Forum Discussion
小白
Cirrus
Cirruswhat's Device ID in asm?
我想知道设备ID是什么以及它是由什么组成的?比如时间,源ip,源端口……实体是什么?
Device ID is an ASM / AdvWAF feature. The BIG-IP uses JavaScript to create a device ID from client. The JavaScript tries to obtain various signals from the client to retrieve attributes like the browser type and version, installed updates, installed fonts, and others. The BIG-IP stores the device ID in the TSPD101 cookie.
This information can be used for example with brute force attack prevention or web scraping protection.
More information: https://support.f5.com/csp/article/K19556739
小白Cirrus
CirrusG-Rob Doesn't it have anything to do with source ip and source port?I think browser information can be forged
boneyard
MVP
MVPAs Rob says actual F5 contact is the best source.
But for your worry about forging things. Mostly everything can be forged. It is about being sure enough. There is no 100% in this.
- 小白
I called, but they didn't solve my problem.
小白 what did they tell you?
I'm not sure if maybe Lior_Rotkovitch could answer this?- Lior_Rotkovitch
SIRT
Device ID Is a java script the create a unique identifier for the device itself.
Adv WAF / ASM uses it for few powerful features:
1. Session hijacking – Act as another layer of identification above the session
The DID is regenerated every certain amount of time
https://my.f5.com/manage/s/article/K18611270
Lab https://f5-agility-labs-waf.readthedocs.io/en/latest/class5/module2/lab2/lab2.html
2. DiD for RPS anomaly
https://www.slideshare.net/liorrotkovitch/asm-bot-mitigations-v3-final-lior-rotkovitch
slide 12 illustrate the DID concept
Under DDoS profile TPS based. Device ID thresholds.
It is very useful when you have an offending source behind a NAT’d clients.
It is more accurate than IP since IP can change while the DID is persistency over IP roaming.
Thus counting RPS on DID will assist with identifying the true offending client.
