Securing Model Serving in Red Hat OpenShift AI (on ROSA) with F5 Distributed Cloud API Security
Learn how Red Hat OpenShift AI on ROSA and F5 Distributed Cloud API Security work together to protect generative AI model inference endpoints. This integration ensures robust API discovery, schema enforcement, LLM-aware threat detection, bot mitigation, sensitive data redaction, and continuous observability—enabling secure, compliant, and high-performance AI-driven experiences at scale.
Missing TABs in "Application Security" BIG-IP 17.1.1.3 - BIG-IP 15.1.7
Hello, F5 infra was recently migrated from BIG-IP 15.1.7 to BIG-IP 17.1.1.3. Unfortunately, I can no longer select some tabs in "Application Security". For exemple, "File Type" or "Header" are now missing. I spent some time trying to find something in the documentation but I had no luck. is it expected behavior ? Were they moved somewhere else in the GUI ? Regards, MLGLOBAL Live Webinar: Why DNS Global Server Load Balancing Is Necessary in 2023
This event is open to all F5 users regardless of geographic location. Date:Thursday, September 21, 2023 Time:10:00am PT | 1:00pm ET Speaker: Nico Cartron, Sr. Manager Product, F5 What's the webinar about? Most applications today are no longer hosted in central locations but in multiple clouds and environments. This allows for better service to users, but it also requires routing traffic to the closest data center. This is where DNS load balancing can offer critical support, particularly when it comes to performance and user experience. Join us for an F5 expert-led webinar to learn how and why DNS load balancing makes sense for today’s digital world – and specifically why F5 Distributed Cloud DNS Load Balancer makes the most sense for customers of F5 Distributed Cloud Services. In this webinar, we’ll cover: Get split load across compute instances Automatically detect primary site failure Automate zero touch failover Gain built-in DDoS protection and faster performance Register today, learn more. Click HereGLOBAL Live Webinar: Vulnerability Intelligence: Near Past and Distant Future
This event is open to all F5 users regardless of geographic location. Date:Thursday, August 24, 2023 Time:10:00am PT | 1:00pm ET Speaker: Sander Vinberg,Threat Research Evangelist, F5 Labs What's the webinar about? Join F5 Labs threat researcher Sander Vinberg for the latest vulnerability intelligence from F5 Labs. This talk will begin at the tactical level by exploring CVE targeting trends, including a recent focus on IoT devices. Sander will also cover the Exploit Prediction Scoring System, an open-source ML system for forecasting vulnerability exploitation. We will unpack how the system works, how F5 contributes to it, and how best to use it to provide insight into your own vulnerabilities and risks. The talk will conclude with an examination of the long-term future of vulnerability management, referencing selected findings from a recent report on the evolving CVE landscape. Through this talk, attendees will learn: Which vulnerabilities attackers are prioritizing in 2022 and early 2023 Features, strengths, and weaknesses of the Exploit Prediction Scoring System How changes to vulnerability publication may impact the future of the CVE system Register today, learn more
ImageTragick - The Tragick continues
Abstract We keep talking about the fact that ASM is an effective tool for protecting the 0-day attacks. Two years ago we were able to detect the shellshock exploitations attempts by detecting the carried commands that the shellshock was used to execute. More details are here: Mitigating the Unknown. ImageMagick ImageMagick, a very popular image editing library, has a new vulnerability which allows a code execution abusing an incorrectly parsed file format. We already wrote about ImageMagick in June because there were multiple CVEs about mishandling the MVG and SVG file formats, allowing abuse of ImageMagick based software to create and delete files, move them, and run commands, only by abusing incomplete input validation in ImageMagick’s file format. Sometime after the original CVEs another CVE showed up, allowing another attacker to execute an arbitrary shell command using the pipe character (“|”) at the start of the processed filename. CVE-2016-5118 CVE ID for the new vulnerability is CVE-2016-5118andjust like the earlier CVE-2016-3714, it may allow the attacker to remotely smuggle and run shell commands on the server. Luckily for us, ASM is great with mitigating the 0-day shell and code execution vectors and, therefore, nothing had to be reconfigured to keep our server safe from this attack. In this particular example, ASM has detected using 3 ASM signatures: echo sig_id 200003045, cat sig_id 200003065 /usr sig_id 200003060 Conclusion I believe that we have not seen the last CVE for the ImageMagick based software but ASM should be able to detect and block the exploitation attempts for the vulnerabilities that were already discovered and those which are yet to come. We will continue to follow the issue and update the signatures when needed.GHOST Vulnerability (CVE-2015-0235)
On 27 of January Qualys publisheda critical vulnerability dubbed “GHOST” as it can be triggered by the GetHOST functions ( gethostbyname*() ) of the glibc library shipping with the Linux kernel. Glibc is the main library of C language functionality and is present on most linux distributions. Those functions are used to get a corresponding structure out of a supplied hostname, while it also performs a DNS lookup if the hostname is a domain name and not an IP address. The vulnerable functions are obsolete however are still in use by many popular applications such as Apache, MySQL, Nginx and Node.js. Presently this vulnerability was proven to be remotely exploited for the Exim mail service only, while arbitrary code execution on any other system using those vulnerable functions is very context-dependent. Qualys mentioned through a security email list, the applications that were investigated but found to not contain the buffer overflow. Read more on the email list archive link below: http://seclists.org/oss-sec/2015/q1/283 Currently, F5 is not aware of any vulnerable web application, although PHP applications might be potentially vulnerable due to its “gethostbyname()” equivalent. UPDATE: WordPress content management system using xml-rpc ping back functionality was found to be vulnerable to the GHOST vulnerability. WordPress automatically notifies popular Update Services that you've updated your blog by sending aXML-RPCpingeach time you create or update a post. By sending a specially crafted hostname as paramter of xml-rpc ping back method the vulnerable Wordpress will return "500" HTTP response or no response at all after resulting in memory corruption. However, no exploitability was proven yet. Using ASM to Mitigate WordPress GHOST exploit As the crafted hostname should be around 1000 characters to trigger the vulnerability, limiting request size will mitigate the threat. Add the following user defined attack signature to detect and prevent potential exploitation of this specific vulnerability for WordPress systems. For version greater than 11.2.x: uricontent:"xmlrpc.php"; objonly; nocase; content:"methodcall"; nocase; re2:"/https?://(?:.*?)?[\d\.]{500}/i"; For versions below 11.2.x: uricontent:"xmlrpc.php"; objonly; nocase; content:"methodcall"; nocase; pcre:"/https?://(?:.*?)?[\d\.]{500}/i"; This signature will catch any request to the "xmlrpc.php" URL which contains IPv4 format hostname greater than 500 characters. iRule Mitigation for Exim GHOST exploit At this time, only Exim mail servers are known to be exploitable remotely if configured to verify hosts after EHLO/HELO command in an SMTP session. If you run the Exim mail server behind a BigIP, the following iRule will detect and mitigate exploitation attempts: when CLIENT_ACCEPTED { TCP::collect } when CLIENT_DATA { if { ( [string toupper [TCP::payload]] starts_with "HELO " or [string toupper [TCP::payload]] starts_with "EHLO " ) and ( [TCP::payload length] > 1000 ) } { log local0. "Detected GHOST exploitation attempt" TCP::close } TCP::release TCP::collect } This iRule will catch any HELO/EHLO command greater than 1000 bytes. Create a new iRule and attach it to your virtual server.
Data Guard exeption patterns configured via tmsh.
Hello Everyone, we have enabled Data Guard in our ASM policy and it works most of the time good ;). From time to time it happen that legit account nr. is validated as credit card nr. and so is blocked. We need than to add this pattern as exception - there is no problem to add this exception via GUI , however I'd like to ask if there is option to add this pattern via tmsh ? Thank you. YGLOBAL Live Webinar: Smart Bots and Al Assisted Attacks: Are you ready?
This event is open to all F5 users regardless of geographic location. Date:Tuesday, May 23, 2023 Time:10:00am PT | 1:00pm ET What you can do when bots look and act like humans As cybersecurity defenders, we increasingly look to automation and machine learning to detect attacks and tune our defenses. But we’re not alone. Organized crime also uses automation to develop new capabilities and find new ways to attack applications — all while flying under the radar. Join our webinar to get a closer look at the modern automated methods attackers use to bypass CAPTCHAs, multi-factor authentication (MFA), client fingerprinting, and bot detection systems. We will also explore how the recent explosion in generative AI tools could be a catalyst for automating attacks and circumventing existing application defenses. In this webinar, you’ll learn: The tools and techniques attackers use to bypass bot detection How AI/ML based tools may soon be used to even better imitate human users Recommended methods for detecting and dealing with heavily automated attacks Speaker: David Warburton, Sr. Threat Research Evangelist, F5 Labs Click here to register
Protecting against DDoS attack
Dear Community, I need help from application security experts and seasoned web developers. We are getting DDoS attacks on the following requests. This attack is targetting our SMS gateway; resulting in triggerig thousands of SMSs. Please inform which kind of protections we can introduce in application level / application code level to protect against this DDoS attack. DDoS Request Sample: POST xyz.com/api/otp/asdf HTTP/1.1 Host: xyz.com Content-Length: 32 Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90" Accept: application/json, text/plain, */* Authorization: *********** Accept-Language: ar Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Content-Type: application/json Origin: http://abc.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer:http://abc.com Accept-Encoding: gzip, deflate Connection: close {"mobileNumber":"123456789"} Warm RegardsPreventing DDoS attacks on SMS URL
Dear Community, I am facing DDoS attacks on one of our application. The attacker is sending hundred of requests to a URL, which is consuming all of our SMS quota. The attack is originating from multiple IPs. Please inform how I can protect this application API from this kind of DDoS attack from appliation code level. I need help from application security experts and web developers. https://abc.comis frontend & xyz.com is backend api Sample of DDoS reqeust: POST /asdf/service/sendmobilecode HTTP/1.1 Host:xyz.com Authorization: *********** User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Content-Type: application/json Origin:https://abc.com Referer:https://abc.com/ {"number":"91234567890"} Kind Regards
