Applies To:
Show VersionsBIG-IP ASM
- 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
About mitigation of brute force attacks
Brute force attacks are attempts to break in to secured areas of a web application by trying exhaustive, systematic, user name/password combinations to discover legitimate authentication credentials.
To prevent brute force attacks, the Application Security Manager tracks the number of failed attempts to reach the configured login URL. The system saves the information in two intervals:
- History interval
- Specifies the number of failed login attempts for the past hour (updated every minute).
- Detection interval
- Specifies the number of failed login attempts for the past minute (updated every second).
You can configure both session-based and dynamic brute force protection.
- Session-based mitigation
- Counts the number of failed login attempts that occur during one session, based on a session cookie. When the number of login attempts during a session exceeds the number specified, the system triggers the Brute Force: Maximum login attempts are exceeded violation, and applies the blocking policy. If the violation is set to block and too many login attempts are made, the client is blocked for a number of seconds.
- Dynamic mitigation
- Detects and mitigates brute force attacks based on statistical analysis of the traffic. You configure dynamic mitigation to determine when the system should consider the login URL to be under attack, and how to react to an attack. The system mitigates attacks when the volume of unsuccessful login attempts is significantly greater than the typical number of failed logins. You activate this method by setting the operation mode to either alarm or alarm and block.
Overview: Mitigating brute force attacks
You can configure the Application Security Manager to protect against brute force attacks. The system detects brute force attacks based on failed login rates. Therefore, you need to create login pages for the web applications you want to protect.