Password spray attacks through BIGIP

Question

Hello community,&nbsp;Need some help here.Our MSSP observed and notified us of successful password spray behavior from one of the self-IPs on our BIG IP resulting in the lockout of a significant number of accounts. Where's the best place to start gathering information about this incident on the BIG IP?JRahm&nbsp;Regards,&nbsp;

lucas_thompson · Answer

Some good initial actions probably are:

Determine the protocol used for the auth attempts sourced from your IP. Was it HTTP? Kerberos? RADIUS?
The most likely source for the traffic is someone accessing the internet through your BIG-IP. Does your config offer NATting for outbound arbitrary connections? If so, what is your acceptable use policies and auditing/logging policies for this service?&nbsp;
If your config does NOT offer NATing over the network, it is possible that you have an unauthorized user. The self-ips can be used to source connections from the control plane, depending on how the BIG-IP's routing is set up. Review this solution article:https://my.f5.com/manage/s/article/K11438344

&nbsp;

Forum Discussion

Password spray attacks through BIGIP

1 Reply

Recent Discussions

How to add a new DNS(gtm) to the existing network?

Failed to add new DNS machine to the existing DNS sync-group

Email Notification Sent For The Configuration Change

F5 Malicious Source IP Address Alert

F5 APM Variable Assign agent

Related Content

iRule for Brute Force Password Guessing Attacks

The HTTP/2 CONTINUATION frame attack

Password Safety & Security: Passwords vs. Passphrases

Automate scp transfers using password

ESRP Strategies: DNS Water Torture Attack