Shubham_Mishra
F5 Employee

Introduction

This article extends the previously published AI/ML detection of Malicious Users using F5 Distributed Cloud WAAP – Part I, an introductory article that highlights the configurations available for detecting and mitigating malicious user activity and includes a demonstration of detecting and mitigating malicious clients based on WAF security events.

In Part II of this series, we demonstrate a few more scenarios that give insight into the malicious user detection and mitigation feature of the F5 Distributed Cloud platform.

 

Demonstration (Using Multi Load Balancer ML Configuration)

In this demonstration, we set a threshold for failed login attempts in the app settings configuration so that any subsequent requests are marked as a malicious user event, apply mitigation rules to restrict access, and detect clients using the various user identifier types the F5 Distributed Cloud console provides.

Step 1:

Enable malicious user detection using the Multi Load Balancer ML config, as mentioned in the document.

Note: Make sure to select the ‘Multi Load Balancer Application’ option from the ‘ML Config’ drop-down while configuring the LB.

Step 2:

Add a malicious user mitigation rule to the LB.

  • In ‘Security Configuration’, set ‘Select Type of Challenge’ to ‘Policy Based Challenge’ and click Configure. Set the malicious user mitigation settings to ‘Custom’. If the rule already exists, select it, apply it, and Save & Exit; otherwise click 'Create new Malicious User Mitigation', add a name, set the threat levels and their associated actions, then click Continue, Apply, and Save & Exit. (Note: You can also use the 'Default' malicious user mitigation settings, which come with predefined mitigation rules and are the recommended setting.)

Step 3:

Go to Home->WAAP->Manage->AI&ML->App Settings and click ‘Add app setting’.

Step 4:

Enter a name and go to the ‘AppType’ Settings section. Click ‘Add item’.

Step 5:

Click the ‘Select App Type’ drop-down and select the app type that was configured in the LB in Step 1.

Step 6:

Click ‘Configure’ for the ‘User Behavior Analysis Setting’ and tune the settings to your needs. For this demonstration we set the threshold for Failed Login Activity to 5.

Step 7:

Apply and add the configurations, then click ‘Save and Exit’ to create the app settings object.

Note: Identifying users uniquely on the Internet is critical because the platform builds its picture of each user by learning from the activities they perform on the application.

Step 8:

Go to Home->WAAP->Manage->Shared Objects->User Identifications and click ‘Add User Identification’.

  • Add a name, click ‘Configure’ on ‘User Identification Rules’, then click ‘Add Item’.

  • Set and apply the user identifier type, then add the created user identification policy to the LB.

Step 9:

Generate more failed login requests than the configured threshold in your application; each failed login should return response code 401.

Available User Identifier Types 

By default, the user identifier type is set to ‘Client IP Address’, and the previous article already covered the IP address as a client identifier. In this demo we set the other available options: follow the steps above to generate failed login events and verify that users are detected according to the configured user identification policy.

Below are the user identifier types we configured as identification rules, each verified in the UI dashboards showing the results of the associated configuration:

  • Query Parameter Key

  • HTTP Header Name

  • Cookie Name

  • Client Autonomous System

  • TLS Fingerprint

  • Client IP and HTTP Header Name

  • Client IP and TLS Fingerprint
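To make the identification rules above concrete, here is an added Python model written for this article. It is not F5 code and does not claim to be how the platform implements its detection internally; it models the two pieces the demonstration configures, a user identification rule that derives a user key from each request, and the Failed Login Activity threshold of 5 from Step 6. The rule names mirror the console's identifier types, while the request fields, the header name X-User-Id, the JA3-style fingerprint strings and the traffic are all constructed for the example. It shows why the identifier choice matters: two users behind one NAT address are indistinguishable under ‘Client IP Address’, so a well-behaved user is flagged together with the abusive one, while a header-based or combined key isolates only the abusive user.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Threshold from Step 6 of the demonstration: more than this many failed
# logins under one user key marks that user as malicious.
FAILED_LOGIN_THRESHOLD = 5


@dataclass
class Request:
    """Request attributes a user identification rule can look at (constructed model)."""
    client_ip: str
    asn: int
    tls_fingerprint: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    query: Dict[str, str] = field(default_factory=dict)
    status: int = 200  # HTTP status the application returned; 401 = failed login


def user_identifier(req: Request, rule: str, name: Optional[str] = None) -> Optional[str]:
    """Derive the user key for one request under a user identifier type.

    Rule names mirror the console's options; how each key is formed here is an
    assumption of this model. None means the request cannot be attributed
    (for example the configured header or cookie is absent).
    """
    if rule == "Client IP Address":
        return req.client_ip
    if rule == "Query Parameter Key":
        return req.query.get(name)
    if rule == "HTTP Header Name":
        return req.headers.get(name)
    if rule == "Cookie Name":
        return req.cookies.get(name)
    if rule == "Client Autonomous System":
        return str(req.asn)
    if rule == "TLS Fingerprint":
        return req.tls_fingerprint
    if rule == "Client IP and HTTP Header Name":
        value = req.headers.get(name)
        return f"{req.client_ip}|{value}" if value is not None else None
    if rule == "Client IP and TLS Fingerprint":
        return f"{req.client_ip}|{req.tls_fingerprint}"
    raise ValueError(f"unknown user identifier type: {rule}")


def detect_malicious_users(requests: List[Request], rule: str, name: Optional[str] = None,
                           threshold: int = FAILED_LOGIN_THRESHOLD) -> Dict[str, int]:
    """Count failed logins per user key and return the keys that exceed the threshold."""
    failed: Dict[str, int] = defaultdict(int)
    for req in requests:
        key = user_identifier(req, rule, name)
        if key is None:
            continue  # unattributable request: counted against nobody in this model
        if req.status == 401:
            failed[key] += 1
    return {key: n for key, n in failed.items() if n > threshold}


def sample_traffic() -> List[Request]:
    """Constructed traffic: two users behind one NAT address plus one other client."""
    nat_ip, nat_asn = "203.0.113.10", 64496
    alice = dict(client_ip=nat_ip, asn=nat_asn, tls_fingerprint="ja3-aaaa",
                 headers={"X-User-Id": "alice"})
    mallory = dict(client_ip=nat_ip, asn=nat_asn, tls_fingerprint="ja3-bbbb",
                   headers={"X-User-Id": "mallory"})
    other = dict(client_ip="198.51.100.7", asn=64497, tls_fingerprint="ja3-cccc")
    traffic: List[Request] = []
    traffic += [Request(**alice, status=401) for _ in range(2)]    # alice mistypes twice
    traffic.append(Request(**alice, status=200))                   # then logs in
    traffic += [Request(**mallory, status=401) for _ in range(7)]  # mallory: 7 failures
    traffic.append(Request(**other, status=401))                   # one failure, no header
    return traffic


if __name__ == "__main__":
    traffic = sample_traffic()
    for rule, name in [("Client IP Address", None),
                       ("HTTP Header Name", "X-User-Id"),
                       ("Client IP and HTTP Header Name", "X-User-Id"),
                       ("Client Autonomous System", None),
                       ("TLS Fingerprint", None)]:
        print(f"{rule:32} -> {detect_malicious_users(traffic, rule, name)}")
```

Run as a script, it prints the flagged keys for five rules. Under ‘Client IP Address’ the NAT address is flagged with nine failures, so alice, who only mistyped her password twice, is treated the same as mallory; ‘HTTP Header Name’ on X-User-Id flags only mallory, and the combined ‘Client IP and HTTP Header Name’ flags 203.0.113.10|mallory. The request without the header is dropped under the header rule, which is a design decision to make deliberately in a real deployment: a header or cookie is client-supplied, so a policy keyed only on it should be paired with a check on what happens to requests that omit or vary it.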

 

Conclusion

In this article, we demonstrated how simple it is to configure your LB to respond to authentication attacks: detecting them using various client identification types and mitigating them at the same time, with a very low risk of false positives.

 

For further information or to get started

  • F5 Distributed Cloud Platform (Link)
  • F5 Distributed Cloud WAAP Services (Link)
Last update: 23-Jun-2022 09:17