Brute Force Protection for single parameter
This can be achieved with the help of ASM Data Guard & Session tracking
1. Log all request & response to record valid OTP request & invalid OTP request/response. This is just to record request & response. After recording request & response, you should remove Log All request profile from virtual server.
2. From invalid OTP response, identify unique response
For eg - FAILED or Mobile number not registered
3. Configure this unique response in Data Guard Custom pattern so that firewall will track session based on that
4. Configure URL which sends OTP parameter at Data Guard Protection Enforcement Enforced URLs
5. Now go to session tracking, Enable Session Awareness, Track Violations and Perform Actions, mention violation detection period 60 seconds. you can change this time as per recommendation by your security team
6. In session tracking, go to Delay Blocking , enable Session threshold to 3 violation. It means 3 violations in 60 seconds will be ignored or 3 violations in 60 seconds will not be blocked
7. Enable IP Address threshold to 20 , it means if any IP will be blocked after 20 violations
8. In Associated Violations, Select Data Guard:Information leakage detected
Many Thanks for sharing this scenario!
But, it seems that by configuring "Session Tracking" Feature in this manner, We are restricted with regards to the "Associated Violations" in Delay Blocking Section!
Because, we are obliged to filter JUST "Data Guard", and if we want to add other type of Violations, the "Violation Counter" does NOT work properly to count the exact number of JUST "Data Guard" Violations...
Maybe in the future there will be more options but still with the Data Guard many DLP or brute force attacks can be stopped that a normal WAF rule will not block them as they are not a real Web attack that has bad request packet by blocking/rate limiting the session for the attacker Ip address/user/Device ID that generates them.
We decided to nominate this forum post up to a CrowdSRC article.
If anyone has more comments / ideas / thoughts on this excellent contribution please do so here:
I will disable replies on this thread going forward.
CrowdSRC articles are great for this type of content because they...
Thanks for your excellent contributions to our community.