BruteForce Mitigation using only One field in login page

Question

Hello,&nbsp;If we have login page with only field for example "SSN Number" and we need to protect this login page from brute force , Is it possible?we need to verify if the user typed SSN number for example 3 times , after that F5 should block the user but I said using only one Field in the login page such as SSN number , No password will be inserted in this login page.&nbsp;We tried to use "None" for Authentication method but didn't achieve the goal.

nathe · Answer

MR.Freddy,&nbsp;I'm not sure you can with the Login Page configuration by default, and I haven't got up to date versions available to check if things have changed. However, I have seen this work in older versions using Data Guard. I wish I had the details to share more fully but here's an overview, which may be enough, or something which other DCers can help with and chip in on.&nbsp;Firstly, create a Data Guard configuration with a custom pattern of whatever is returned after a failed login i.e. when a user enters in an incorrect SSN Number. Enforce this on a URL, i.e. the logon page, again in the DG config. Enable the block for Data Guard in the violations list (or Alarm to test). This should block on each failed attempt.&nbsp;To allow for 3 attempts we would need to do session tracking, set the Associated Violation to Data Guard, set a blocking period and then add an IP Address Threshold for 3. Also enable block (or alarm) for the violation around disallowed IP address. &nbsp;See if this helps with your requirement, and please feedback. I must admit this was v10 or v11 about 5 years ago so forgive me for faded memory and out of date configuration advice on this one.&nbsp;HTH,&nbsp;N&nbsp;&nbsp;

mr_freddy · Answer

Hello Nathe,&nbsp;Thank you for your feedback.I am agree with you for that and we was thinking for the same but actually we want to protect the login page from brute force attack as more attackers always trying to login with fake SSN number which will lead to service outage on the application.

ivan_chernenkii · Answer

I think the best way will be to use some hidden parameter for password, and then use standard HTML Form login page for Brute Force protection

You can add such parameter via iRule (when HTTP_REQUEST) or add it into application as hidden.

Thanks, Ivan

Forum Discussion

BruteForce Mitigation using only One field in login page

3 Replies

Recent Discussions

[ASM] - what is "Browser Challange file" ?

Rewrite uri translation not working

no available managed rule groups for Israel il-central-1

About shun list for L7 DDoS?

CONNECTION IS LOST DUE TO SELF IP IS DELIVERED

Related Content

Mitigating OWASP API Security risks using BIG-IP

Mitigating OWASP API Security Top 10 risks using F5 NGINX App Protect

Mitigation of OWASP API Security Risk: Unsafe Consumption of API using F5 XC Platform

Mitigating OWASP API Security Risk: Mass Assignment using F5 XC Platform

Mitigating OWASP Web Application Risk: Security Misconfiguration using F5 XC Platform