Forum Discussion

dragonflymr
Jul 05, 2018

ASM 13.1.0.x Brute Force - how to configure?

Hi,

I am not sure when this protection changed, but it is for sure quite different in version 13.1.0.8. There are plenty of new settings there; the problem is I can't figure out how to set it up for the best protection.

When only Username is set, the only protection is CAPTCHA - you can attempt to guess the password as many times as you wish (if you solve the CAPTCHA). The explanation is to protect the user from being locked out when his account is under attack - so far so good.

There is one issue here - the Support ID. It's shown each time the CAPTCHA is displayed, but there is no matching entry in the Event Log (all requests and responses logged). Even when requests are reported as Illegal (but of course not blocked), the Support ID in such a request does not match the one displayed to the user - so what is the purpose of displaying the Support ID below the CAPTCHA?

If no other setting is configured (Device ID, IP), then the attacker can repeat the attack forever - or until security notices it and blocks the given user name.

The only way to actually block a login attempt is to configure either the Device ID or the IP Address failed logins setting.

But if either of the above is configured to Alarm and Blocking page (or Drop), then a real user who made a mistake will be blocked as well - so not being able to block on username is a bit artificial here.

Now there is a question: how to unlock such a blocked IP? I can't see any way.

Another issue I noticed is that for some reason (even if Device ID Tracking is enabled in Session Tracking) no Device ID is reported - is there some minimal number of requests necessary to identify a given device?

I wonder what a good mix of settings is there to:

  • Actually prevent a real user who forgot the password from being locked out
  • Not allow a malicious user to continue guessing forever (if he can afford a CAPTCHA-solving solution)

The only way to block login after a given number of solved CAPTCHAs and failed attempts is to set CAPTCHA Bypass Mitigation - but it only works for IP Address and Device ID, not Username.

Assuming that a real user will rather try to log in from the same IP Address and/or Device ID, then in the end the real user will be locked out. Then again, there should be some way to unlock - and I can't see it.

If the attack is distributed (different IPs and Device IDs), then not being able to block based on Username looks to me like a weak spot.

An attacker can limit the number of attempts per IP to a small number and bypass the protection. Based on default settings it is possible to perform up to 9 attempts per IP (the 4th attempt triggers CAPTCHA, then 5 attempts after solving the CAPTCHA) without being locked out.

The new settings are for sure more powerful, but it is not so easy to figure out the relations between them and create an optimal combination.

Piotr
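
The gap the post describes (per-IP lockout that never fires when guessing is spread across IPs) can be checked for in failed-login records outside the WAF. The following is an added example, not part of the post and not F5 ASM code or log format: the records are constructed generic (source_ip, username) tuples, and the limit of 9 is the per-IP count the post derives from the default settings.

```python
from collections import Counter, defaultdict

# Per-IP threshold as described in the post for default settings:
# the 4th attempt triggers CAPTCHA, then 5 more attempts are allowed after
# solving it, so 9 failures per IP pass without that IP being locked out.
PER_IP_LIMIT = 9

# Constructed sample of failed-login records (generic tuples, not F5 ASM
# log output): three IPs each stay below the limit against "alice",
# while "bob" mistypes his password twice from one IP.
FAILED_LOGINS = (
    [("198.51.100.11", "alice")] * 8
    + [("198.51.100.12", "alice")] * 8
    + [("198.51.100.13", "alice")] * 8
    + [("203.0.113.7", "bob")] * 2
)


def failures_per_ip(events):
    """Failed logins per source IP: the view a per-IP lockout acts on."""
    return Counter(ip for ip, _ in events)


def failures_per_user(events):
    """Failed logins per username regardless of where they came from."""
    return Counter(user for _, user in events)


def distributed_guessing(events, per_ip_limit=PER_IP_LIMIT):
    """Return {username: (total_failures, distinct_ips)} for accounts whose
    total failures exceed the per-IP limit while no single IP reached it,
    i.e. guessing that a per-IP threshold alone would never block."""
    ip_counts = failures_per_ip(events)
    user_ips = defaultdict(set)
    for ip, user in events:
        user_ips[user].add(ip)
    flagged = {}
    for user, total in failures_per_user(events).items():
        under_ip_limit = all(ip_counts[ip] <= per_ip_limit for ip in user_ips[user])
        if total > per_ip_limit and under_ip_limit:
            flagged[user] = (total, len(user_ips[user]))
    return flagged


if __name__ == "__main__":
    # Every IP is at 8 failures, yet "alice" has 24 in total across 3 IPs.
    print(distributed_guessing(FAILED_LOGINS))  # {'alice': (24, 3)}
```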
