HTTP Brute Force Mitigation Playbook: Overview - Chapter 1


When we talk about Brute Force attacks, we usually tend to think about a malicious actor using a script or botnet to inject credentials into a login form in order to try to brute force their way past an authentication mechanism, but that is far from the only kind of brute force attack we see in the wild today, with attacks against API endpoints becoming increasingly common as traditional web development gives way to an API-centric, cloud-driven microservices model alongside moves to federated authentication for services like Office 365. While many of these moves are great for scalability and accessibility, they also open up an increasingly large attack surface that malicious actors are beginning to take advantage of.

In this document, we aim to show you some of the BIG-IP tools and techniques available to mitigate brute force attacks against your organisation, as well as sample configurations you can use as a basis for part of your security configuration.


In this series of articles we will show you the BIG-IP tools and techniques you can leverage to understand, classify and mitigate brute force attacks using:

  • BIG-IP AVR Analytics
  • BIG-IP LTM, iRules and Local Traffic Policies
  • BIG-IP ASM with
  • ASM Brute Force protections
  • Bot Defence Fingerprinting (TLS Fingerprinting & HTTP Fingerprinting)
  • L7DoS protections

We will cover the following kinds of Brute Force attack:

  • Attacks against traditional HTML form-based authentication pages
  • "Low and slow" attacks against form-based authentication or other form-based submissions
  • API attacks against authenticated and non-authenticated API endpoints
  • Outlook Web Access/Outlook 365 authentication brute force attacks

All configuration examples and suggested mitigation methods will be based on features available in BIG-IP 14.1 and later, and at the end of this document you will find an Appendix with example configurations summarised and presented for easy deployment.


  • Bad Actor Behaviours and Gathering Statistics using BIG-IP LTM Policies, iRules and BIG-IP AVR | Chapter 2
  • BIG-IP LTM Mitigation Options for HTTP Brute Force Attacks | Chapter 3
  • Protecting HTML Form Based Authorization using ASM | Chapter 4
  • Using the Bot Profile for Brute Force Mitigation | Chapter 5
  • Slow Brute Force Protection Using Behavioural DOS | Chapter 6
  • Appendix
Updated Apr 17, 2022
Version 2.0

Was this article helpful?

No CommentsBe the first to comment