For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

iRule for Brute Force Password Guessing Attacks

Problem this snippet solves:

Here I'm introducing an iRule for use as Brute Force Password Guessing Protection.


If you are running on 12.1.x you could solve this kind of attacks using ASM

https://support.f5.com/csp/article/K54335130


But this release it's also affected for one bug that could lead in some unwanted behavior.


The idea beneath this iRule is to workaround this bug and give a solution for those users that still run an ASM module on 12.1.x.


How to use this snippet:

This iRule requires a Data-Group to reference all the login pages in your infrastructure.


ltm data-group internal LOGIN_URI_DG {
    records {
        /app1/login { }
        /app2/login { }
    }
    type string
}


In the STREAM expression you should identify how a login failure attempt is represented in your HTTP response. In my case, all login failures are represented by one JSON structure with the word "ACCESS_FAIL" in some of their fields.


STREAM::expression {=ACCESS_FAIL=}


You should also customize these global variables.


set static::maxtry 5     ; # Maximum failed login attempts
set static::time 900     ; # Time window for failed login attempts evaluation [seconds]
set static::bantime 3600 ; # How long the user is banned [seconds]


Code :

when RULE_INIT {
    # Variable Definition
	set static::maxtry 5          ; # Maximum failed login attempts
	set static::time 900         ; # Time window for failed login attempts evaluation [seconds]
	set static::bantime 3600 ; # How long the user is banned [seconds]
}

when CLIENT_ACCEPTED priority 100 {
    # Get client IP
	set source_ip [IP::remote_addr]
	# Reject user if exists in blacklist 
	if { [table lookup -subtable "blacklist" $source_ip] != "" } {
		reject
	}
}

when HTTP_REQUEST priority 100 {
    event HTTP_RESPONSE enable
	event STREAM_MATCHED enable
	STREAM::disable
	set login_access 0
	# Enable login access flag
	if { [class match [string tolower [HTTP::uri] ] contains LOGIN_URI_DG ] } {
		set login_access 1
	}
}

when HTTP_RESPONSE priority 100 {
    if { $login_access } {
        # Configure stream expression when response is JSON
    	if {[HTTP::header value Content-Type] starts_with "application/json"} {
    		STREAM::expression {=ACCESS_FAIL=}
    		STREAM::enable
    	}
		event HTTP_RESPONSE disable
    }
}

when STREAM_MATCHED priority 100 {
    if { $login_access } {
        # Increase variable of login attempts
    	set key "attempts:$source_ip"
    	table add $key 0 indefinite $static::time
    	set count [table incr $key]
        # If maximum login attempts value is exceeded, then include user in blacklist
    	if { $count >= $static::maxtry } {
    		table add -subtable "blacklist" $source_ip "blocked" indefinite $static::bantime
    		table delete $key
    		log local1. "User Rejected: $source_ip"
    	}
		event STREAM_MATCHED disable
    }
}

Tested this on version:

12.1
Published Feb 07, 2020
Version 1.0
application delivery
ASM Advanced WAF
iRules

1 Comment