Brute Force protection for single parameter like OTP

Viv_Richards
Cirrostratus

Brute Force Protection for single parameter

This can be achieved with the help of ASM Data Guard and Session Tracking.

1. Log all requests and responses to record valid and invalid OTP requests/responses. This is just to record the request and response. After recording them, you should remove the Log All Requests profile from the virtual server.
2. From the invalid OTP response, identify a unique response string, for example FAILED or Mobile number not registered.
3. Configure this unique response as a Data Guard custom pattern so that the firewall will track the session based on it.

4. Configure the URL that sends the OTP parameter under Data Guard > Protection Enforcement > Enforced URLs.

[screenshot: Viv_Richards_0-1657172748869.png]

5. Now go to Session Tracking, enable Session Awareness and Track Violations and Perform Actions, and set the violation detection period to 60 seconds. You can change this time as recommended by your security team.
6. In Session Tracking, go to Delay Blocking and set the Session threshold to 3 violations. This means 3 violations in 60 seconds will be ignored, i.e. 3 violations in 60 seconds will not be blocked.
7. Enable the IP Address threshold at 20; this means any IP will be blocked after 20 violations.
8. In Associated Violations, select Data Guard: Information leakage detected.

[screenshot: Viv_Richards_1-1657172878879.png]
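The following is an added illustration of the counting logic the steps above configure; it is not F5 ASM code and does not reproduce the product's internal implementation. It models a response matching the Data Guard custom pattern ("FAILED" or "Mobile number not registered", taken from step 2) as one violation, tolerates up to 3 violations per session within a 60-second detection period, and blocks an IP once it exceeds 20 violations in that period (steps 5 to 7). The log format, the `ViolationTracker` class, the `observe`/`replay` functions and the sample log lines are all constructed for this example; blocks are kept indefinitely here for simplicity, whereas a real policy would expire them.

```python
"""
Model of ASM Data Guard + Session Tracking thresholds (added example,
not F5 code). Each response body is matched against the custom pattern;
a match is a violation counted per session and per source IP within a
sliding detection window.
"""
import re
from collections import defaultdict, deque

# Constructed values mirroring the post: 60 s detection period,
# 3 violations per session tolerated, IP blocked after 20 violations.
DETECTION_PERIOD = 60
SESSION_THRESHOLD = 3
IP_THRESHOLD = 20
# The "unique response" strings from step 2, compiled as the custom pattern.
FAILURE_PATTERN = re.compile(r"FAILED|Mobile number not registered")


class ViolationTracker:
    def __init__(self, period=DETECTION_PERIOD,
                 session_threshold=SESSION_THRESHOLD,
                 ip_threshold=IP_THRESHOLD):
        self.period = period
        self.session_threshold = session_threshold
        self.ip_threshold = ip_threshold
        # Timestamps of violations, per session id and per IP.
        self.session_hits = defaultdict(deque)
        self.ip_hits = defaultdict(deque)
        self.blocked_sessions = set()
        self.blocked_ips = set()

    def _prune(self, hits, now):
        """Drop violations that fell outside the detection period."""
        while hits and now - hits[0] > self.period:
            hits.popleft()

    def observe(self, ts, session_id, ip, response_body):
        """Classify one response: 'blocked', 'violation' or 'ok'."""
        # A session or IP that is already blocked stays blocked (simplification).
        if session_id in self.blocked_sessions or ip in self.blocked_ips:
            return "blocked"
        if not FAILURE_PATTERN.search(response_body):
            return "ok"
        # Record the violation against both the session and the source IP.
        for key, store in ((session_id, self.session_hits), (ip, self.ip_hits)):
            hits = store[key]
            self._prune(hits, ts)
            hits.append(ts)
        # Step 6: up to SESSION_THRESHOLD violations in the window are ignored.
        if len(self.session_hits[session_id]) > self.session_threshold:
            self.blocked_sessions.add(session_id)
            return "blocked"
        # Step 7: the IP is blocked once it exceeds IP_THRESHOLD violations.
        if len(self.ip_hits[ip]) > self.ip_threshold:
            self.blocked_ips.add(ip)
            return "blocked"
        return "violation"


# Constructed log: "<seconds> <session id> <client ip> <response body>".
SAMPLE_LOG = """\
0 sess-A 203.0.113.5 FAILED
10 sess-A 203.0.113.5 FAILED
20 sess-A 203.0.113.5 OK
25 sess-A 203.0.113.5 FAILED
30 sess-A 203.0.113.5 FAILED
100 sess-B 203.0.113.5 Mobile number not registered
200 sess-B 203.0.113.5 FAILED
"""


def replay(log_text, tracker=None):
    """Feed each log line through the tracker and return the verdicts."""
    tracker = tracker or ViolationTracker()
    verdicts = []
    for line in log_text.splitlines():
        ts, session_id, ip, body = line.split(" ", 3)
        verdicts.append(tracker.observe(int(ts), session_id, ip, body))
    return verdicts


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG.splitlines(), replay(SAMPLE_LOG)):
        print(f"{verdict:9s} {line}")
```

Running it shows the fourth failed OTP attempt in session A within 60 seconds being blocked, while session B's two failures, 100 seconds apart, each fall into a fresh window and are only counted. The per-IP counter is what catches an attacker who rotates sessions to stay under the session threshold.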

4 Replies

Nice ! This seems to also be used for Guessing the PIN code attack protection!

Parham_EJ__F5
F5 Employee

Many Thanks for sharing this scenario!

But it seems that by configuring the "Session Tracking" feature in this manner, we are restricted with regard to the "Associated Violations" in the Delay Blocking section!

Because we are obliged to filter JUST "Data Guard", and if we want to add other types of violations, the "Violation Counter" does NOT work properly to count the exact number of JUST "Data Guard" violations...

Maybe in the future there will be more options, but still, with Data Guard many DLP or brute force attacks can be stopped that a normal WAF rule will not block, as they are not a real web attack with a bad request packet, by blocking/rate limiting the session for the attacker IP address/user/Device ID that generates them.

LiefZimmerman
Community Manager

@Viv_Richards 
We decided to nominate this forum post up to a CrowdSRC article.

If anyone has more comments / ideas / thoughts on this excellent contribution please do so here: 
          https://community.f5.com/t5/crowdsrc/brute-force-protection-for-single-parameter-like-otp/ta-p/29861...
I will disable replies on this thread going forward.

CrowdSRC articles are great for this type of content because they...

  • allow the author to edit the content over time, as things change (version history)
    Forum Posts, on the other hand, are locked after only a couple of hours by design.
  • Community Admins can also do some things with CrowdSRC articles such as: Feature / Highlight on the homepage, collate like-for-like content into series' (future feature), add Co-Contributors if/where necessary, etc...

Thanks for your excellent contributions to our community.
Lief

------
Lief Zimmerman | @LiefZF5 | DevCentral Community Manager