09-Sep-2021 20:29
We have an application sitting behind our F5 WAF, where the application is receiving a high volume of OTP requests on the server to generate OTP SMS by an attacker. People are receiving unwanted OTP messages on their mobiles.
I have configured an iRule which limits requests to a maximum of 3 requests in 5 minutes, and it is working, but the attacker is using different ISP IPs to flood the OTP requests.
Can someone please assist here with how to mitigate such an attack with the help of an F5 WAF policy?
09-Sep-2021 22:52 - last edited on 24-Mar-2022 01:20 by li-migration
Hi,
Sure. Can you explain the attack in 3-4 sentences, as much as you know? Is it always the same IP, rotating IPs, always the same user-agent string? Also, please explain the process of requesting an OTP.
Knowing this can help to find the right mitigation strategy for your issue.
Bonus question - do you have IP Intelligence licensed?
KR
Daniel
09-Sep-2021 23:38 - last edited on 24-Mar-2022 01:20 by li-migration
Hi,
Thanks for the quick reply.
The IP is always rotating; it looks like the attacker set up some sort of script which has more than a lakh phone numbers requesting OTPs at the same time.
So can we mitigate such attacks?
09-Sep-2021 23:59
Yes, I would set up a Bot Defense profile and I'd also enable Device ID in this profile.
In this solution article you will find all settings for creating a Bot Defense profile explained.
K42323285: Overview of the unified Bot Defense profile
Additionally, check out this lab guide from Agility 2021; it will give you a rough idea of how to set up Bot Defense with Device ID.
https://clouddocs.f5.com/training/community/waf/html/waf241/module1-elevated-bot/lab1/lab1.html
12-Sep-2021 02:44 - last edited on 24-Mar-2022 01:20 by li-migration
Hey,
Could you mitigate the attack with a Bot Defense profile? In case you cannot share further details of the attack, you can DM me and I can try to help you.
KR
Daniel
12-Sep-2021 19:08
Hi Daniel,
The bot profile is already configured with Device ID enabled, and enforcement mode is set to Transparent in the system.
As I have verified in the other settings, there is no brute force attack/DoS protection enabled for the virtual server. The application security policy is configured with minimal protection, as only a few parameters are set to block or alarm. Could you please suggest which parameters should be blocked?
Also, could you please let me know how to collect such flood-type requests in the application event logs to prepare a report on it?
Thanks
13-Sep-2021 00:01
Hi,
So, question by question - a Device ID won't be generated when the Bot Defense profile is in Transparent mode unless you set "Verification and Device-ID Challenges in Transparent Mode" to Enabled. Check if Device IDs are generated.
In case you have a Device ID generated, you could use this Device ID in a TPS-based DoS profile.
I cannot tell you how to configure the parameters in the Security Policy. I practically know nothing about your application. Therefore I cannot judge what parameters there are and how to handle them.
You can try to find the information in Security ›› Event Logs : Bot Defense : Bot Traffic. If the AWAF identified the attacker as a bot, you will get some graphs out of it.
If you are logging All Requests in the Security Policy, maybe you can also identify some characteristics of the attack from these requests. You will also find the Device ID here.
KR
Daniel
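The following Python example applies the thread's threshold of 3 requests in 5 minutes to constructed request records, once keyed on client IP and once keyed on Device ID, to show why an IP-keyed count misses a rotating-IP flood while a Device ID count exposes it. It is an added example, not part of the original posts and not F5 code; the record layout, the `/otp/request` path and the function name are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # same window as the iRule described in the thread
LIMIT = 3                      # same threshold: 3 requests per window

# Constructed records (time, client_ip, device_id, path); not real F5 log output.
SAMPLE = [
    ("2021-09-09 20:00:00", "198.51.100.10", "dev-A", "/otp/request"),
    ("2021-09-09 20:00:30", "203.0.113.7", "dev-A", "/otp/request"),
    ("2021-09-09 20:01:00", "198.51.100.44", "dev-A", "/otp/request"),
    ("2021-09-09 20:01:10", "192.0.2.80", "dev-B", "/otp/request"),
    ("2021-09-09 20:01:30", "203.0.113.90", "dev-A", "/otp/request"),
    ("2021-09-09 20:02:00", "192.0.2.15", "dev-A", "/otp/request"),
    ("2021-09-09 20:02:30", "198.51.100.201", "dev-A", "/otp/request"),
    ("2021-09-09 20:03:00", "192.0.2.80", "dev-B", "/login"),
    ("2021-09-09 20:04:00", "192.0.2.80", "dev-B", "/otp/request"),
    ("2021-09-09 20:10:00", "203.0.113.7", "dev-A", "/otp/request"),
]

IP, DEVICE = 1, 2  # column indexes usable as the rate-limit key


def over_limit(records, key_index, path="/otp/request"):
    """Return {key: peak request count in any sliding WINDOW} for keys above LIMIT."""
    windows = defaultdict(deque)
    peak = defaultdict(int)
    for rec in sorted(records, key=lambda r: r[0]):
        if rec[3] != path:
            continue  # only OTP generation requests are counted
        ts = datetime.strptime(rec[0], "%Y-%m-%d %H:%M:%S")
        q = windows[rec[key_index]]
        q.append(ts)
        while ts - q[0] >= WINDOW:
            q.popleft()  # drop requests that fell out of the window
        peak[rec[key_index]] = max(peak[rec[key_index]], len(q))
    return {k: v for k, v in peak.items() if v > LIMIT}


if __name__ == "__main__":
    print("keyed on client IP:", over_limit(SAMPLE, IP))
    print("keyed on Device ID:", over_limit(SAMPLE, DEVICE))
```

The same grouping can be run over exported request logs for a report, provided the export contains a timestamp, the client IP and the Device ID.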
14-Sep-2021 03:19
Use the Microservice feature under the bot profile.
https://support.f5.com/csp/article/K42323285#sect3
Either use the predefined Threat Protection, like Login Protection, Search Protection, etc., or
use Custom Microservice Protection.
Set a proper threshold under automated threat detection and mitigation action.
Another way: create a custom signature or bot signature which matches the attacker's user agent (if it is something fishy).
11-Jun-2022 06:12
Hi,
Could you please help me with the iRule that you've configured?
Regards,
Sumit
12-Jun-2022 23:28
Hi Jaspreet
Please help by sharing the iRule that you mentioned in your post, which limits requests to a maximum of 3 requests in 5 minutes.