HTTP Brute Force Mitigation Playbook: Slow Brute Force Protection Using Behavioural DOS - Chapter 6

Brute Force attack is where attacker tries to find the password of users quickly, there are times when attacker is not in hurry and do make his attack go under the radar, using very slow brute force attack. It can not be detected by detection criteria of Brute force protection feature of Advanced WAF/ASM reason being if you try to tweak the setting to catch slow brute force attack then its very hard for ASM/Advance WAF to distinguish between attack and legitimate user login atttempt. We may use other protection available in ASM/Advance WAF to protect from Slow brute force attack.

In this chapter to protect from Slow brute force attack we will use TLS signature generated by behavioural DOS.

But first: Benefits, Limitation and Requirement.

Benefits

• Benefit of using TLS fingerprint: Good and bad Clients can be differentiated based on SSL handshake.
• Once the Advance WAF/ASM is 100% confident user does not have to do anything to find out unusual/attack traffic pattern.
• This can be also used to protect mobile application as it does not use Javascript.

Limitations

• To get TLS fingerprinting signature using BADOS legitimate traffic should be learned by Advanced WAF/ASM
• On ASM, Behavioural DOS can be configured on max 2 virtual servers, where as on Advanced WAF, Although there is no license limitation of attaching DOS profile with BADOS enable to Virtual server but it is not recommended to configure more then 70 BADOS enabled Virtual server per box.

Requirements

• ASM/Advanced WAF license.
• Appropriate rights to access/make changes from GUI and command line.
• Some of the reporting is available only if AFM is provisioned in addition to the above mentioned modules. (If AFM is not provisioned you can still find the information using CLI)

Proactiveness

As a general rule, instead of waiting for attack and then take necessary action, We should always be proactive in defending attack.

Preparation for mitigating slow Brute force attack.

Slow brute force is very hard to detect, So most important thing to protect application from slow brute force attack is Advanced WAF/ASM should know the normal traffic.

For that we can use Behavioral & Stress-based (D)DoS Detection option under DoS Protection profile of Advance WAF/ASM.

For Configuring DoS Protection profile, to protect against slow brute force attack using TLS fingerprinting follow the below mentioned steps.

Important: For BIG-IP ASM/Advance WAF 14.1.0, you can access the TLS fingerprinting signatures configuration section only when you had previously selected Use Legacy Application Dos view in the HTTP Properties configuration pop-up.

1. Go to Security  ›› DOS Protection ›› Protection Profiles ››  click create.
2. Enter the profile name as per your requirement, select the family as HTTP and press Commit Changes to System
3. Click on newly shown HTTP and then click configure settings for HTTP Family settings.
4. Next click on Use Legacy Application DOS View
5. Go to Behavioral and stress-based detection under Application security.
6. Change operation mode to blocking and Threshold mode to automatic.
7. Under Behavioral Detection and Mitigation enable Request signature detection along with TLS fingerprinting signatures and Use approved signatures only (In case you don’t want to use unapproved signature).
8. Leave all the settings unchanged and click save and finished. (Make Sure Bad actors behavior detection is unchecked as we want to use TLS signature)
9. Select Mitigation to Standard or as per requirement from available options and then Click save
10. Next apply the newly created dos profile to the appropriate https virtual server.
11. Go to Local Traffic > Virtual Servers.
12. Select the name of the HTTPS virtual server.
13. Go to Security tab and select Policies.
14. For DoS Protection Profile, select Enabled.
15. For Profile, select the DoS profile created in above steps.
16. Select the Update button.
17. Let the normal traffic pass through the VS. This will allow ASM to learn the traffic.

How do we know ASM is ready and is 100% confident about the normal traffic?

1. Login to cli of BIGIP
2. Run command “admd -s vs./Common/<VSname>+/Common/<DOSprofilename.info.learning>”

For example admd -s vs./Common/BF-PHP+/Common/ASM-TLS-Fingerprinting.info.learning

1. You will see output as similar to the one mentioned below.

  vs./Common/BF-Test+/Common/Brute-Force-test.info.learning:[0, 0, 0, 0]

1. Once the traffic starts passing through vs these values will increase. Each value has its own meaning as described below.

A. baseline_learning_confidence:

• Description: in % how confident the system is in the baseline learning.
• Desired Value: > 90%

B. learned_bins_count:

• Description: number of learned bins
• Desired Value: > 0

C. good_table_size:

• Description: number of learned requests
• Desired Value: > 2000

D. good_table_confidence:

• Description: how confident, as %, the system is in the good table
• Desired Value: Must be 100 for signatures

You may run the command again if the Behavioral DoS is still learning Still learning

admd -s vs./Common/BF-PHP+/Common/ASM-TLS-Fingerprinting.info.learning

Behavioural DOS feature is based on learning analysing all traffic to the web application, building baselines, and then identifying anomalies when server stress is detected. So its important to know when server is stress and how to check the server street level.

