
ASM Policy that could read response and block source IP

sim2022
Nimbostratus

Hi All

Is there a WAF Policy that could be configured to read the response sent by my webserver to the user and block the source IP if the response has "xx" number of unauthenticated occurrences within a specific period of time from the same source IP?

Was wondering if this type of configuration would auto-block the source IP that is attempting an ongoing password-spraying or credential-stuffing attack on the website, considering the ReCaptcha is somehow bypassed.

Does F5's ASM have this capability?


Thanks

Sam


1 REPLY

Hi @sim2022,

> To log server responses, you can follow the article below:

 https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-1-0/14.h...

> To block a specific number of unauthenticated trials in specific time slots, configure brute force attack protection by following the articles below:

- https://support.f5.com/csp/article/K54335130

- https://support.f5.com/csp/article/K18650749

Note: you have to define your "login page" with its parameters well; after that, proceed to the brute force protection profile.

> I recommend using a brute force protection profile because you are able to monitor and see unauthenticated user behavior well, and also collect statistics from ASM reporting if there is a brute force attack.

I hope this helps you.

Regards 

_______________________
Regards
Mohamed Kansoh
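
The per-source-IP thresholding asked about in the question, as an added example that is not part of either post and is not F5 code or ASM configuration. The login URL, the failure status code, the threshold, the window, the block duration and the log records are all constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed "login page" definition (hypothetical values): which URL is the
# login endpoint and which response status marks a failed authentication.
LOGIN_URL = "/login"
FAILED_STATUS = 401

def sources_to_block(records, threshold=5, window=60, block_for=600):
    """Return {src_ip: (blocked_at, blocked_until)}.

    records: time-ordered (epoch_seconds, src_ip, url, response_status).
    A source is blocked once it reaches `threshold` failed login responses
    inside any `window` seconds, and stays blocked for `block_for` seconds.
    """
    recent = defaultdict(deque)   # src_ip -> timestamps of recent failures
    blocked = {}
    for ts, src, url, status in records:
        if ts < blocked.get(src, (0, 0))[1]:
            continue              # source is currently blocked
        if url != LOGIN_URL or status != FAILED_STATUS:
            # A successful login does NOT reset the count: a stuffing run
            # from one address will contain occasional valid credentials.
            continue
        q = recent[src]
        q.append(ts)
        while q and q[0] <= ts - window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold:
            blocked[src] = (ts, ts + block_for)
            q.clear()
    return blocked

# Constructed sample records (documentation IP ranges, made-up timestamps).
SAMPLE = [
    (1000, "198.51.100.7", "/login", 401),
    (1005, "203.0.113.20", "/login", 401),
    (1010, "198.51.100.7", "/login", 401),
    (1020, "198.51.100.7", "/login", 401),
    (1025, "198.51.100.7", "/login", 200),   # one attempt succeeded
    (1030, "198.51.100.7", "/login", 401),
    (1040, "198.51.100.7", "/login", 401),   # fifth failure within 60 s
    (1045, "198.51.100.7", "/login", 401),   # arrives while blocked
    (1300, "203.0.113.20", "/login", 401),   # slow retries by a real user
    (1700, "203.0.113.20", "/login", 401),
]

if __name__ == "__main__":
    print(sources_to_block(SAMPLE))
```

Counting per source IP only catches attempts that come from one address; the same attempts spread over many addresses stay under the threshold for each of them.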