Forum Discussion
Hello Aaron.
Have you enabled the client-side integrity defense checks in your prevention policy? These options do not perform rate limiting but only turn away non-browsers or bots.
Prevention policy methods do not engage simultaneously but in order as long as the attack continues. This could be why it is taking longer to reach the rate limiting options.
You could try removing the integrity check options and if this does not provide the consistency you are looking for please let us know the settings you are using.
- Aaron_Chandra_3 May 05, 2017 Nimbostratus
Hello Taunan,
Thanks for replying. I didn't enable the integrity defense options, and what it has is "source-ip based" and "Url-based" rate limiting. The problem is that when it started applying mitigation, it was always doing "URL-based" as the top priority, but I thought it would do "source ip based" because that's the order. Also, most of the time it did detect the attacks and capture them in the brute force attack log, and the log says prevention policy applied: "URL based mitigation", but no connection is dropped and no IPs are in the IP list either. The version I am using is 11.6. Dynamic settings are as below:
Traffic Detection Criteria: Minimum Failed login attempts: 5 per second; Failed login Attempts Increased by: 500 per second; Failed login attempt reached: 6 per second
Suspicious Criteria (per IP address): Failed Login attempts increased by: 500; Failed Login attempt rate reached: 1 per second
Prevention Policy: Source IP-based Rate Limiting: Ticked; URL-based rate limiting: Ticked
Prevention Duration: Unlimited
- nathe May 05, 2017 Cirrocumulus
Just to add, it will use the Source IP Based Rate Limiting if the attack meets the Suspicious Criteria (per IP address) thresholds, not the Detection Criteria above; this would trigger the URL-based rate limiting, as far as I understand.
So, are you seeing attacks from multiple IP addresses?
- Aaron_Chandra_3 May 07, 2017 Nimbostratus
Yes, it's from multiple IP addresses.
- nathe May 08, 2017 Cirrocumulus
So you may not see Source IP mitigations occur, for the reason I stated above. There is a large piece of secret sauce with brute force, so might I suggest opening a case with F5 as well?