We have discovered that after Samsung's latest upgrade of the built-in "Internet" (Samsung Internet Browser) 220.127.116.11, the bot protection, both in transparent and blocking mode, adds the cookie that is responsible for marking the device as malicious.
When logging, we can see that on the first visit it is just a regular device. No bot, no malicious activity and so on. The next refresh of the site will immediately cause a Connection Reset. Dumping a pcap shows that the handshake is done and Application data begins, then it stops.
With that said, if you remove this cookie, everything works fine again. It is a TS****** with an expiry date seven weekdays from the first visit. Then you need to clear cache and cookies on the device to get it to happen again.
We are still looking for a solution; adding the browser's user agent will not fix the issue for us.
Hope that this will help anybody in our seat looking for a solution. I will keep you updated if we find anything that will solve the issue.
10-May-2022 02:08 - edited 10-May-2022 02:11
Why don't you add the bot as an exception "Mitigation Settings Exceptions" or whitelist the source IP for the Bot protection:
We have done this both with contains SamsungBrowser/17.0 and added it as an exception. We can't whitelist on IP, unfortunately. I will, however, look into the article again to see if I have missed something.
10-May-2022 02:28 - edited 10-May-2022 02:39
Your Bot Protection is the F5 Advanced WAF (ASM) Bot protection, right? You do not use Shape Security with F5 BIG-IP?
Also, from some bugs in the bug tracker, you may try stopping the browser verification or changing the browser_legit_min_score_drop sys db to a higher value.
As I see many issues with different browsers, better open an F5 case so they can add this to the bug tracker for Samsung.
Yes, WAF Bot protection.
Thing is, I don't understand why it's happening when the policies are also in transparent mode.
10-May-2022 02:50 - edited 10-May-2022 02:51
The Bot protection is separate from the F5 ASM security policies, and them being in transparent mode does not affect the Bot Protection, as the Bot Protection has its own transparent mode:
Maybe you need to test whether the issue is still there when the two bot protection profiles are in transparent mode, as in transparent mode the bot is still marked and maybe the other Bot Protection is stopping it.
Yes, ASM policies and bot protection are both in transparent.
Thanks Nikoolay for all tips and links! We are having a case opening soon, luckily this browser (at least in our company) is not widely used.
10-May-2022 05:05 - edited 10-May-2022 05:05
Yes, better see with F5 TAC, but it is strange if you are still blocked with everything in transparent mode, as it seems like another bug, except if for some reason it is the DDOS profile blocking you by device id, or the Bot protection has created a dynamic ddos signature or "DoS Attack Mitigation Mode" on the Bot profile to activate the DDOS profile:
Looks like this "Solved: Device ID - Bot/Dos Profile - DevCentral (f5.com)" Device ID Mode: Generate After Access solves the issue. 🙂
After that change, I can also see the logs. Bot protection thinks this:
We are having a case with TAC. See if we can solve this.
Thanks for all help!
13-May-2022 03:17 - edited 13-May-2022 03:19
Hello, it is good that now you can stop the Bot protection from blocking the traffic in transparent mode, so we can consider one of the issues solved. If possible, mark the question as completed, but after F5 has provided the fix for the bad bot categorization, share it with us.