Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

HTTP Brute Force Mitigation Playbook: Slow Brute Force Protection Using Behavioural DOS - Chapter 6

Dharminder
F5 SIRT
F5 SIRT

on ‎24-Apr-2020 10:30

Brute Force attack is where attacker tries to find the password of users quickly, there are times when attacker is not in hurry and do make his attack go under the radar, using very slow brute force attack. It can not be detected by detection criteria of Brute force protection feature of Advanced WAF/ASM reason being if you try to tweak the setting to catch slow brute force attack then its very hard for ASM/Advance WAF to distinguish between attack and legitimate user login atttempt. We may use other protection available in ASM/Advance WAF to protect from Slow brute force attack.

In this chapter to protect from Slow brute force attack we will use TLS signature generated by behavioural DOS.

But first: Benefits, Limitation and Requirement.

Benefits

  • Benefit of using TLS fingerprint: Good and bad Clients can be differentiated based on SSL handshake.
  • Once the Advance WAF/ASM is 100% confident user does not have to do anything to find out unusual/attack traffic pattern.
  • This can be also used to protect mobile application as it does not use Javascript.

Limitations

  • To get TLS fingerprinting signature using BADOS legitimate traffic should be learned by Advanced WAF/ASM
  • On ASM, Behavioural DOS can be configured on max 2 virtual servers, where as on Advanced WAF, Although there is no license limitation of attaching DOS profile with BADOS enable to Virtual server but it is not recommended to configure more then 70 BADOS enabled Virtual server per box.

Requirements

  • ASM/Advanced WAF license.
  • Appropriate rights to access/make changes from GUI and command line.
  • Some of the reporting is available only if AFM is provisioned in addition to the above mentioned modules. (If AFM is not provisioned you can still find the information using CLI)

Proactiveness

As a general rule, instead of waiting for attack and then take necessary action, We should always be proactive in defending attack.

Preparation for mitigating slow Brute force attack.

Slow brute force is very hard to detect, So most important thing to protect application from slow brute force attack is Advanced WAF/ASM should know the normal traffic.

For that we can use Behavioral & Stress-based (D)DoS Detection option under DoS Protection profile of Advance WAF/ASM.

For Configuring DoS Protection profile, to protect against slow brute force attack using TLS fingerprinting follow the below mentioned steps.

Important: For BIG-IP ASM/Advance WAF 14.1.0, you can access the TLS fingerprinting signatures configuration section only when you had previously selected Use Legacy Application Dos view in the HTTP Properties configuration pop-up.

  1. Go to Security  ›› DOS Protection ›› Protection Profiles ››  click create.
  2. Enter the profile name as per your requirement, select the family as HTTP and press Commit Changes to System
  3. Click on newly shown HTTP and then click configure settings for HTTP Family settings.
  4. Next click on Use Legacy Application DOS View
  5. Go to Behavioral and stress-based detection under Application security.
  6. Change operation mode to blocking and Threshold mode to automatic.
  7. Under Behavioral Detection and Mitigation enable Request signature detection along with TLS fingerprinting signatures and Use approved signatures only (In case you don’t want to use unapproved signature).
  8. Leave all the settings unchanged and click save and finished. (Make Sure Bad actors behavior detection is unchecked as we want to use TLS signature)
  9. Select Mitigation to Standard or as per requirement from available options and then Click save
  10. Next apply the newly created dos profile to the appropriate https virtual server.
  11. Go to Local Traffic > Virtual Servers.
  12. Select the name of the HTTPS virtual server.
  13. Go to Security tab and select Policies.
  14. For DoS Protection Profile, select Enabled.
  15. For Profile, select the DoS profile created in above steps.
  16. Select the Update button.
  17. Let the normal traffic pass through the VS. This will allow ASM to learn the traffic.

How do we know ASM is ready and is 100% confident about the normal traffic?

  1. Login to cli of BIGIP
  2. Run command “admd -s vs./Common/<VSname>+/Common/<DOSprofilename.info.learning>”

For example admd -s vs./Common/BF-PHP+/Common/ASM-TLS-Fingerprinting.info.learning

  1. You will see output as similar to the one mentioned below.

  vs./Common/BF-Test+/Common/Brute-Force-test.info.learning:[0, 0, 0, 0]

  1. Once the traffic starts passing through vs these values will increase. Each value has its own meaning as described below.

A. baseline_learning_confidence:

  • Description: in % how confident the system is in the baseline learning.
  • Desired Value: > 90%

B. learned_bins_count:

  • Description: number of learned bins
  • Desired Value: > 0

C. good_table_size:

  • Description: number of learned requests
  • Desired Value: > 2000

D. good_table_confidence:

  • Description: how confident, as %, the system is in the good table
  • Desired Value: Must be 100 for signatures

You may run the command again if the Behavioral DoS is still learning Still learning

admd -s vs./Common/BF-PHP+/Common/ASM-TLS-Fingerprinting.info.learning

0151T000003lleCQAQ.png

Behavioural DOS feature is based on learning analysing all traffic to the web application, building baselines, and then identifying anomalies when server stress is detected. So its important to know when server is stress and how to check the server street level.

