Forum Discussion

Piotr_Bratkowsk
Aug 09, 2013

ASM & Hydra verification request

Hi,

We have a PoC at one of our clients and I was preparing a lab with PHPAuction, ASM and Hydra. The lab was aimed to show that an automated (with Hydra) brute force attack on the login page (user_login.php) can be stopped with ASM.

But it turned out it is not working. When I manually try to brute force (with a log setting so it's feasible), it works like a charm. But as I see in my log, Hydra is using a new session identifier with every request, so Session-based Brute Force Protection is not catching it. I was able to perform 3500 guesses in 10 seconds.

Isn't that a subject for a feature request, to allow building brute force protection based on source IP?

Could someone verify that it's not a configuration fault?

Regards,

Piotr Bratkowski

1 Reply

  • Have you tried the session based anomaly detection? If you generated 3500 new sessions in 10 seconds, you should be able to configure the ASM to detect an abnormal number of new sessions in a given time period and block based on those settings. Here's a link to an article I wrote on session and transaction based anomaly detection/mitigation: https://devcentral.f5.com/articles/these-are-not-the-scrapes-youre-looking-for-session-anomalies.UjxueLEo7IU

    Essentially what happens is that the ASM detects the number of sessions opened per second and, if too many sessions are opened, it starts blocking requests.

    I hope this helps! John
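As an added illustration of the point made in the question and the reply (this is example code written for this page, not F5's code and not how ASM implements either feature), the following Python model compares the two counting strategies: a per-session failed-login counter, which a tool that opens a fresh session on every request never trips, and a per-source sliding-window count of newly opened sessions, which flags the same traffic within a fraction of a second. The log data, the class and function names, the window length and the thresholds are all constructed for the example; the 3500-attempts-in-10-seconds rate comes from the post.

```python
"""Constructed model: why per-session brute-force counting misses a client that
opens a new session per request, and how counting new sessions per source IP
over a time window catches it. Simplified illustration, not F5 ASM's logic."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    """One POST to the login page, as a detector would see it in the access log."""
    ts: float          # seconds since start of the capture
    src_ip: str        # client source address
    session_id: str    # session cookie value presented with the request
    ok: bool           # True if the login succeeded


def per_session_failures(attempts, threshold):
    """Model of session-based brute force protection: a session is blocked once it
    has accumulated `threshold` failed logins. Returns the set of blocked sessions."""
    failures = defaultdict(int)
    blocked = set()
    for a in attempts:
        if a.ok:
            continue
        failures[a.session_id] += 1
        if failures[a.session_id] >= threshold:
            blocked.add(a.session_id)
    return blocked


def new_sessions_per_source(attempts, window_s, max_new_sessions):
    """Model of session-opening anomaly detection: count first-seen session IDs
    per source IP inside a sliding window of `window_s` seconds and flag the
    source once the count exceeds `max_new_sessions`.
    Returns {src_ip: timestamp at which it was first flagged}."""
    seen_sessions = set()
    windows = defaultdict(deque)   # src_ip -> timestamps of new sessions in window
    flagged = {}
    for a in sorted(attempts, key=lambda x: x.ts):
        if a.session_id in seen_sessions:
            continue                # not a new session, nothing to count
        seen_sessions.add(a.session_id)
        q = windows[a.src_ip]
        q.append(a.ts)
        while q and a.ts - q[0] > window_s:
            q.popleft()             # drop events that fell out of the window
        if len(q) > max_new_sessions and a.src_ip not in flagged:
            flagged[a.src_ip] = a.ts
    return flagged


def constructed_attempts():
    """Constructed traffic: one legitimate user who mistypes twice in a single
    session, plus an automated client sending 3500 guesses in 10 seconds with a
    new session identifier on every request (the behaviour described in the post)."""
    attempts = [
        LoginAttempt(0.0, "10.0.0.5", "s-legit", False),
        LoginAttempt(4.0, "10.0.0.5", "s-legit", False),
        LoginAttempt(9.0, "10.0.0.5", "s-legit", True),
    ]
    n = 3500
    for i in range(n):
        attempts.append(LoginAttempt(i * 10.0 / n, "203.0.113.7", f"s-auto-{i:05d}", False))
    return attempts


if __name__ == "__main__":
    data = constructed_attempts()
    # Per-session counting: every automated session has exactly one failure,
    # so nothing reaches the threshold and nothing is blocked.
    print("sessions blocked by per-session counter:", per_session_failures(data, 5))
    # Per-source counting of new sessions: the automated source exceeds 50 new
    # sessions in one second almost immediately; the legitimate user never does.
    print("sources flagged by new-session rate:", new_sessions_per_source(data, 1.0, 50))
```

The thresholds (5 failures per session, 50 new sessions per second per source) are placeholders chosen to make the contrast visible; in a real deployment they would be tuned against observed baseline traffic, and a source behind a large NAT would need a higher per-source limit than a single workstation.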