To find out the stress level Go to Security  ››  DoS Protection ››  Protected Objects (This option is only available if you have AFM Provisioned)

Find out the VS for which you would like to check the status and Click the arrow below Attack status. Once you click you will detailed informed is displayed on the screen, which includes Server Stress

To check the Server stress using CLI you may run below mentioned command.

admd -s vs./Common/<VSname>+/Common/<DOSprofilename.sig.health>

Server Stress value Range:

• If there is no traffic server value is 0.5
• If server functions properly value is between (0,1)
• Value higher then 1 is considered as load and mitigation may be applied

for example

admd -s vs./Common/BF-PHP+/Common/ASM-TLS-Fingerprinting.sig.health

Once the output of below command shows appropriate values (as mentioned above) which tells ASM is confident, ASM is ready to differentiate between normal and attack traffic.

Below output shows ASM is 100% confident

admd -s vs./Common/BF-PHP+/Common/ASM-TLS-Fingerprinting.info.learning

Slow brute Force attack has been reported

To check the status of attack and Server stress level. Go to Security  ››  DoS Protection ›› Protected Objects  (This option is only available if you have AFM Provisioned)

Find out the VS for which you would like to check the status and Click the arrow below Attack status.

Once you click you will see detailed informed is displayed on the screen.

For example as show below Server Stress is 100 now.

If AFM is not provisioned you may run below mentioned command to check if the server is under stress.

admd -s vs./Common/<VSname>+/Common/<DOSprofilename.sig.health>

Server Stress value Range:

• If there is no traffic server value is 0.5
• If server functions properly value is between (0,1)
• Value higher then 1 is considered as load and mitigation may be applied

For example

admd -s vs./Common/BF-PHP+/Common/ASM-TLS-Fingerprinting.sig.health

You may continue to monitor the output using command line or GUI to find out if attack has started.

To check if attack has started you may check using command line. If the value is 0,0 then there is no attack if the value is 1 VS is under attack

admd -s vs./Common/<VSname>+/Common/<DOSprofilename.info>

for example:

admd -s vs./Common/BF-PHP+/Common/ASM-TLS-Fingerprinting.info

Using the GUI Go to Security  ››  DoS Protection : Protected Objects

Note: (To get this view AFM should be provisioned )

If you continue to monitor you may notice that BADOs has started generating signature. But accuracy in start will not be 100% and it may take some time to become 100% accurate.

Using CLI

admd -s vs./Common/BF-PHP+/Common/ASM-TLS-Fingerprinting.info

Using GUI Security  ››  DoS Protection ›› Protected Objects (This option is only available if you have AFM Provisioned)

If the Dynamic Signature status is unready the signature is not ready and does not have 100% accuracy.

Note: (To get this view AFM should be provisioned, If AFM is not provisioned you may continue monitor using CLI )

Once signature is ready Dynamic signature status will change as shown below.

Note: (To get this view AFM should be provisioned, If AFM is not provisioned you may continue monitor using CLI )

Once the signature’s accuracy is 100%, It will be available under Security  ››  DoS Protection : Signatures >> Dynamic. As shown below.

You may notice in above screenshot that Accuracy of signature is 100% where as approval status is Unapproved, If you want to use only approved signature (which we have used in this case) you need to click the check box infront of the signature, as soon as you will enable check box a window on right side will pop up and you may enable check box in-front of Approved and then press update to manually approve the signature.

Note: User approved signatures only under Behavioral & Stress-based (D)DoS Detection in the DOS profile should be enable.

Once you approve the signature, Signature approval state will change to manually approved as shown below

You may also check DOS logs by checking Security  ››  Event Logs ›› DoS ›› Application Events

Another Graphical view option for DOS can be checked by going to Security  ››  Reporting : DoS : Dashboard

If you want to check a specific attack ID then please on right side under Attack IDs find the attack ID and click on it. As soon as you will click on it page will show the data related to specific attack ID as shown below.

 

 

As shown above during attack, TLS signature generate by Behavioural DOS is mitigating the attack and normal requests are still passing through using Behavioural attack signature.

Note: 

By default, when the system identifies signature pattern anomalies, it silently drops the connection. You can change the mitigation mode and force the system to send a reset (RST) when the traffic matches a signature pattern. To change the mitigation mode from drop to reset, perform the following steps:

1. Log in to tmsh by typing the following command:

tmsh

2. To change the mitigation mode to reset, type the following command:

modify sys db adm.mitigation.accelerated.signatures.drop.mode value reset

Note: If you want to generate HTTP signature using BADOS instead of TLS signature in DOS protection profile you can select accelerated signature and rest of the steps will remain same.