Olayinka-F5LB
Jul 23, 2024 (Altocumulus)
Password spray attacks through BIG-IP
Hello community,
Need some help here.
Our MSSP observed and notified us of successful password spray behavior from one of the self-IPs on our BIG-IP, resulting in the lockout of a significant number of accounts. Where's the best place to start gathering information about this incident on the BIG-IP?
Regards,
- Lucas_Thompson (Employee)
Some good initial actions probably are:
- Determine the protocol used for the auth attempts sourced from your IP. Was it HTTP? Kerberos? RADIUS?
- The most likely source for the traffic is someone accessing the internet through your BIG-IP. Does your config offer NATing for outbound arbitrary connections? If so, what are your acceptable use policies and auditing/logging policies for this service?
- If your config does NOT offer NATing over the network, it is possible that you have an unauthorized user. The self-IPs can be used to source connections from the control plane, depending on how the BIG-IP's routing is set up. Review this solution article:
https://my.f5.com/manage/s/article/K11438344
Olayinka-F5LB - Please select Mark As Solution if this is resolved. That helps others locate the good stuff faster.
Thanks!
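An added example, not part of the thread and not F5 tooling: one way to carry out the first step suggested above, breaking down failed logons sourced from the self-IP by protocol and marking which ones look like a spray (many accounts, few guesses each). The CSV column names, the thresholds, the placeholder self-IP `192.0.2.10` and all sample events are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

SELF_IP = "192.0.2.10"  # placeholder for the reported self-IP (documentation range)

def build_sample():
    """Constructed auth events, shaped like a SIEM or directory export (assumed columns)."""
    rows = ["time,src_ip,protocol,username,result"]
    users = ["alice", "bob", "carol", "dave", "erin", "frank"]
    for rnd in range(2):  # two guesses per account: spray-like
        for i, user in enumerate(users):
            rows.append(f"2024-07-22T10:{rnd:02d}:{i:02d},{SELF_IP},kerberos,{user},fail")
    for i in range(4):  # one account failing repeatedly: not a spray
        rows.append(f"2024-07-22T11:00:{i:02d},{SELF_IP},http,svc-backup,fail")
    rows.append("2024-07-22T11:05:00,198.51.100.7,kerberos,alice,fail")  # other source
    rows.append(f"2024-07-22T11:06:00,{SELF_IP},kerberos,alice,success")  # not a failure
    return "\n".join(rows) + "\n"

def summarize_source(events_csv, src_ip, min_users=5, max_avg=3.0):
    """Per-protocol summary of failed logons from src_ip, with a spray heuristic."""
    fails = defaultdict(lambda: defaultdict(int))  # protocol -> username -> failures
    times = defaultdict(list)                      # protocol -> timestamps
    for row in csv.DictReader(io.StringIO(events_csv)):
        if row["src_ip"] != src_ip or row["result"] != "fail":
            continue
        fails[row["protocol"]][row["username"]] += 1
        times[row["protocol"]].append(row["time"])
    summary = {}
    for proto, users in fails.items():
        total = sum(users.values())
        avg = total / len(users)
        summary[proto] = {
            "failures": total,
            "distinct_users": len(users),
            "avg_per_user": round(avg, 2),
            # ISO-8601 strings sort chronologically; this window is what to
            # look up in the BIG-IP's own connection and audit logs.
            "first_seen": min(times[proto]),
            "last_seen": max(times[proto]),
            "spray_like": len(users) >= min_users and avg <= max_avg,
        }
    return summary

if __name__ == "__main__":
    for proto, stats in summarize_source(build_sample(), SELF_IP).items():
        print(proto, stats)
```

The protocol and time window it reports narrow down which BIG-IP logs to review for the connections that carried those attempts.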