Proactive Bot Defense Using BIG-IP ASM
Hello everybody,
I have an issue here with a mobile app. I set a DoS profile with Proactive Bot Defense activated on a virtual server. Within this virtual server we have a webpage with several URLs that map to different real servers; this mapping is done by an Apache web server (this logic will be done by an iRule as soon as we fix this issue). There is a URL, /appexampleservices, that contains the application for the mobile app (I mean the app from the Play Store); the app is designed to request its content from this URL: https://customer.com/appexampleservices. Sometimes the app stops answering. When it happens, I check the analytics profile for the HTTP responses, and the URL answers a 307. This commonly happens every Monday (I think maybe it happens because over the weekend the number of TPS and the traffic decrease considerably). I did something to test while the issue was happening.
1.- To isolate the traffic for this specific URL I wrote a little iRule to send all traffic for this URL directly to the real servers, bypassing the pool of Apache web servers:
    when HTTP_REQUEST {
        # APPSERVICESURLCLASS is a data group holding the URI prefix(es) to isolate
        if { [class match [HTTP::uri] starts_with "APPSERVICESURLCLASS"] } {
            # Log the matching request and route it to the application pool
            log "Request: [HTTP::uri] from [IP::client_addr]"
            pool POOL-APPSERVICES
        }
    }
2.- In a Firefox browser on my desktop computer, connected to the internet by WiFi, I requested the URL https://customer.com/appexampleservices. Then I checked the statistics of POOL-APPSERVICES: the connection was successful and I saw traffic in the pool.
3.- Then I tried to access it with the Android app on my smartphone connected to the same WiFi (same source IP address as the desktop); the request to https://customer.com/appexampleservices is done by default in the app. But this time the request was not successful. I reviewed the statistics in POOL-APPSERVICES, and this time my connection from the app didn't appear; I didn't see any traffic. Although I saw my connection in the logs (from the log statement "Request: [HTTP::uri] from [IP::client_addr]"), it never reached the pool.
Then the customer decided to disable the DoS profile and the ASM policy, and it worked pretty well. In fact, before this test I used to think that the 307 response came from the real server. Then I added the URL /appexampleservices to the URL whitelist, activated the DoS profile again, and it worked fine... until today, when it broke again and sent that awful 307 response code to the app. The customer asked me to disable all security features on the BIG-IP. My question is: how can I safely bypass PBD exclusively for this URL, since all the other URLs work fine? Plus, as I said, this issue happens every Monday, maybe because the traffic increases by more than 800% after the weekend's inactivity. Is there a way to deal with this?? I would appreciate your help, guys. Thanks a lot!!!
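As an added example (not code from the original post), the URI-prefix routing from step 1 generalized to a data group that maps each prefix to its pool, so the Apache routing mentioned above can be replaced in one iRule; it assumes a string data group named APPROUTES whose keys are URI prefixes and whose values are pool names (e.g. "/appexampleservices" := "POOL-APPSERVICES"), and that the virtual server's default pool is the Apache pool.

```tcl
# Added example, not from the original post.
# Assumed data group APPROUTES (type string), entries like:
#   "/appexampleservices" := "POOL-APPSERVICES"
# Unmatched URIs fall through to the virtual server's default (Apache) pool.
when HTTP_REQUEST {
    # Normalize case so "/AppExampleServices" still matches the key
    set uri [string tolower [HTTP::uri]]

    # class match -value returns the value (pool name) of the first key that is
    # a prefix of the URI, or an empty string when nothing matches
    set target [class match -value $uri starts_with APPROUTES]

    if { $target ne "" } {
        # Keep the same request log line as the original iRule, plus the chosen pool
        log local0. "Request: [HTTP::uri] from [IP::client_addr] -> pool $target"
        pool $target
    } else {
        # No explicit route: leave the request on the default pool and record it,
        # so requests that never reach a pool can be told apart in the logs
        log local0. "Request: [HTTP::uri] from [IP::client_addr] -> default pool"
    }
}
```

Comparing these log lines with the pool statistics (as done in steps 2 and 3) shows whether a request was routed by the iRule and then dropped before the pool, or never matched a route at all.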