesting for OTP same time.

So can we mitigate such attacks.
- Daniel_Wolf
  MVP
  Sep 10, 2021
  Yes, I would setup a Bot Defense profile and I'd also enable Device ID in this profile.
  In this solution article you will find all settings for creating a Bot Defense profile explained.
  K42323285: Overview of the unified Bot Defense profile
  Additionally check out this lab guide from Agility 2021, it will give you some rough idea how to set up Bot Defense with Device ID.
  https://clouddocs.f5.com/training/community/waf/html/waf241/module1-elevated-bot/lab1/lab1.html
- Daniel_Wolf
  MVP
  Sep 12, 2021
  Hey ,
  
  could you mitigate the attack with a bot defense profile? In case you cannot share further details of the attack, you can DM me and I can try to help you.
  
  KR
  Daniel
- Jaspreetgurm
  Altocumulus
  Sep 13, 2021
  Hi Daniel,
  
  bot profiles is already configured with device ID enabled and enforcement mode is set to transparent in system.
  
  As i have verified other settings there is no brute force attack/DOS protection enabled for virtual server. The Application security policy configured with minimal protection as only few parameters are set to block or alarm. Could you please suggest which parameters should be blocked ?
  
  Also could you please let me know how to collect such flood type request in application event logs to prepare report on it.
  
  thanks

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

OTP Flood Attack mitigation

Recent Discussions

F5 - AS3 - BIGIQ / BIGIP SchemaVersion Missunderstanding

F5OS API - not able to create vlan

F5 APM - limiting access to the bandwidth for network Access

Change LB priority based on status

High CPU utilization (100%).

Related Content

HTTP Post Flood mitigation with LTM

Mitigating JSON-based SQL injection with BIG-IP ASM / Advanced WAF Attack Signatures

Mitigating OWASP Web Application Risk: SSRF Attack using F5 XC Platform

Mitigating OWASP Web Application Risk: Broken Access attacks using F5 Distributed Cloud Platform

The HTTP/2 CONTINUATION frame attack

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS