Manual Chapter : Common elements for anomaly detection

Applies To:

BIG-IP ASM

  • 14.0.0

  1. On the Main tab, click Security > Application Security > Anomaly Detection > Web Scraping.
    The Web Scraping screen opens.
  2. If you want the system to monitor behavior by browser (and collect its attributes) rather than by session, select the Fingerprinting Usage check box.
    The screen enables fingerprinting and displays the Suspicious Clients setting, which works together with the fingerprinting feature.
  3. If you plan to use fingerprinting to monitor behavior by browser (and collect its attributes) rather than by session, select the Fingerprinting Usage check box.
    The screen displays additional settings; a separate task explains how to use fingerprinting to detect web scraping.
  4. For the IP Address Whitelist setting, click the arrow to go to a screen where you can add the IP addresses and subnets from which traffic is known to be safe.
    The system adds any whitelist IP addresses to the centralized IP address exceptions list. The exceptions list is common to both brute force prevention and web scraping detection configurations.
  5. For the Prevention Policy setting, select one or more options to determine how you want the system to handle a brute force attack.
    If you enable more than one option, the system uses the options in the order in which they are listed.
    • Source IP-Based Client-Side Integrity Defense: Determines whether a client is a legal browser or an illegal script by injecting JavaScript into responses when suspicious IP addresses are requested. Legal browsers can process JavaScript and respond properly, whereas illegal scripts cannot. The default is disabled.
    • URL-Based Client-Side Integrity Defense: Determines whether a client is a legal browser or an illegal script by injecting JavaScript into responses when suspicious URLs are requested. Legal browsers can process JavaScript and respond properly, whereas illegal scripts cannot. The default is disabled.
    • Source IP-Based Rate Limiting: Drops requests from suspicious IP addresses. The system limits the rate of requests to the average rate prior to the attack, or lower than the absolute threshold specified by the IP detection TPS reached setting. The default is enabled.
    • URL-Based Rate Limiting: Indicates that when the system detects a URL under attack, Application Security Manager drops connections to limit the rate of requests to the URL to the average rate prior to the attack. The default is enabled.
  6. If you want to protect client identification data (when using Bot Detection or Session Opening detection), specify the persistence settings.
    1. Select the Persistent Client Identification check box.
    2. For Persistent Data Validity Period, type how long you want the client data to persist in minutes. The default value is 120 minutes.
    This setting enforces persistent storage on the client and prevents easy removal of client data. Be sure that this behavior is compatible with the application privacy policy.
    The system maintains client data and prevents removal of this data from persistent storage for the validity period specified.
  7. For Prevention Duration, type a number that indicates how long the system prevents an anomaly attack by logging or blocking requests. The default is 1800 seconds.
    If the attack ends before this number of seconds, the system also stops attack prevention.
  8. To ensure that web scraping violations are learned, in the Policy Building Settings area, expand Bot Detection and select Web scraping detected, if it is not already selected.