Shubham_Mishra
F5 Employee

Introduction 

As people embraced the Internet as a part of their daily lives, businesses all over the world discovered an easier way to reach a large customer base that is not restricted by geographical boundaries. 

While that is important, it has also provided an open platform for malicious users to look for potential security loopholes in order to break into the system and cause severe damage. 

As a result, safeguarding business applications from such malicious user events is extremely critical. 

F5 Distributed Cloud WAAP (Web Application and API Security) offers an AI/ML-based solution for monitoring such security events as well as the means to mitigate them. 

In this article, we will demonstrate a few sample test scenarios in which we will generate malicious user events and monitor them to confirm that those events are being detected by F5 Distributed Cloud’s WAAP AI/ML solution. 


Configuration 

There are two ways to enable malicious user detection on F5 Distributed Cloud WAAP, depending on whether the application being protected is exposed through a single Load Balancer or through multiple Load Balancers:

  1. Using Single Load Balancer ML configuration, appropriate for applications exposed on a single Load Balancer.
  2. Using Multi Load Balancer ML configuration, appropriate in scenarios where services belonging to the same Application are exposed on different Load Balancers. The AI/ML engine will correlate the events on all Load Balancers belonging to a single Application to enhance its insights.

Using Single Load Balancer ML configuration: 

In this mechanism, detection is enabled as part of the Load Balancer configuration and its insights are scoped to the Load Balancer on which it is configured. 

Using Multi Load Balancer ML configuration: 

In this mechanism, detection is enabled as part of the app type configuration and its insights are derived from all the LBs configured with the same app type label. 

In both approaches, detection depends on the ML configuration derived from the app settings object. The difference is that with the Single Load Balancer ML config the values are not configurable and are set to defaults, whereas with the Multi Load Balancer ML config the values can be tuned as needed.

Follow the documentation for step-by-step configuration instructions.


Demonstration

Below are a few sample test scenarios. (Note: the ML configuration for each scenario was chosen for demo purposes; similar results can be achieved by enabling detection in either of the two ways mentioned above.)

At the time of testing, the software version was crt-20220412-1546.

Malicious user detection using Single Load Balancer ML config

Scenario 1: Forbidden Access Attempts

Step 1: Enable malicious user detection using Single Load Balancer ML config as mentioned in the document.

Step 2: Create a service policy that denies access based on a LOW ‘ip-trustscore’ (i.e., a high-risk IP) and add it to the Load Balancer.

  • From the Console homepage, click Web App & API Protection.
  • Click Manage -> Service Policies -> Service Policies.
  • Click Add service policy and name it. In the Rules section, from the Select Policy Rules menu, select Custom Rule List.


  • Click Configure & Add Item.
  • In the Name field, enter a name for this new rule. In the Rule Specification field, click Configure.
  • Set Action to ‘Deny’. In the Clients section, select Group of Clients by Label Selector from the Client Selection menu.
  • From the Selector Expression menu, click Add label.
  • Select the reputation.ves.io/ip-trustscore label selector.
  • Select the IN operator.
  • Select from the three options available (to block IP addresses that pose the highest risk, select LOW), then click Add rule.


  • Create a default rule to allow all other IP addresses.


  • From the Console homepage, go to Load Balancers->Manage->Load Balancers->HTTP Load Balancers, select Manage Configuration as the Action for your LB and click Edit Configuration.


  • Go to Security Configuration. Under Service Policies, select ‘Apply Specified Service Policies’ from the drop-down.
  • Click Configure, add the service policy created above, then Apply, Save & Exit.


Step 3: Generate 20+ requests in a minute (press the refresh button in the browser) from the Tor browser (Tor, short for The Onion Router, is free and open-source software for enabling anonymous communication).

Step 4: Monitor the Security and Malicious User events (go to WAAP->Apps & APIs->Security and select your LB).


Scenario 2: WAF Security Event

Step 1: Enable malicious user detection using Single Load Balancer ML config as mentioned in the document.

Step 2: Create an app firewall rule and add it to the Load Balancer.

  • Go to WAAP->Manage->App Firewall and click Add App Firewall.


  • Add a name, customize the fields as needed, then Save & Exit.


  • Go to Load Balancers->Manage->Load Balancers->HTTP Load Balancers, select Manage Configuration as the Action for your LB and click Edit Configuration (for screenshots, refer to Scenario 1 above).
  • Go to Security Configuration. Under Select Web Application Firewall (WAF) Config, select App Firewall, add the firewall rule created above, then Save & Exit.


Step 3: Generate an XSS attack (20+ requests in a minute), e.g., https://<domain>?a=<script>

Step 4: Monitor the Security and Malicious User events (go to WAAP->Apps & APIs->Security and select your LB).


Malicious user detection using Multi Load Balancer ML configuration

Scenario 1: Failed Login Attempts

Step 1: Enable malicious user detection using Multi Load Balancer ML config as mentioned in the document.

Step 2: In the app settings object configuration, include the Failed Login Activity choice and set the login failure threshold value to 5, then Apply, Save & Exit.


Step 3: Make more than 5 failed login attempts against your application; each attempt should return response code 401.

Step 4: Monitor the Security and Malicious User events (go to WAAP->Apps & APIs->Security and select your LB).


Scenario 2: IP Reputation (Detecting activities from High-Risk IPs)

Step 1: Enable malicious user detection using Multi Load Balancer ML config as mentioned in the document.

Step 2: In the app settings object configuration, include the IP Reputation choice, then Apply, Save & Exit.


Step 3: Generate 20+ requests in a minute (press the refresh button in the browser) from the Tor browser.

Step 4: Monitor the Security and Malicious User events (go to WAAP->Apps & APIs->Security and select your LB).

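To make the difference between the two scopes concrete, here is an added illustration (not F5 code, and not the engine's real model, which is not public) that correlates constructed security events per client across Load Balancers sharing an app-type label, using the thresholds from the scenarios above (login failure threshold 5, 20+ requests in a minute from a LOW ip-trustscore IP). The LB names, app label, sample IPs and the sliding-window rule are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
# Minimum hits inside one window before a client is flagged. Hypothetical values that
# mirror the demo: login failure threshold 5 (so the 6th attempt trips it) and 20+
# requests from a LOW ip-trustscore address. The real engine's scoring is not public.
MIN_HITS = {"login_failure": 6, "high_risk_ip": 20}


def _t(sec):
    """Constructed ISO timestamp `sec` seconds after 10:00:00 on the demo date."""
    return f"2022-04-26T10:{sec // 60:02d}:{sec % 60:02d}"


# Constructed sample events: (timestamp, load balancer, app-type label, client IP, kind).
# Two LBs carry the same app-type label, as in the Multi Load Balancer configuration.
EVENTS = (
    # client A: 3 failed logins on each LB within 20 seconds, i.e. 6 across the app
    [(_t(i), "lb-web", "shop-app", "198.51.100.5", "login_failure") for i in range(3)]
    + [(_t(10 + i), "lb-api", "shop-app", "198.51.100.5", "login_failure") for i in range(3)]
    # client B: 6 failed logins, but spread one minute apart on a single LB
    + [(_t(60 * i), "lb-web", "shop-app", "198.51.100.9", "login_failure") for i in range(6)]
    # client C: 20 requests in under a minute from a LOW ip-trustscore address
    + [(_t(2 * i), "lb-web", "shop-app", "203.0.113.7", "high_risk_ip") for i in range(20)]
)


def flag_malicious(events, scope="app_type"):
    """Return {(scope_key, client): kind} for clients that reach MIN_HITS inside any
    60-second sliding window. scope="app_type" correlates every LB that shares the
    label (Multi LB config); scope="lb" judges each LB on its own (Single LB config)."""
    buckets = defaultdict(list)
    for ts, lb, app, client, kind in events:
        key = app if scope == "app_type" else lb
        buckets[(key, client, kind)].append(datetime.fromisoformat(ts))
    flagged = {}
    for (key, client, kind), times in buckets.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:  # drop events older than the window
                start += 1
            if end - start + 1 >= MIN_HITS[kind]:
                flagged[(key, client)] = kind
                break
    return flagged


if __name__ == "__main__":
    print("multi-LB scope :", flag_malicious(EVENTS, "app_type"))
    print("single-LB scope:", flag_malicious(EVENTS, "lb"))
```

Client A is only flagged when the two LBs are correlated under the app-type label, while client B is never flagged because its failures never fall inside one window.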


Conclusion

As the demonstration shows, the AI/ML solution offered by F5 Distributed Cloud WAAP for monitoring malicious user activity detects such events successfully. By enabling and configuring the malicious user detection feature according to your needs, you can detect these events and carry out mitigation steps that considerably improve the security of the protected applications.

For further information or to get started: 

  • F5 Distributed Cloud Platform (Link) 
  • F5 Distributed Cloud WAAP Services (Link) 
Last update: 12-May-2022 08:22