Manual Chapter : Mitigating Brute Force Attacks

Applies To:

BIG-IP ASM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

About mitigation of brute force attacks

Brute force attacks are attempts to break into secured areas of a web application by trying exhaustive, systematic user name/password combinations to discover legitimate authentication credentials.

To prevent brute force attacks, the Application Security Manager tracks the number of failed attempts to reach the configured login URL. The system saves the information in two intervals:

History interval
Specifies the number of failed login attempts for the past hour (updated every minute).
Detection interval
Specifies the number of failed login attempts for the past minute (updated every second).

You can configure both session-based and dynamic brute force protection.

Session-based mitigation
Counts the number of failed login attempts that occur during one session, based on a session cookie. When the number of login attempts during a session exceeds the number specified, the system triggers the Brute Force: Maximum login attempts are exceeded violation, and applies the blocking policy. If the violation is set to block and too many login attempts are made, the client is blocked for a number of seconds.
Dynamic mitigation
Detects and mitigates brute force attacks based on statistical analysis of the traffic. You configure dynamic mitigation to determine when the system should consider the login URL to be under attack, and how to react to an attack. The system mitigates attacks when the volume of unsuccessful login attempts is significantly greater than the typical number of failed logins. You activate this method by setting the operation mode to either alarm or alarm and block.
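The session-based mitigation described above, modelled in Python as an added example (this is not F5 code and not how ASM is implemented internally). It assumes the session cookie value is the counting key, uses the chapter's defaults (5 attempts, 600 second re-enable period, violation set to block), and assumes the failed-attempt count starts over once a block is lifted; the blocking flag models whether the violation is set to block or only to alarm.

```python
# Added example, not F5 code: a model of ASM session-based brute force
# mitigation as the chapter describes it. Failed logins are counted per
# session cookie; the attempt that exceeds the configured maximum raises the
# violation and, in blocking mode, the session is refused until the re-enable
# period has elapsed.

VIOLATION = "Brute Force: Maximum login attempts are exceeded"


class SessionBruteForceGuard:
    def __init__(self, max_attempts=5, reenable_after=600, blocking=True):
        # Defaults from the chapter: Login Attempts From The Same Client = 5,
        # Re-enable Login After = 600 seconds, violation set to block.
        self.max_attempts = max_attempts
        self.reenable_after = reenable_after
        self.blocking = blocking
        self._failed = {}         # session cookie -> failed attempts so far
        self._blocked_until = {}  # session cookie -> time the block expires
        self.log = []             # (time, session, violation) records

    def handle(self, session, now, credentials_ok):
        """Process one login request for `session` at time `now` (seconds).

        Returns 'success', 'failed' or 'blocked'. Violations are appended to
        self.log whether or not the request is blocked.
        """
        until = self._blocked_until.get(session)
        if until is not None:
            if now < until:
                return "blocked"          # still inside the re-enable period
            # Block expired: re-enable login. Assumption: the failed-attempt
            # count starts over once the block is lifted.
            del self._blocked_until[session]
            self._failed.pop(session, None)

        if self._failed.get(session, 0) >= self.max_attempts:
            # This request exceeds the configured number of attempts.
            self.log.append((now, session, VIOLATION))
            if self.blocking:
                self._blocked_until[session] = now + self.reenable_after
                return "blocked"
            # Alarm only: the violation is logged and the request proceeds.

        if credentials_ok:
            self._failed.pop(session, None)   # a good login clears the count
            return "success"
        self._failed[session] = self._failed.get(session, 0) + 1
        return "failed"


if __name__ == "__main__":
    # Constructed sequence: five bad passwords, then the sixth request is
    # refused even though the password is right, until 600 seconds pass.
    guard = SessionBruteForceGuard()
    for t in range(5):
        print(t, guard.handle("cookie-A", t, credentials_ok=False))
    print(5, guard.handle("cookie-A", 5, credentials_ok=True))
    print(605, guard.handle("cookie-A", 605, credentials_ok=True))
    print(guard.log)
```

Note that the sixth request is blocked before the credentials are evaluated, which is what makes the protection useful against a guesser who eventually lands on the right password within the same session.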

Overview: Mitigating brute force attacks

You can configure the Application Security Manager to protect against brute force attacks. The system detects brute force attacks based on failed login rates. Therefore, you need to create login pages for the web applications you want to protect.

Task Summary

Creating login pages

In your security policy, you can create a login page to specify a login URL that presents a site that users must pass through to gain access to the web application. The login URL commonly leads to the login page of the web application.
  1. On the Main tab, click Security > Application Security > Sessions and Logins. The Login Pages List screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. Click Create. The New Login Page screen opens.
  4. For the Login URL setting, specify a URL that users must pass through to get to the application.
    1. From the list, select the type of URL: Explicit or Wildcard.
    2. Select either HTTP or HTTPS based on the type of traffic the web application accepts.
    3. Type an explicit URL or wildcard expression in the field. When you click in the field, the system lists URLs that it has seen, and you can select a URL from the list. Or, you can type explicit URLs in the format /login, and wildcard URLs without the slash, such as *.php.
  5. From the Authentication Type list, select the method the web server uses to authenticate the login URL's credentials with a web user.
    None
      The web server does not authenticate users trying to access the web application through the login URL. This is the default setting.
    HTML Form
      The web application uses a form to collect and authenticate user credentials. If using this option, you also need to type the user name and password parameters written in the code of the HTML form.
    HTTP Basic Authentication
      The user name and password are transmitted in Base64 and stored on the server in plain text.
    HTTP Digest Authentication
      The web server performs the authentication; user names and passwords are not transmitted over the network, nor are they stored in plain text.
    NTLM
      Microsoft LAN Manager authentication (also called Integrated Windows Authentication) does not transmit credentials in plain text, but requires a continuous TCP connection between the server and client.
  6. In the Access Validation area, define at least one validation criterion for the login page response. If you define more than one criterion, the response must meet all of them before the system allows the user to access the application login URL.
    Note: The system checks the access validation criteria on the response of the login URL only if the response has one of the following content-types: text/html, text/xml, application/sgml, application/xml, application/html, application/xhtml, application/x-asp, and application/x-aspx.
  7. Click Create to add the login page to the security policy. The new login page is added to the login pages list.
  8. Add as many login pages as needed for your web application.
  9. In the editing context area, click Apply Policy to put the changes into effect.
The security policy now has one or more login pages associated with it.
You can now configure how the login pages are enforced, including the authentication URLs, logout URLs, and whether or not the login pages have time limits.

Configuring brute force protection

You can add brute force protection to a security policy to prevent hackers from gaining access to a web application by performing multiple login attempts.
  1. On the Main tab, click Security > Application Security > Anomaly Detection > Brute Force Attack Prevention. The Brute Force Attack Prevention screen opens where you can specify the login URLs that you want to protect against brute force attacks.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. Click the Create button. The New Brute Force Protection Configuration screen opens.
  4. For the Login Page setting, select a previously created login page from the list (or create a new one). The login page specifies the URL that you want to protect against brute force attacks. If you need to create a login page in the security policy, click the Create button.
  5. For the IP Address Whitelist setting, add the IP addresses and subnets from which traffic is known to be safe.
    Important: The system adds any whitelist IP addresses to the centralized IP address exceptions list. The exceptions list is common to both brute force prevention and web scraping detection configurations.
  6. In the Session-based Brute Force Protection area, for the Login Attempts From The Same Client setting, type the number of times a user can attempt to log in before the system blocks the request. The default value is 5.
    Note: If you want the system to block brute force attacks, the Maximum login attempts are exceeded violation must be set to block. It is set to block by default. The enforcement mode must also be set to blocking.
  7. For Re-enable Login After, type the number of seconds the user must wait to attempt to log in after they have been blocked. The default value is 600 seconds.
  8. Above the Session-based Brute Force Protection area, click the Blocking Settings link to verify that the Maximum login attempts are exceeded violation is set to block, and the enforcement mode is set to blocking.
  9. In the Dynamic Brute Force Protection area, for Operation Mode, select how the system handles dynamic brute force attacks.
    Off
      The system does not check for brute force attacks.
    Alarm
      The system logs brute force attack data.
    Alarm and Block
      In addition to logging the attack data, the system drops requests from the offending IP address, or requests to attacked URLs, depending on your configuration.
  10. For the Detection Criteria setting, specify when to consider login attempts to be an attack.
    Minimum Failed Login Attempts
      Indicates an attack if, for all IP addresses tracked, the number of login attempts is equal to, or greater than, this number. This setting prevents false positive attack detection. The default value is 20 login attempts per second.
    Failed Login Attempts increased by
      Indicates an attack if, for all IP addresses tracked, the ratio between the detection interval and the history interval is greater than this number. The default value is 500 %.
    Failed Login Attempts Rate reached
      The system considers unsuccessful login attempts to be an attack if, for all IP addresses tracked, the login attempt rate reaches this number. The default value is 100 login attempts per second.
    An attack occurs if one of the first two conditions is met, or if the Failed Login Attempts Rate reached number is met.
  11. For Suspicious Criteria (per IP address), specify how to identify a potential attacker’s IP address. If at least one of the criteria is met, the system treats the IP address as an attacker, and prevents the attacker from trying to guess the password. The system also limits the number of login attempts to the normal level.
    1. Type a number for the Failed Login Attempts increased by criterion. An individual IP address is suspicious if the number of login attempts has increased by this percentage over the normal number of failed logins. The default setting is 500 percent.
    2. Type a number for the Failed Login Attempts Rate reached criterion. An individual IP address is suspicious if the number of login attempts per second from that IP address is equal to or greater than this number. The default setting is 20 login attempts per second.
    If either of these numbers is reached, the system limits the number of login attempts from that IP address to the rate recorded for the history interval.
  12. For the Prevention Policy setting, select one or more options to determine how you want the system to handle a brute force attack.
    Note: If you enable more than one option, the system uses the options in the order in which they are listed.
    Source IP-Based Client-Side Integrity Defense
      Determines whether a client is a legal browser or an illegal script by injecting JavaScript into responses when suspicious IP addresses are requested. Legal browsers can process JavaScript and respond properly, whereas illegal scripts cannot. The default is disabled.
    URL-Based Client-Side Integrity Defense
      Determines whether a client is a legal browser or an illegal script by injecting JavaScript into responses when suspicious URLs are requested. Legal browsers can process JavaScript and respond properly, whereas illegal scripts cannot. The default is disabled.
    Source IP-Based Rate Limiting
      Drops requests from suspicious IP addresses. The system limits the rate of requests to the average rate prior to the attack, or lower than the absolute threshold specified by the IP detection TPS reached setting. The default is enabled.
    URL-Based Rate Limiting
      Indicates that when the system detects a URL under attack, Application Security Manager drops connections to limit the rate of requests to the URL to the average rate prior to the attack. The default is enabled.
  13. For Prevention Duration, specify how long the system should mitigate brute force attacks.
    • To perform attack prevention until the end of the attack, select Unlimited.
    • To limit attack prevention to the amount of time configured here (even if the attack continues) or until the system detects the end of the attack, select Maximum and type the number of seconds to perform attack prevention.
  14. To add brute force protection to the security policy, click Create. The screen refreshes, and you see the protected login URL in the list.
  15. To put the security policy changes into effect immediately, click Apply Policy.
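The dynamic detection logic from steps 10 and 11 (detection interval, history interval, global detection criteria, per-IP suspicious criteria and the IP address whitelist from step 5), worked through as an added Python example. This is not F5 code and does not claim to reproduce ASM's internal statistics; it assumes that the two intervals are simple per-second averages over the past minute and the past hour, that failed logins arrive as (timestamp, source IP) pairs, that an IP with no history at all is treated as an unbounded increase, and that the three detection criteria combine exactly as the chapter states them. The sample failed-login data is constructed.

```python
# Added example, not F5 code: ASM-style dynamic brute force detection over a
# list of failed login events. Threshold defaults are the ones quoted in the
# chapter; the window lengths follow the interval definitions (detection =
# past minute, history = past hour).
from collections import defaultdict

DETECTION_WINDOW = 60         # seconds: detection interval
HISTORY_WINDOW = 3600         # seconds: history interval
MIN_FAILED_PER_SEC = 20       # Minimum Failed Login Attempts
INCREASE_PERCENT = 500        # Failed Login Attempts increased by
RATE_REACHED_PER_SEC = 100    # Failed Login Attempts Rate reached
IP_INCREASE_PERCENT = 500     # Suspicious criteria (per IP): increased by
IP_RATE_PER_SEC = 20          # Suspicious criteria (per IP): rate reached


def window_rates(timestamps, now):
    """Failed logins per second over the detection and history intervals.
    Assumption: both are plain averages over their window ending at `now`."""
    det = sum(1 for t in timestamps if now - DETECTION_WINDOW < t <= now)
    hist = sum(1 for t in timestamps if now - HISTORY_WINDOW < t <= now)
    return det / DETECTION_WINDOW, hist / HISTORY_WINDOW


def increase_percent(det_rate, hist_rate):
    """Detection-interval rate as a percentage of the history-interval rate.
    Assumption: with an empty history, any failures count as an unbounded rise."""
    if hist_rate == 0:
        return float("inf") if det_rate > 0 else 0.0
    return det_rate / hist_rate * 100


def evaluate(failed_logins, now, whitelist=frozenset()):
    """failed_logins: iterable of (timestamp_seconds, source_ip) pairs.

    Returns the global attack decision and, per suspicious IP, the rate it
    would be limited to (its history-interval rate, the 'normal level')."""
    events = [(t, ip) for t, ip in failed_logins if ip not in whitelist]

    # Detection criteria: all IP addresses together, combined as the chapter
    # states (either of the first two, or the absolute rate).
    det_rate, hist_rate = window_rates([t for t, _ in events], now)
    attack = (
        det_rate >= MIN_FAILED_PER_SEC
        or increase_percent(det_rate, hist_rate) > INCREASE_PERCENT
        or det_rate >= RATE_REACHED_PER_SEC
    )

    # Suspicious criteria: evaluated for each IP address on its own.
    per_ip = defaultdict(list)
    for t, ip in events:
        per_ip[ip].append(t)
    suspicious = {}
    for ip, times in per_ip.items():
        ip_det, ip_hist = window_rates(times, now)
        if (increase_percent(ip_det, ip_hist) > IP_INCREASE_PERCENT
                or ip_det >= IP_RATE_PER_SEC):
            suspicious[ip] = ip_hist
    return {"attack": attack, "detection_rate": det_rate,
            "history_rate": hist_rate, "suspicious": suspicious}


def sample_events():
    """Constructed sample: a quiet hour of sporadic failures from five
    addresses, then 1500 failures in the last minute from one address, plus
    a burst from a whitelisted vulnerability scanner that must be ignored."""
    events = [(i * 100 + 20, f"198.51.100.{i % 5 + 1}") for i in range(36)]
    events += [(3545 + k * 0.03, "203.0.113.7") for k in range(1500)]
    events += [(3550 + k * 0.1, "192.0.2.10") for k in range(300)]
    return events


if __name__ == "__main__":
    quiet = evaluate(sample_events(), now=3500, whitelist={"192.0.2.10"})
    print("before the burst: attack =", quiet["attack"])
    result = evaluate(sample_events(), now=3600, whitelist={"192.0.2.10"})
    print("attack:", result["attack"],
          "failures/s:", round(result["detection_rate"], 2))
    for ip, limit in result["suspicious"].items():
        print(f"suspicious {ip}: limit to {limit:.4f} failures/s")
```

Running `evaluate` without the whitelist flags the scanner address as well, which is the practical reason step 5 exists: known-safe sources that legitimately generate failed logins would otherwise be rate limited along with the real attacker.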

Viewing brute force attack reports

Before you can look at the brute force attack statistics, you need to have configured session-based or dynamic brute force protection.
You can display charts that show information about brute force attacks. The charts provide visibility into what applications are being attacked, the login URL, and start and end times of an attack.
  1. On the Main tab, click Security > Reporting > Application > Brute Force Attacks. The Brute Force Attacks reporting screen opens.
  2. From the Time Period list, select the time period for which you want to view information about brute force attacks.
  3. To focus in on the specific details you want more information about, point to the chart or click it. The system displays information about the item.
  4. If you want to export the report to a file or send it by email, click Export and select the options. To send reports by email, you need to specify an SMTP configuration (System > Configuration > Device > SMTP).
You can continue to review the details about brute force attacks on the report screen. As a result, you become more familiar with what caused the attacks and what applications are most vulnerable, and you see the mitigation methods that are in place.

Displaying brute force event logs

You can display event logs to see whether brute force attacks have occurred, and view information about the attacks.
  1. On the Main tab, click Security > Event Logs > Application > Brute Force Attacks. The Brute Force Attacks event log opens.
  2. If the log is long, use the Security Policy and/or Time Period settings to filter the list and show more specific entries.
  3. Review the list of brute force attacks to see which security policy detected the attack, which login URLs were attacked, and the start and end times of the attack.