Technical Forum
Ask questions. Discover Answers.
cancel
Showing results for 
Search instead for 
Did you mean: 
Custom Alert Banner

what's Device ID in asm?

小白
Cirrus
Cirrus

我想知道设备ID是什么以及它是由什么组成的?比如时间,源ip,源端口……实体是什么?

_0-1674051894639.png

 

 

1 ACCEPTED SOLUTION

G-Rob
F5 Employee
F5 Employee

Device ID is an ASM / AdvWAF feature. The BIG-IP uses JavaScript to create a device ID from client. The JavaScript tries to obtain various signals from the client to retrieve attributes like the browser type and version, installed updates, installed fonts, and others. The BIG-IP stores the device ID in the TSPD101 cookie.

This information can be used for example with brute force attack prevention or web scraping protection.

More information: https://support.f5.com/csp/article/K19556739

View solution in original post

12 REPLIES 12

G-Rob
F5 Employee
F5 Employee

Device ID is an ASM / AdvWAF feature. The BIG-IP uses JavaScript to create a device ID from client. The JavaScript tries to obtain various signals from the client to retrieve attributes like the browser type and version, installed updates, installed fonts, and others. The BIG-IP stores the device ID in the TSPD101 cookie.

This information can be used for example with brute force attack prevention or web scraping protection.

More information: https://support.f5.com/csp/article/K19556739

I marked this as the Accepted Solution for you. 🙂

 @G-Rob Doesn't it have anything to do with source ip and source port?I think browser information can be forged

I do not see documentation where the source IP/port are used; but that doesn't mean that we do not use those values. I would reach out to support via ticket for more information.

I need to clarify this information ,so that I can explain to my customers.

I understand. Reach out to your F5 account team. If you're unsure who that is, please use this link: https://www.f5.com/products/get-f5#contactsales  ... sorry I couldn't help further!

thanks

As Rob says actual F5 contact is the best source.

But for your worry about forging things. Mostly everything can be forged. It is about being sure enough. There is no 100% in this.

I called, but they didn't solve my problem.

@小白 what did they tell you? 

I'm not sure if maybe @Lior_Rotkovitch could answer this?

Device ID Is a java script the create a unique identifier for the device itself.

Adv WAF / ASM uses it for few powerful features:

 

1. Session hijacking –  Act as another layer of identification above the session

The DID is regenerated every certain amount of time

 

https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-asm-implementations/preventing-session-hijacking-a...

https://my.f5.com/manage/s/article/K18611270

 

Lab https://f5-agility-labs-waf.readthedocs.io/en/latest/class5/module2/lab2/lab2.html

 

2. DiD for RPS anomaly

https://www.slideshare.net/liorrotkovitch/asm-bot-mitigations-v3-final-lior-rotkovitch

slide 12 illustrate the DID concept

Under DDoS profile TPS based. Device ID thresholds.

It is very useful when you have an offending source behind a NAT’d clients.

It is more accurate than IP since IP can change while the DID is persistency over IP roaming.

Thus counting RPS on DID will assist with identifying the true offending client.

Lior Rotkovitch | Senior Security Engineer – F5 SIRT

小白
Cirrus
Cirrus

thanks!