cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

What is F5 ASM conviction and can it be used for configuring custom URL honey pot trap?

I see the feature conviction can be triggered in an irule but can it be done also in the ASM policy? Also can the honey pod traps be configured to send specific URL for the honey pod server or this is something that the ASM does automatic and sends custom URLs that target things on the ASM, so the ASM can detect attacks or the ASM sends the URL of an F5 web based honey pod server ?

 

 

https://clouddocs.f5.com/api/irules/ASM__conviction.html

 

 

 

This feature seems like the Citrix ADC bot trap url but there the trap url can be configured. This is my question if f5 ASM/WAF has options to send selected honey pod trap urls with javascript injection to bot devices or hackers?

1 ACCEPTED SOLUTION

This became indeed my Sunday entertainment. I came up with two use cases, which I believe are good:

  1. Brute Force / Logon Page protection > 302 redirect the malicious actor to a fake site, trick him/her to believe he/she had a successful login. Might be an airgapped copy of your real site. Analyse the malicous actors movement on the fake site.
  2. Bot Defense > e.g. Bot does a mass sign up on a loyalty program. Make a (slow loading) honey page to trick the bot into believing that it succesfully signed up. Let the hacker exhaust his/her resources.

 

I'd not use honeypages for each and everything. Hosting them requires extra resources, security measures and time effort.

View solution in original post

6 REPLIES 6

From what I read maybe this is related to F5 shape Security behavioral analysis and ir maybe redirecys bad requests to their honey pot and maybe we can't use our honey pot url?

Hello Daniel Wolf have seen this feature in the F5 ASM/Adv WAF as there is not a lot of documentation for it?

 usually I do feel confident to answer questions regarding Web Application Firewall. I was looking into your question too - I couldn't come up with an answer to this question. At least not for the iRules command.

 

You can configure custom Honeypot pages for Security Polices / Brute Force Attack Prevention and for Bot Defense profiles. I have learned a lot about Honeypots from Chris Sanders' book "Intrusion Detection Honeypots", but I never configured a honeypage on BIG-IP. Usually I use Blocking Pages or sometimes Captchas (though I don't like them).

A good honeypage could probably help you to gather more intelligence about the attacker.

Might be a nice Sunday project 🙂

 

My gut feeling - if you want Bot Defense and Credential Stuffing Protection the best results you will get from the Shape products.

 

Yes but from your reply I see that it probably can not be done with F5 ASM using javascript injection to redirect to a custom URL for the honey pot?

 

 

 

I found the custom honey pages you are mentioning ( https://support.f5.com/csp/article/K18650749 and https://support.f5.com/csp/article/K11412315 ), thanks for the idea. With the custom response pages maybe you are suggesting for me to use and external server for the response pages that will be the honey pot as mentioned in https://support.f5.com/csp/article/K7825 ?

This became indeed my Sunday entertainment. I came up with two use cases, which I believe are good:

  1. Brute Force / Logon Page protection > 302 redirect the malicious actor to a fake site, trick him/her to believe he/she had a successful login. Might be an airgapped copy of your real site. Analyse the malicous actors movement on the fake site.
  2. Bot Defense > e.g. Bot does a mass sign up on a loyalty program. Make a (slow loading) honey page to trick the bot into believing that it succesfully signed up. Let the hacker exhaust his/her resources.

 

I'd not use honeypages for each and everything. Hosting them requires extra resources, security measures and time effort.

Thanks. I was thinking on using iRule ASM or BOT events like IN_DOSL7_ATTACK

or ASM_REQUEST_DONE or BOTDEFENSE_ACTION

to trigger redirects with HTTP::redirect

or returning javascript like in K7825 with HTTP::respond but better use the native functions that you mentioned.