To find out the stress level Go to Security  ››  DoS Protection ››  Protected Objects (This option is only available if you have AFM Provisioned)

Find out the VS for which you would like to check the status and Click the arrow below Attack status. Once you click you will detailed informed is displayed on the screen, which includes Server Stress

0151T000003lleWQAQ.png

To check the Server stress using CLI you may run below mentioned command.

admd -s vs./Common/<VSname>+/Common/<DOSprofilename.sig.health>

Server Stress value Range:

  • If there is no traffic server value is 0.5
  • If server functions properly value is between (0,1)
  • Value higher then 1 is considered as load and mitigation may be applied

for example

admd -s vs./Common/BF-PHP+/Common/ASM-TLS-Fingerprinting.sig.health

0151T000003llelQAA.png

Once the output of below command shows appropriate values (as mentioned above) which tells ASM is confident, ASM is ready to differentiate between normal and attack traffic.

Below output shows ASM is 100% confident

admd -s vs./Common/BF-PHP+/Common/ASM-TLS-Fingerprinting.info.learning

0151T000003llevQAA.png

Slow brute Force attack has been reported

To check the status of attack and Server stress level. Go to Security  ››  DoS Protection ›› Protected Objects  (This option is only available if you have AFM Provisioned)

Find out the VS for which you would like to check the status and Click the arrow below Attack status.

Once you click you will see detailed informed is displayed on the screen.

For example as show below Server Stress is 100 now.

0151T000003lleXQAQ.png

If AFM is not provisioned you may run below mentioned command to check if the server is under stress.

admd -s vs./Common/<VSname>+/Common/<DOSprofilename.sig.health>

Server Stress value Range:

  • If there is no traffic server value is 0.5
  • If server functions properly value is between (0,1)
  • Value higher then 1 is considered as load and mitigation may be applied

For example

admd -s vs./Common/BF-PHP+/Common/ASM-TLS-Fingerprinting.sig.health

0151T000003lleYQAQ.png

You may continue to monitor the output using command line or GUI to find out if attack has started.

To check if attack has started you may check using command line. If the value is 0,0 then there is no attack if the value is 1 VS is under attack

admd -s vs./Common/<VSname>+/Common/<DOSprofilename.info>

for example:

admd -s vs./Common/BF-PHP+/Common/ASM-TLS-Fingerprinting.info

0151T000003llemQAA.png

Using the GUI Go to Security  ››  DoS Protection : Protected Objects

Note: (To get this view AFM should be provisioned )

0151T000003llfAQAQ.png

If you continue to monitor you may notice that BADOs has started generating signature. But accuracy in start will not be 100% and it may take some time to become 100% accurate.

Using CLI

admd -s vs./Common/BF-PHP+/Common/ASM-TLS-Fingerprinting.info

0151T000003lleDQAQ.png

Using GUI Security  ››  DoS Protection ›› Protected Objects (This option is only available if you have AFM Provisioned)

If the Dynamic Signature status is unready the signature is not ready and does not have 100% accuracy.

Note: (To get this view AFM should be provisioned, If AFM is not provisioned you may continue monitor using CLI )

0151T000003llfFQAQ.png

Once signature is ready Dynamic signature status will change as shown below.

Note: (To get this view AFM should be provisioned, If AFM is not provisioned you may continue monitor using CLI )

0151T000003llfGQAQ.png

Once the signature’s accuracy is 100%, It will be available under Security  ››  DoS Protection : Signatures >> Dynamic. As shown below.

0151T000003llfPQAQ.png

You may notice in above screenshot that Accuracy of signature is 100% where as approval status is Unapproved, If you want to use only approved signature (which we have used in this case) you need to click the check box infront of the signature, as soon as you will enable check box a window on right side will pop up and you may enable check box in-front of Approved and then press update to manually approve the signature.

Note: User approved signatures only under Behavioral & Stress-based (D)DoS Detection in the DOS profile should be enable.

Once you approve the signature, Signature approval state will change to manually approved as shown below

0151T000003llfQQAQ.png

You may also check DOS logs by checking Security  ››  Event Logs ›› DoS ›› Application Events

0151T000003lleEQAQ.png

Another Graphical view option for DOS can be checked by going to Security  ››  Reporting : DoS : Dashboard

If you want to check a specific attack ID then please on right side under Attack IDs find the attack ID and click on it. As soon as you will click on it page will show the data related to specific attack ID as shown below.

0151T000003llenQAA.png

 

0151T000003lleoQAA.png

 

0151T000003llfUQAQ.png

0151T000003lleFQAQ.png

As shown above during attack, TLS signature generate by Behavioural DOS is mitigating the attack and normal requests are still passing through using Behavioural attack signature.

Note

By default, when the system identifies signature pattern anomalies, it silently drops the connection. You can change the mitigation mode and force the system to send a reset (RST) when the traffic matches a signature pattern. To change the mitigation mode from drop to reset, perform the following steps:

1. Log in to tmsh by typing the following command: 
tmsh

2. To change the mitigation mode to reset, type the following command:

modify sys db adm.mitigation.accelerated.signatures.drop.mode value reset

Note: If you want to generate HTTP signature using BADOS instead of TLS signature in DOS protection profile you can select accelerated signature and rest of the steps will remain same.

Version history
Last update:
‎24-Apr-2020 10:30
Updated by:
F5 SIRT
Contributors
Copyright © 2023 Khoros, LLC