ASM- Brute Force Mitigation Dynamic

Question

Hi,&nbsp;
I have a situation here, the dynamic brute force mitigation we set (after a lot of trial and error) detects the login failures however the prevention policy it is applying is not constant. lets say the attack continously happening for 4 hours, i can see from the Brute force logs, entry been created every minute with "average historical failed login=12" and "Detected failed logins=12", "Mitigation= URL based" but actually i dont see any ip's or rejected connections.. but after an hour or sometime for the same values it applied URL-Based mitigation, dropped the ip's for sometime to bring back the URL to normal usage. is there any way i can fix this prevention policy to be constant instead of on/off.. any fixed numbers i can try? any suggestion?&nbsp;

taunan_89710 · Answer

Hello Aaron.&nbsp;
Have you enabled the clientside integrity defense checks in your prevention policy?  These options do not perform rate limiting but only turns away non-browsers or bots.&nbsp;
Prevention policy methods do not engage simultaneously but in order as long as the attack continues.  This could be why it is taking longer to reach the rate limiting options.&nbsp;
You could try removing the integrity check options and if this does not provide the consistency you are looking for please let us know the settings you are using.&nbsp;

aaron_chandra_3 · Answer

Hello Taunan, &nbsp;
Thanks for replyin.. I didnt enable the integrity defense options and what it have is "source-ip based" and "Url-based" rate limiting... the problem is when it started applying mitigation, it always doin "URL-based" as the top priority, but i thought it will do "source ip based" bcz thats the order.. also most of the time it did detects the attacks and capture in the bruteforce attack log &amp; the log says prevention policy applied:--&gt; "URL based mitigation" but no connection is dropped out /no ip's is in the ip list as well. The version am using is 11.6.  dynamic Settings as below&nbsp;
Traffic Detection Criteria
Minimum Failed login attempts5Per second
Failed login Attempts Increased by500Per second
Failed login attempt reached6Per second&nbsp;
suspicious Criteria (Per ip address)
Failed Login attempts increased by500
Failed Login attempt rate reached1Per second&nbsp;
Prevention Policy
Source Ip-based Rate LimitingTicked
URL-based rate limitingTicked&nbsp;
Prevention Duration   Unlimited&nbsp;

nathe · Answer

Just to add, it will use the Source IP Based Rate Limiting if the attack meets the Suspicious Criteria (per IP address) thresholds, not the Detection Criteria above, this would trigger the URL based rate limiting...as far as i understand.&nbsp;
So, are you seeing attacks from multiple IP addresses?&nbsp;

aaron_chandra_3 · Answer

yes, its from multiple ip addresses.. &nbsp;

nathe · Answer

so you may not see Source IP mitigations occur, for the reason i stated above. there is a large piece of secret sauce with brute force so might i suggest opening a case with f5 as well?&nbsp;

Forum Discussion

ASM- Brute Force Mitigation Dynamic

5 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Get associated pool name from VIP IP using F5-LTM

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

About custome Response Blocking Page

About IPI check ip list

Related Content

HTTP Brute Force Mitigation Playbook: Bot Profile for Brute Force Mitigations - Chapter 5

HTTP Brute Force Mitigation Playbook: BIG-IP LTM Mitigation Options for HTTP Brute Force Attacks - Chapter 3

HTTP Brute Force Mitigation Playbook: Overview - Chapter 1

HTTP Brute Force Mitigation Playbook: Appendix

HTTP Brute Force Mitigation Playbook: Slow Brute Force Protection Using Behavioural DOS - Chapter 6