Forum Discussion
Raise ASM violation based on return JSON element value
I have a strange requirement to be able to shun (block connections from a source IP) for a fixed time period based on the number of times a certain value is returned to a JSON request (a return value against a parameter in the JSON response). I have been trying to do this by triggering an ASM violation for this pattern but it's proving tricky.
The sample message for example would be:
http://rest.mydomain.com/mobileapp/mobile?action=DoSomething&Serial=111111111&typeid==1&RequestType=1111111
Response may be (this isn't well formed, it's just to illustrate the concept):
jsonCallbackData({"response":{"resultCode":"1112","resultType":"1111111"}}};
The logic I am trying to embed, for example, is something like: should a source IP have a resultCode of 666 returned more than 10 times in 5 minutes, raise a security violation (and block for a set period of time).
I have tried a variety of ideas. Has anyone tackled a similar problem?
Thanks for your help
2 Replies
- ltwagnon (Ret. Employee)
I haven't tackled a similar problem, but you could try attacking this one with an iRule. A while back, Jason Rahm created an iRule that does something similar to the idea that you are describing. Granted, Jason's iRule was targeted at defeating an SSL Renegotiation attack, but the logic is very similar.
if client attempts renegotiation more than 5 times in one minute, silently drop the connection
Here's a link to an article that outlines the iRule and logic behind it: https://devcentral.f5.com/articles/ssl-renegotiation-dos-attack-ndash-an-irule-countermeasure.U2lNxCjmqZc
I'm thinking you could do something similar.
if IP address returns resultCode "666" > 10 times in 5 minutes, block the IP for x minutes
We could help with iRule syntax if you wanted to go this route.
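A sketch of the iRule logic suggested in this reply, added here as an example; it is not code from the thread or from the linked article. The 10-minute block period, the 1 MB inspection limit and the subtable names are assumptions, and the match expects the exact `"resultCode":"666"` format from the question.

```tcl
when RULE_INIT {
    set static::bad_code   "666"  ;# resultCode value to count (from the question)
    set static::max_hits   10     ;# more than this many hits ...
    set static::window     300    ;# ... within 5 minutes triggers a block
    set static::block_time 600    ;# assumed value for "x minutes" (10 minutes)
}

when HTTP_REQUEST {
    set client_ip [IP::client_addr]
    # Silently drop requests from an address that is currently blocked
    if { [table lookup -notouch -subtable "shunned" $client_ip] ne "" } {
        drop
        return
    }
}

when HTTP_RESPONSE {
    # Buffer the body so it can be inspected; chunked responses (no
    # Content-Length) and bodies over the assumed 1 MB limit are skipped
    if { [HTTP::header exists "Content-Length"] } {
        set len [HTTP::header value "Content-Length"]
        if { $len > 0 && $len <= 1048576 } {
            HTTP::collect $len
        }
    }
}

when HTTP_RESPONSE_DATA {
    # Exact-substring match on the format shown in the question (no whitespace)
    if { [HTTP::payload] contains "\"resultCode\":\"${static::bad_code}\"" } {
        # One subtable entry per hit; each entry expires after the window,
        # so the key count is the number of hits in the last 5 minutes
        set hits "hits_$client_ip"
        table set -subtable $hits [clock clicks] 1 indef $static::window
        if { [table keys -count -subtable $hits] > $static::max_hits } {
            # Threshold exceeded: block the address and reset its counter
            table set -subtable "shunned" $client_ip 1 indef $static::block_time
            table delete -subtable $hits -all
        }
    }
}
```

Counting by source IP also counts every client behind a shared NAT address as one, so the threshold and block period should be tuned with that in mind.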
- Arnaud_Lemaire (Employee)
Late on this one, but you could also try:
- creating a new ASM violation + signature matching your use case
- use ASM built-in session tracking/delay blocking
The last one allows you to block a user for X minutes if he reaches Y amount of violations that you can specify.