10-May-2022 01:58
Hello,
We have discovered that after Samsung's latest upgrade of the built-in "Internet" (Samsung Internet Browser) 17.0.1.69, the bot protection, both in transparent and blocking mode, adds the cookie that is responsible for marking the device as malicious.
When logging, we can see that on the first visit it is just a regular device. No bot, no malicious activity and so on. The next refresh of the site will immediately cause a Connection Reset. Dumping a pcap shows that the handshake is done and Application data begins, then it stops.
With that said, if you remove this cookie, everything works fine again. It is a TS****** with an expire date seven weekdays of the first visit. Then you need to clear cache and cookies on the device to get it to happen again.
We are still looking for a solution; adding the browser's user agent will not fix the issue for us.
Hope that this will help anybody in our seat looking for a solution. I will keep you updated if we find anything that will solve the issue.
Fredrik
10-May-2022 02:08 - edited 10-May-2022 02:11
Why don't you add the bot as an exception "Mitigation Settings Exceptions" or whitelist the source IP for the Bot protection:
https://support.f5.com/csp/article/K42323285
10-May-2022 02:24
Hi!
We have done this both with contains SamsungBrowser/17.0 and added it as an exception. We can't whitelist on IP, unfortunately. I will however look into the article again in case I have missed something.
Best regards,
10-May-2022 02:28 - edited 10-May-2022 02:39
Your Bot Protection is the F5 Advanced WAF (ASM) Bot protection, right? You do not use Shape Security with F5 BIG-IP?
Also, from some bugs in the bug tracker, you may try stopping the browser verification or change the browser_legit_min_score_drop sys db to a higher value.
https://cdn.f5.com/product/bugtracker/ID693782.html
https://cdn.f5.com/product/bugtracker/ID745531.html
https://cdn.f5.com/product/bugtracker/ID742852.html
As I see many issues with different browsers, better open an F5 case so they can add this to the bug tracker for Samsung.
10-May-2022 02:39
Yes, WAF Bot protection.
Thing is, I don't understand why it's happening when the policies also are in transparent mode.
10-May-2022 02:50 - edited 10-May-2022 02:51
The Bot protection is separate from the F5 ASM security policies, and their being in Transparent mode does not affect the Bot Protection, as the Bot Protection has its own Transparent mode:
https://support.f5.com/csp/article/K42323285
Maybe you need to test, if the two bot protection profiles are in transparent mode, if the issue will still be there, as in Transparent mode the Bot is still marked and maybe the other Bot Protection is stopping it.
10-May-2022 03:30
Yes, ASM policies and bot protection are both in transparent.
10-May-2022 02:46
Thanks Nikoolay for all tips and links! We are having a case opening soon, luckily this browser (at least in our company) is not widely used.
Best regards,
10-May-2022 05:05 - edited 10-May-2022 05:05
Yes, better see with F5 TAC, but it is strange if you are still blocked with everything in transparent mode, as it seems like another bug, except if for some reason it is the DDOS profile blocking you by device id, or the Bot protection has created a dynamic DDOS signature or "DoS Attack Mitigation Mode" on the Bot profile to activate the DDOS profile:
10-May-2022 05:47
Looks like this, "Solved: Device ID - Bot/Dos Profile - DevCentral (f5.com)", Device ID Mode: Generate After Access, solves the issue. 🙂
After that change, I can also see the logs. Bot protection thinks this:
We are having a case with TAC. See if we can solve this.
Thanks for all help!
Best regards,
Fredrik
13-May-2022 03:17 - edited 13-May-2022 03:19
Hello, it is good that now you can stop the Bot protection from blocking the traffic in transparent mode, so we can consider one of the issues solved. If possible, mark the question as completed, but after F5 has provided the fix for the bad bot categorization, share it with us.