on 24-Apr-2020 10:30
A brute force attack is one where the attacker tries to guess users' passwords as quickly as possible. Sometimes, however, the attacker is in no hurry and deliberately keeps the attack under the radar by running a very slow brute force attack. Such an attack is not caught by the detection criteria of the Brute Force Protection feature of Advanced WAF/ASM: if you lower the thresholds far enough to catch a slow brute force attack, it becomes very hard for ASM/Advanced WAF to distinguish the attack from legitimate user login attempts. We can instead use other protections available in ASM/Advanced WAF to defend against a slow brute force attack.
In this chapter we will use the TLS signature generated by Behavioral DoS to protect against a slow brute force attack.
As a general rule, instead of waiting for an attack and then taking action, we should be proactive in defending against it.
Preparation for mitigating a slow brute force attack
A slow brute force attack is very hard to detect, so the most important requirement for protecting the application is that Advanced WAF/ASM knows what normal traffic looks like.
For that we can use the Behavioral & Stress-based (D)DoS Detection option in the DoS Protection profile of Advanced WAF/ASM.
To configure a DoS Protection profile that protects against slow brute force attacks using TLS fingerprinting, follow the steps below.
Important: On BIG-IP ASM/Advanced WAF 14.1.0, the TLS fingerprinting signatures configuration section is only accessible if you have previously selected Use Legacy Application DoS view in the HTTP Properties configuration pop-up.
How do we know that ASM is ready and 100% confident about the normal traffic? Check the learning state of the DoS profile with admd, for example:
admd -s vs./Common/BF-PHP+/Common/ASM-TLS-Fingerprinting.info.learning
The output has the following form (this sample is from a profile that has not learned anything yet):
vs./Common/BF-Test+/Common/Brute-Force-test.info.learning:[0, 0, 0, 0]
The four values are, in order:
A. baseline_learning_confidence:
B. learned_bins_count:
C. good_table_size:
D. good_table_confidence:
If the output shows that Behavioral DoS is still learning, run the command again later:
admd -s vs./Common/BF-PHP+/Common/ASM-TLS-Fingerprinting.info.learning
The Behavioral DoS feature works by learning: it analyses all traffic to the web application, builds baselines, and then identifies anomalies when server stress is detected. So it is important to know when the server is under stress and how to check the server stress level.
To find out the stress level, go to Security ›› DoS Protection ›› Protected Objects (this option is only available if AFM is provisioned).
Find the virtual server whose status you want to check and click the arrow below Attack Status. Detailed information is then displayed on the screen, including Server Stress.
To check the server stress from the CLI, run the following command:
admd -s vs./Common/<VSname>+/Common/<DOSprofilename>.sig.health
Server stress value range:
For example:
admd -s vs./Common/BF-PHP+/Common/ASM-TLS-Fingerprinting.sig.health
Once the output of the learning command shows appropriate values (as described above), ASM is confident and ready to differentiate between normal and attack traffic.
The output below shows ASM is 100% confident:
admd -s vs./Common/BF-PHP+/Common/ASM-TLS-Fingerprinting.info.learning
A slow brute force attack has been reported
To check the attack status and server stress level, go to Security ›› DoS Protection ›› Protected Objects (this option is only available if AFM is provisioned).
Find the virtual server whose status you want to check and click the arrow below Attack Status.
Detailed information is then displayed on the screen.
In the example shown below, Server Stress is now 100.
If AFM is not provisioned, run the following command to check whether the server is under stress:
admd -s vs./Common/<VSname>+/Common/<DOSprofilename>.sig.health
Server stress value range:
For example:
admd -s vs./Common/BF-PHP+/Common/ASM-TLS-Fingerprinting.sig.health
You can keep monitoring from the command line or the GUI to find out whether an attack has started.
From the CLI, check the attack state with the command below: if the output shows 0,0 there is no attack; if the value is 1 the virtual server is under attack.
admd -s vs./Common/<VSname>+/Common/<DOSprofilename>.info
For example:
admd -s vs./Common/BF-PHP+/Common/ASM-TLS-Fingerprinting.info
Using the GUI, go to Security ›› DoS Protection ›› Protected Objects.
Note: this view requires AFM to be provisioned.
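The three CLI checks above (learning state, attack state and server stress) can be scripted so that you do not have to re-run admd by hand. The following POSIX shell script is an added example and is not part of the original article or of F5's tooling. It parses admd lines of the form key:[v1, v2, ...] as shown above, names the four .info.learning fields in the order listed above, reads the first value of .info as the attack flag (0 = no attack, 1 = under attack) and the first value of .sig.health as the server stress, as the article describes. Treating "ASM is 100% confident" as baseline_learning_confidence reaching 100 is an assumption, and the sample admd lines in the demo are constructed, not captured from a BIG-IP; the virtual server and profile names are the article's.

```shell
#!/bin/sh
# Added example, not from the original article: parse the admd status lines used
# above and poll them on a BIG-IP. Field meanings follow the article:
#   .info.learning -> [baseline_learning_confidence, learned_bins_count,
#                      good_table_size, good_table_confidence]
#   .info          -> first value 1 = VS under attack, 0 = no attack
#   .sig.health    -> first value = server stress
# ASSUMPTION: "100% confident" is read as baseline_learning_confidence >= 100.

VS="/Common/BF-PHP"
PROFILE="/Common/ASM-TLS-Fingerprinting"
KEY="vs.${VS}+${PROFILE}"

# Strip the "vs.<vs>+<profile>.<key>:" prefix and the brackets/commas, e.g.
# "...ASM-TLS-Fingerprinting.info.learning:[100, 57, 26, 100]" -> "100 57 26 100"
admd_values() {
    printf '%s\n' "$1" | sed -e 's/^[^:]*://' -e 's/[][]//g' -e 's/, */ /g'
}

# Print the four learning fields by name; return 0 once learning is complete.
learning_ready() {
    set -- $(admd_values "$1")
    if [ "$#" -ne 4 ]; then
        echo "unexpected .info.learning output" >&2
        return 2
    fi
    echo "baseline_learning_confidence=$1 learned_bins_count=$2 good_table_size=$3 good_table_confidence=$4"
    [ "$1" -ge 100 ]
}

# Map the first value of the .info line to a readable attack state.
attack_state() {
    set -- $(admd_values "$1")
    case "${1:-}" in
        1) echo "attack" ;;
        0) echo "none" ;;
        *) echo "unknown" ;;
    esac
}

# The first value of the .sig.health line is the server stress.
server_stress() {
    set -- $(admd_values "$1")
    echo "${1:-unknown}"
}

# Live loop, to be run on the BIG-IP itself: wait until learning is complete,
# then report attack state and server stress every 10 seconds.
monitor() {
    command -v admd >/dev/null 2>&1 || { echo "admd not found; run this on the BIG-IP" >&2; return 1; }
    until learning_ready "$(admd -s "${KEY}.info.learning")"; do
        sleep 30
    done
    while :; do
        echo "$(date '+%T') attack=$(attack_state "$(admd -s "${KEY}.info")") stress=$(server_stress "$(admd -s "${KEY}.sig.health")")"
        sleep 10
    done
}

# Offline demo on CONSTRUCTED sample lines (not real admd output).
demo() {
    for line in \
        'vs./Common/BF-Test+/Common/Brute-Force-test.info.learning:[0, 0, 0, 0]' \
        'vs./Common/BF-PHP+/Common/ASM-TLS-Fingerprinting.info.learning:[100, 57, 26, 100]'; do
        if learning_ready "$line"; then echo "-> ready"; else echo "-> still learning"; fi
    done
    echo "attack=$(attack_state 'vs./Common/BF-PHP+/Common/ASM-TLS-Fingerprinting.info:[1, 0]')"
    echo "stress=$(server_stress 'vs./Common/BF-PHP+/Common/ASM-TLS-Fingerprinting.sig.health:[100]')"
}

case "${1:-demo}" in
    live) monitor ;;
    *) demo ;;
esac
```

Run it with no arguments anywhere to see the parsing on the constructed samples; run it with the argument live on the BIG-IP to poll admd until learning completes and then print attack state and stress on each iteration. If admd prints the .info or .sig.health values in a different layout on your version, adjust admd_values first and compare its output against a real line before trusting the loop.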
If you continue to monitor, you will notice that BADoS has started generating a signature. Its accuracy will not be 100% at first; it can take some time to reach 100% accuracy.
Using the CLI:
admd -s vs./Common/BF-PHP+/Common/ASM-TLS-Fingerprinting.info
Using the GUI: Security ›› DoS Protection ›› Protected Objects (this option is only available if AFM is provisioned).
If the Dynamic Signature status is unready, the signature is not ready yet and does not have 100% accuracy.
Note: this view requires AFM to be provisioned; if AFM is not provisioned you can continue monitoring from the CLI.
Once the signature is ready, the Dynamic Signature status changes as shown below.
Note: this view requires AFM to be provisioned; if AFM is not provisioned you can continue monitoring from the CLI.
Once the signature's accuracy reaches 100%, it is listed under Security ›› DoS Protection ›› Signatures ›› Dynamic, as shown below.
You may notice in the screenshot above that the signature's Accuracy is 100% while its Approval Status is Unapproved. If you want to use only approved signatures (as we do in this case), tick the check box in front of the signature; a panel opens on the right-hand side where you can tick the check box in front of Approved and then click Update to approve the signature manually.
Note: For this to take effect, the Use Approved Signatures Only option under Behavioral & Stress-based (D)DoS Detection in the DoS profile must be enabled.
Once you approve the signature, its approval state changes to Manually Approved, as shown below.
You can also review the DoS logs under Security ›› Event Logs ›› DoS ›› Application Events.
Another, graphical view of DoS activity is available under Security ›› Reporting ›› DoS ›› Dashboard.
To inspect a specific attack ID, find it under Attack IDs on the right-hand side and click it; the page then shows the data for that attack ID, as shown below.
As shown above, during the attack the TLS signature generated by Behavioral DoS mitigates the attack while normal requests continue to pass through.
Note:
By default, when the system identifies signature pattern anomalies, it silently drops the connection. You can change the mitigation mode so that the system sends a reset (RST) instead when traffic matches a signature pattern. To change the mitigation mode from drop to reset, perform the following steps:
1. Log in to tmsh by typing the following command: tmsh
2. To change the mitigation mode to reset, type the following command:
modify sys db adm.mitigation.accelerated.signatures.drop.mode value reset
Note: If you want BADoS to generate HTTP signatures instead of TLS signatures, select Accelerated Signatures in the DoS protection profile; the rest of the steps remain the same.