F5 mitigations series
by
https://twitter.com/rotkovitch
F5 Security Incident Response Team (F5 SIRT)
• F5SIRT@f5.com
• https://f5.com/support/security-incident-response-team-sirt
Advance WAF bot mitigations V13.1
Detection methods

1. By source IP
[Figure: a web site (servers, database) receiving traffic from several source IPs (X.X.X.X, X.Y.Z.A, A.B.C.D). Behind each IP there may be a user, an unidentified user, a web bot such as the Google web bot, or hacktivism tooling; at this stage ASM only sees the source IP.]

ASM measures the increase in requests from each source IP.
Each detection method has two parts in the DoS profile: the detection criteria and the prevention policy. The detection criterion is a ratio between two measurement windows that ASM keeps in memory:

  Long (History Interval):  50 TPS
  Short (Current Interval): 370 TPS
  TPS increased by: ((370 - 50) / 50) * 100 = 640%
  640% > 500% (the configured "TPS increased by" threshold) = True, so the source is flagged

Safety belt to prevent false positives: the ratio is not evaluated on its own. The profile also carries absolute thresholds (a minimum TPS below which the ratio is ignored, and an absolute "TPS reached" value), so a source that goes from 1 TPS to 7 TPS, also a 600% increase, is not treated as an attacker.
2. By Device ID
[Figure: the same web site, but ASM now fingerprints each source and assigns a Device ID (LK142, LQ87A); a client that could not be fingerprinted carries ID N/A.]

• Measuring the increase in requests per Device ID.
• ASM fingerprints the source and assigns the Device ID; the same TPS ratio is then computed per ID instead of per IP, so several clients behind one shared IP (NAT, proxy) are told apart. A client that does not produce a fingerprint (ID N/A) cannot be tracked this way and is only covered by the other detection methods.
3. By geolocation
Measuring the increase in requests from a specific country: the TPS ratio is computed per source country rather than per IP, which catches a distributed attack in which no single IP crosses its own threshold.

[Figure: the same web site, with users, unidentified users, web bots and hacktivism traffic grouped by source country.]
4. By URL
• Measuring the increase in requests on a URL: the ratio is computed per application URL or object, for example:
  http://site.com/sell.php
  http://site.com/style.css
  http://site.com/login.php

[Figure: the same web site; traffic from users, web bots and hacktivism sources is now grouped by the URL it requests.]
5. By site wide
• Measuring the increase in requests on both IPs and URLs (site wide): the ratio is computed over all traffic to the site, regardless of which source IP or URL carries it, so it is the method that still fires when an attack is spread thinly across many sources and many URLs.

[Figure: the same web site; all source IPs and all application URLs and objects are counted together.]
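The five detection methods above (by source IP, Device ID, geolocation, URL and site wide) are the same ratio check keyed on a different attribute. The following Python is an added example written for this page, not F5 code: it reproduces the slide's numbers (50 TPS history against 370 TPS current gives 640%, above the 500% threshold) and runs the check on every key. The minimum-TPS floor standing in for the "safety belt", and the traffic sample, are assumptions constructed for the example.

```python
"""Ratio-based request-rate detection across the five DoS-profile dimensions.

Added example, not F5's code. Models the "TPS increased by" check from the
source-IP slide and applies it keyed by source IP, Device ID, geolocation,
URL and site wide. The minimum-TPS floor (the "safety belt") and the
traffic sample are assumptions constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass

TPS_INCREASED_BY_PCT = 500   # profile threshold from the slide
MIN_TPS_FOR_DETECTION = 40   # assumed floor: ratio ignored below this current TPS


@dataclass(frozen=True)
class Req:
    src_ip: str
    device_id: str      # "N/A" when the client could not be fingerprinted
    country: str
    url: str


# How each detection method keys the counters.
DIMENSIONS = {
    "source_ip": lambda r: r.src_ip,
    "device_id": lambda r: r.device_id,
    "geolocation": lambda r: r.country,
    "url": lambda r: r.url,
    "site_wide": lambda r: "*",          # one bucket for the whole site
}


def tps_per_key(reqs, key_fn, window_seconds):
    """Transactions per second for every key seen in one measurement window."""
    counts = Counter(key_fn(r) for r in reqs)
    return {key: n / window_seconds for key, n in counts.items()}


def increase_pct(history_tps, current_tps):
    """The slide's formula: ((current - history) / history) * 100."""
    if history_tps == 0:
        return float("inf") if current_tps > 0 else 0.0
    return (current_tps - history_tps) / history_tps * 100


def detect(history, current, history_secs, current_secs, dimension):
    """Return {key: (history_tps, current_tps, increase_pct)} for flagged keys."""
    key_fn = DIMENSIONS[dimension]
    long_tps = tps_per_key(history, key_fn, history_secs)
    short_tps = tps_per_key(current, key_fn, current_secs)
    flagged = {}
    for key, cur in short_tps.items():
        if dimension == "device_id" and key == "N/A":
            continue                      # no fingerprint: cannot be tracked per device
        hist = long_tps.get(key, 0.0)
        pct = increase_pct(hist, cur)
        # Both conditions must hold: the relative jump AND the absolute floor.
        if cur >= MIN_TPS_FOR_DETECTION and pct > TPS_INCREASED_BY_PCT:
            flagged[key] = (hist, cur, pct)
    return flagged


def synth(n, src_ip, device_id, country, url):
    """Constructed traffic: n identical requests."""
    return [Req(src_ip, device_id, country, url)] * n


HISTORY_SECS, CURRENT_SECS = 60, 1
# Constructed sample: A.B.C.D ramps from 50 TPS to 370 TPS (the slide's numbers);
# X.X.X.X ramps from 2 TPS to 14 TPS, also a 600% jump, but stays under the floor.
HISTORY = (synth(3000, "A.B.C.D", "LK142", "RU", "/sell.php")
           + synth(120, "X.X.X.X", "N/A", "US", "/login.php"))
CURRENT = (synth(370, "A.B.C.D", "LK142", "RU", "/sell.php")
           + synth(14, "X.X.X.X", "N/A", "US", "/login.php"))


def run_all():
    """Run every detection method over the constructed sample."""
    return {dim: detect(HISTORY, CURRENT, HISTORY_SECS, CURRENT_SECS, dim)
            for dim in DIMENSIONS}


if __name__ == "__main__":
    for dim, hits in run_all().items():
        for key, (hist, cur, pct) in hits.items():
            print(f"{dim:12s} {key!s:10s} {hist:6.1f} -> {cur:6.1f} TPS (+{pct:.0f}%)")
```

Running it flags A.B.C.D, its Device ID, its country, /sell.php and the site as a whole, while X.X.X.X passes on every dimension despite a 600% jump, which is exactly what the absolute floor is for.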
Mitigation methods

1. Client side integrity defense (CSID)
User (browser) vs. web bot:
  Client: Hey server, can I get the web page?
  ASM: First show me that you are a browser.
  Browser: Yes, I'm a browser (it runs and solves the JavaScript test).
  ASM: OK, you are allowed. Here is the web page you asked for.
  Bot: *^lkjdfg@#$ (it cannot run the test)
  ASM: Bye bye. Blocked.

Client Side Integrity Defense - Flow (User / Browser / DoS Profile / App):
1. First main page access: the browser sends the HTTP request (no cookie).
2. The DoS profile holds the request and answers with a computational (JavaScript) challenge.
3. The browser solves the challenge and sets a cookie carrying a time stamp.
4. The browser re-sends the HTTP request (with cookie); the DoS profile reconstructs the original HTTP request and forwards it to the app.
5. The app returns the main page; the DoS profile delivers it to the browser.
6. Further object requests carry the cookie; the DoS profile validates the cookie (format and time stamp) on each one, forwards them, and delivers the responses.

Valid source:
• The client supports JavaScript
• The client supports HTTP cookies
• The client calculated the JS challenge
Not valid:
• Did not pass the above
• Cookie in the wrong format: block (RST)
• Time stamp expired: block (RST)
2. CAPTCHA
User vs. web bot:
  Client: Hey server, can I get the web page?
  ASM: No, first answer a CAPTCHA challenge and show me you are human.
  User: OK, I answered.
  Bot: Ha? *^lkjdfg@#$
  ASM (to the user): OK, you are allowed. Here is the web page you asked for.
  ASM (to the bot): Bye bye. Blocked.

CAPTCHA - Flow (User / Browser / DoS Profile / App):
1. The user requests a page; the browser sends GET /mypage.php (no cookie).
2. The DoS profile answers with the CAPTCHA HTML + JS and a cookie carrying a time stamp; the browser renders the CAPTCHA.
3. The user solves the CAPTCHA; the browser submits the solution and re-sends GET /mypage.php with the CAPTCHA cookie.
4. The DoS profile verifies the CAPTCHA solution and validates the cookie, then forwards GET /mypage.php to the app.
5. The app returns the HTML of mypage.php; the DoS profile delivers it and the browser renders it.
• While the system is still in a state of attack, the offending source is presented with another CAPTCHA every 5 minutes.
• As with CSID, the request is held at the ASM until the CAPTCHA is solved.
• CAPTCHA is the profile's ultimate check for telling a human from a bot.
• The challenge is sent to every IP that reached the IP detection criteria thresholds.
• Note: some argue that CAPTCHA is poor for usability, but it works well.
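Both CSID and CAPTCHA follow the same shape: the DoS profile holds the first request, issues a challenge, and only forwards once a cookie that proves the challenge was solved comes back; a cookie in the wrong format is reset, and a missing or expired one earns a fresh challenge (expiry is treated as re-challenge here, as in the Bot Defense event log table later on this page). The Python below is an added example for this page, not F5's implementation. The hash-prefix puzzle standing in for the JavaScript challenge, the "<kind>:<timestamp>.<hmac>" cookie layout, and the use of the slide's 5 minutes as the cookie lifetime are all assumptions made for the example.

```python
"""Challenge gateway modelling the CSID and CAPTCHA flows.

Added example, not F5's implementation. The computational challenge is a
hash-prefix puzzle, the cookie is "<kind>:<timestamp>.<hmac>", and the
5-minute lifetime comes from the slide's "another CAPTCHA every 5 min";
all three are assumptions made for the example.
"""
import hashlib
import hmac
import secrets
from typing import Optional

SECRET = secrets.token_bytes(32)   # per-device signing key (assumed)
COOKIE_TTL = 300                   # seconds: re-challenge every 5 minutes while under attack
CS_DIFFICULTY = 3                  # leading hex zeros the browser must find (assumed puzzle)


def sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def mint_cookie(kind: str, now: float) -> str:
    """Cookie set after a solved challenge: carries the kind and a time stamp."""
    payload = f"{kind}:{int(now)}"
    return payload + "." + sign(payload)


def check_cookie(cookie: Optional[str], now: float) -> str:
    """'ok', 'missing', 'bad_format', 'bad_signature' or 'expired'."""
    if cookie is None:
        return "missing"
    try:
        payload, sig = cookie.rsplit(".", 1)
        _kind, ts = payload.split(":")
        issued = int(ts)
    except ValueError:
        return "bad_format"
    if not hmac.compare_digest(sig, sign(payload)):
        return "bad_signature"          # tampered time stamp or forged cookie
    if now - issued > COOKIE_TTL:
        return "expired"
    return "ok"


# --- CSID: computational challenge that only a JavaScript-capable client solves ---
def cs_challenge() -> str:
    return secrets.token_hex(8)


def cs_verify(seed: str, nonce: int) -> bool:
    digest = hashlib.sha256(f"{seed}:{nonce}".encode()).hexdigest()
    return digest.startswith("0" * CS_DIFFICULTY)


def cs_solve(seed: str) -> int:
    """What the browser's JavaScript does: search for a nonce that fits the puzzle."""
    nonce = 0
    while not cs_verify(seed, nonce):
        nonce += 1
    return nonce


# --- CAPTCHA: server keeps the expected answer; the client only sees the rendered puzzle ---
_pending_captchas: dict = {}


def captcha_challenge() -> tuple:
    """Returns (challenge id, text shown in the image). Constructed stand-in for a renderer."""
    cid, answer = secrets.token_hex(8), secrets.token_hex(3)
    _pending_captchas[cid] = answer
    return cid, answer


def captcha_verify(cid: str, answer: str) -> bool:
    expected = _pending_captchas.pop(cid, None)     # single use
    return expected is not None and hmac.compare_digest(expected, answer)


def gate(cookie: Optional[str], now: float, under_attack: bool, mode: str) -> str:
    """Decision for one request: 'forward', 'challenge_cs', 'challenge_captcha' or 'rst'."""
    if not under_attack:
        return "forward"        # challenges only go to sources past the detection thresholds
    state = check_cookie(cookie, now)
    if state == "ok":
        return "forward"
    if state in ("bad_format", "bad_signature"):
        return "rst"            # slide: wrong cookie format -> block (RST)
    # missing or expired: hold the request and (re)issue the challenge
    return "challenge_cs" if mode == "csid" else "challenge_captcha"


def browser_session(mode: str, start: float = 1_000_000.0) -> list:
    """A JS- and cookie-capable client under attack conditions; returns the gate decisions."""
    trace, cookie, now = [], None, start
    trace.append(gate(cookie, now, True, mode))                 # first request, no cookie
    if mode == "csid":
        seed = cs_challenge()
        if cs_verify(seed, cs_solve(seed)):
            cookie = mint_cookie("cs", now)
    else:
        cid, shown = captcha_challenge()
        if captcha_verify(cid, shown):                           # the human types it back
            cookie = mint_cookie("captcha", now)
    trace.append(gate(cookie, now + 1, True, mode))             # retry with cookie
    trace.append(gate(cookie, now + COOKIE_TTL + 1, True, mode))  # 5 min later, still attacked
    tampered = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    trace.append(gate(tampered, now + 1, True, mode))           # forged cookie
    return trace
```

A curl-style client that sends the slide's "*^lkjdfg@#$" instead of a cookie is reset immediately, while one that simply never returns a cookie keeps receiving the challenge and never reaches the app; that is the "request is held at the ASM" behaviour from the bullets above.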
3. Request blocking
  i. Rate limit
  ii. Request block
  Client: Hey server, can I get the web page?
  ASM: (a) No, I'm limiting the rate at which you may send requests.
  Client: Just 1 request per minute?
  ASM: (b) No, I'm blocking you entirely.

While CSID and CAPTCHA try to work out who the offending source is (bot or human), request limiting is indifferent to "identity": it simply limits or blocks the offending source.
Request Blocking:
• Blocking: drops all requests from the offending source
• Rate Limit: caps the number of requests allowed from the offending source
Bot classes and the checks that catch them:
• Simple bots: bot signatures (ASM signatures)
• Impersonating bots: bot signatures plus verification of the claimed identity (reverse DNS, below)
• Full-browser bots: client capabilities challenge, CSID, CAPTCHA challenge

  Bot: I'm a simple bot.
  ASM: Yes, I have your signature. Sorry mate, you are blocked.
A simple bot can be any command-line tool, such as curl, wget or ab.
Bot signatures are grouped into categories; benign categories stay allowed, and specific bot signatures can be disabled under Security ›› Options ›› DoS Protection ›› Bot Signatures List.
Impersonating bot ("Gohogle"):
  Bot: I'm a Google bot, ha ha ha. (User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html))
  ASM: Let's see if you are. I'm doing a reverse DNS lookup.
  ASM: Hey DNS, who's this guy?
  DNS: No one important.
  ASM: You are not Google bot. Bye bye, block this creature!
A genuine Googlebot presenting the same User-Agent resolves to a Google host name and is allowed.

Caveat: a PTR record on its own proves little, because whoever controls the reverse zone of the source IP can put any name in it. The check is only reliable when the host name from the reverse lookup is resolved forward again and returns the original IP (forward-confirmed reverse DNS), which is also how Google documents verifying its crawler.
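The following Python is an added example for this page, not F5's implementation: it combines the simple-bot signature match (the curl, wget and ab User-Agents from the earlier slide, with the option of disabling a signature) with verification of a self-declared Googlebot. It goes one step beyond the slide's reverse DNS lookup by also confirming the forward resolution, as described in the caveat above. The signature table, the DNS records and the disabled-signature set are assumptions constructed for the example, and the resolver is an in-memory table so it runs offline (66.249.66.1 and its PTR name are Google's own documented example).

```python
"""Checking a self-declared Googlebot and matching simple-bot signatures.

Added example, not F5's implementation. The slide shows ASM doing a reverse
DNS lookup; this adds the forward confirmation Google documents for its
crawler and uses a constructed in-memory resolver so it runs offline. The
signature table, the disabled-signature set and the DNS records are
assumptions for the example.
"""
import re

# Signature-style matches for command-line tools (the slide's curl, wget, ab).
BOT_SIGNATURES = {
    "curl": re.compile(r"^curl/"),
    "wget": re.compile(r"^Wget/", re.I),
    "ab": re.compile(r"^ApacheBench/"),
}
GOOGLEBOT_UA = re.compile(r"\bGooglebot\b")
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")

# Constructed DNS data: PTR (reverse) and A (forward) records.
PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",  # genuine crawler
    "203.0.113.7": "crawl-66-249-66-1.googlebot.com",  # attacker-controlled reverse zone lies
    "198.51.100.9": "no-one-important.example",        # the slide's "Gohogle"
}
A = {
    "crawl-66-249-66-1.googlebot.com": {"66.249.66.1"},
    "no-one-important.example": {"198.51.100.9"},
}


def fcrdns(ip, ptr=PTR, a=A):
    """Forward-confirmed reverse DNS: PTR name whose A record contains the IP, else None."""
    host = ptr.get(ip)
    if host is None:
        return None
    if ip not in a.get(host, set()):
        return None          # reverse name does not resolve back: spoofed PTR
    return host


def match_signature(user_agent, disabled=frozenset()):
    """Name of the first enabled bot signature the User-Agent matches, else None."""
    for name, rx in BOT_SIGNATURES.items():
        if name not in disabled and rx.search(user_agent):
            return name
    return None


def classify(ip, user_agent, disabled=frozenset()):
    """Decision string for one request, in the order the slides apply the checks."""
    sig = match_signature(user_agent, disabled)
    if sig:
        return f"block: simple bot signature ({sig})"
    if GOOGLEBOT_UA.search(user_agent):
        host = fcrdns(ip)
        if host and host.endswith(GOOGLE_SUFFIXES):
            return "allow: verified Googlebot"
        return "block: Googlebot impersonation"
    return "continue: no signature match"
```

The 203.0.113.7 entry is the case the slide does not show: its PTR record says "googlebot.com", so a reverse lookup alone would let it through, but the forward lookup of that name does not return 203.0.113.7, so it is blocked.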
Full-browser bot:
  Bot: I'm a bot that simulates a browser.
  ASM: OK, what are your capabilities? If you do not answer correctly you will have to answer a CAPTCHA and/or be blocked.
  (the bot fails the capabilities check, then the CAPTCHA)
  ASM: You are not human, bye. Block this unhuman!
• If Block Suspicious Browsers is unchecked -> send the CS (CSID) challenge only.
• If Block Suspicious Browsers is checked and CAPTCHA Challenge is checked -> send the Client Capabilities challenge and score the answer; if the score leaves the client in doubt, send a CAPTCHA for human verification.
• If Block Suspicious Browsers is checked but CAPTCHA Challenge is unchecked -> do not send a CAPTCHA; block whenever the score is above the browser (human) range.
Client Capabilities challenge - Flow (User / Browser / DoS Profile / App):
1. First request: the browser sends GET /sell.php (no cookie).
2. The DoS profile answers with a blank page, the capabilities script and Set-Cookie.
3. The browser runs the script and returns the Client Capabilities challenge response.
4. The DoS profile authenticates and decrypts the JS results, computes a browser score from them and determines an action based on the score.
5. If the request is allowed, the DoS profile reconstructs the original HTTP request (plus cookie) and forwards it to the app; the app's response is delivered to the browser with the cookie.
6. Later requests such as GET /img.png carry the cookie; the DoS profile validates it (format and time stamp) and forwards them.
Evaluating the request by score:
  0 – 59: browser
  60 – 99: unknown
  100: bot
• If the score is 0 to 59 the client is assumed to be a browser and the request passes through.
• If the score is 60 to 99 the client is declared unknown and a CAPTCHA is sent. If the CAPTCHA is solved the client is allowed in; a failed CAPTCHA results in a connection reset.
• If the score is 100 the request is reset.
The characteristics by which the score is set are F5 internal intellectual property, but in general a browser is expected to have certain features. Missing headers, obsolete User-Agents, or badly formed URLs are a few indicators of bot activity.
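The Python below is an added example for this page, not F5 code, showing how the three indicators the slide names feed a score and how the score, together with the two check boxes, turns into an action. The real scoring characteristics are F5 intellectual property; the heuristics here (missing headers, an obsolete User-Agent, a badly formed URL) and their weights are assumptions chosen for the example. The 0-59 / 60-99 / 100 bands and the check-box behaviour are the slide's.

```python
"""Client Capabilities challenge: score a request and choose the action.

Added example, not F5's code. The real scoring characteristics are F5
intellectual property; the heuristics below use only the indicators the
slide names (missing headers, obsolete User-Agent, badly formed URL) with
weights assumed for the example. The 0-59 / 60-99 / 100 bands and the two
check boxes (Block Suspicious Browsers, CAPTCHA Challenge) are the slide's.
"""
import re

EXPECTED_HEADERS = ("User-Agent", "Accept", "Accept-Language", "Accept-Encoding")
OBSOLETE_UA = re.compile(r"MSIE [1-6]\.|Firefox/[1-9]\.\d|Chrome/[1-9]\.")  # assumed list
BAD_URL = re.compile(r"[\x00-\x1f ]|^(?!/)")   # control chars, spaces, or not starting with "/"

BROWSER_MAX, UNKNOWN_MAX = 59, 99


def score_request(headers, path):
    """0 = clearly a browser ... 100 = bot. Weights are assumptions."""
    if "User-Agent" not in headers:
        return 100                                   # scripted client with no UA at all
    missing = [h for h in EXPECTED_HEADERS if h not in headers]
    score = 20 * len(missing)                        # +20 per expected header that is absent
    if OBSOLETE_UA.search(headers["User-Agent"]):
        score += 30                                  # obsolete User-Agent
    if BAD_URL.search(path):
        score += 30                                  # badly formed URL
    return min(score, 100)


def band(score):
    if score <= BROWSER_MAX:
        return "browser"
    return "unknown" if score <= UNKNOWN_MAX else "bot"


def decide(score, block_suspicious, captcha_enabled):
    """Action per the slide's three configurations of the two check boxes."""
    if not block_suspicious:
        return "CS_CHALLENGE"           # scoring not used; only the CSID challenge is sent
    if score <= BROWSER_MAX:
        return "ALLOW"
    if score <= UNKNOWN_MAX:
        return "CAPTCHA" if captcha_enabled else "TCP_RST"
    return "TCP_RST"


def after_captcha(solved):
    """Outcome of the CAPTCHA sent to an 'unknown' client."""
    return "ALLOW" if solved else "TCP_RST"


# Constructed requests: (headers, path)
BROWSER = ({"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0",
            "Accept": "text/html", "Accept-Language": "en", "Accept-Encoding": "gzip"},
           "/sell.php")
OLD_IE = ({"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
           "Accept": "*/*"},
          "/login.php")
HEADLESS = ({"Accept": "*/*"}, "/sell.php")

if __name__ == "__main__":
    for name, (hdrs, path) in {"browser": BROWSER, "old_ie": OLD_IE, "headless": HEADLESS}.items():
        s = score_request(hdrs, path)
        print(f"{name:9s} score={s:3d} {band(s):8s} -> {decide(s, True, True)}")
```

With both boxes checked the old IE request (score 70, "unknown") gets a CAPTCHA; with CAPTCHA Challenge unchecked the same request is reset, which is the behaviour the third bullet above describes.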
Bot Defense event log (Security ›› Event Logs ›› Bot Defense ›› Request): challenge outcome and the resulting action
  Passed Browser Challenge                                -> Allow
  Passed CAPTCHA Challenge                                -> Allow
  Passed Redirect Challenge                               -> Allow
  Expired Browser Challenge                               -> Browser Challenge (re-issued)
  Failed Browser Challenge                                -> TCP RST
  Bad Response to CAPTCHA (incorrect or missing response) -> CAPTCHA Challenge (re-issued)
# EXAMPLE: enable client-side challenges on a specific URL
# BOTDEFENSE_REQUEST fires for every request handled by the DoS (bot defense)
# profile; BOTDEFENSE::cs_allowed controls whether a client-side challenge
# may be sent for this request.
when BOTDEFENSE_REQUEST {
    # HTTP::path ignores any query string, so /login.php?next=/ also matches
    if { [HTTP::path] eq "/login.php" } {
        BOTDEFENSE::cs_allowed true
    }
}
https://devcentral.f5.com/wiki/iRules.BOTDEFENSE.ashx
# EXAMPLE: allow CSID actions on URLs with the .html extension
when BOTDEFENSE_REQUEST {
    # match on the path, not the full URI, so a query string cannot hide the extension
    if { [HTTP::path] ends_with ".html" } {
        BOTDEFENSE::cs_allowed true
    }
}
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data
 
Oracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxOracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptx
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptx
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)
 
Flow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameFlow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First Frame
 
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
 
2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf
 
Novo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNovo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4j
 
.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx
 
Automation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projectsAutomation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projects
 
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
 
The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)
 
March Patch Tuesday
March Patch TuesdayMarch Patch Tuesday
March Patch Tuesday
 
The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4
 

Advance WAF bot mitigations V13.1

  • 6. Detection criteria: 1. By source IP
  • 7. ASM measures the request increase from source IPs.
    [Diagram: users or bots (hacktivism, Google web bot, unidentified user, user) at source IPs IP:X.X.X.X, IP:X.Y.Z.A and IP:A.B.C.D send requests to the web site, servers and database.]
  • 9. Detection (ratio) and prevention policy. Memory:
    Long (history interval): 50 TPS
    Short (current interval): 370 TPS
    TPS increased by: ((370 - 50) / 50) * 100 = 640%
    640% > 500% = True
    Safety belt to prevent false positives
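The ratio check from slide 9, carried through as an added example (not F5's implementation): a per-source-IP detector keeps a long (history) interval and a short (current) interval, fires when the increase exceeds the 500% ratio, and applies an absolute minimum current TPS as the "safety belt" against false positives. The 500% ratio is the slide's; the minimum-TPS value is an assumption.

```python
"""Per-source-IP TPS ratio check modelled on the slide's calculation.

Added example, not F5's implementation. The 500% "TPS increased by"
ratio is the slide's; the absolute minimum current TPS (the "safety
belt" that ignores tiny baselines) is an assumed value.
"""
from collections import defaultdict, deque


class TpsRatioDetector:
    def __init__(self, long_intervals=10, increase_pct=500.0, min_tps=200.0):
        self.long_intervals = long_intervals   # one-second samples kept as history
        self.increase_pct = increase_pct       # detection ratio from the slide
        self.min_tps = min_tps                 # assumed safety belt (absolute TPS)
        self.history = defaultdict(lambda: deque(maxlen=long_intervals))
        self.current = defaultdict(int)        # requests seen in the short interval

    def record(self, src_ip, n=1):
        """Count n requests from src_ip in the current one-second interval."""
        self.current[src_ip] += n

    def tick(self):
        """Close the current interval: fold every source's count into history."""
        for ip in set(self.history) | set(self.current):
            self.history[ip].append(self.current.get(ip, 0))
        self.current = defaultdict(int)

    @staticmethod
    def increase_pct_of(long_tps, short_tps):
        """((short - long) / long) * 100 as on the slide; empty baseline -> inf."""
        if long_tps == 0:
            return float("inf") if short_tps else 0.0
        return (short_tps - long_tps) / long_tps * 100.0

    def evaluate(self, src_ip):
        """Return (long_tps, short_tps, increase_pct, is_attack) for src_ip."""
        hist = self.history[src_ip]
        long_tps = sum(hist) / len(hist) if hist else 0.0
        short_tps = float(self.current[src_ip])
        inc = self.increase_pct_of(long_tps, short_tps)
        # Both conditions must hold: the ratio AND the absolute safety belt.
        is_attack = inc > self.increase_pct and short_tps >= self.min_tps
        return long_tps, short_tps, inc, is_attack
```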
  • 11. Detection criteria: 2. By Device ID
  • 12. Measuring the request increase on a Device ID. ASM fingerprints the source and gives it a Device ID, e.g. ID:LK142, ID:LQ87A, ID:N/A.
    [Diagram: unidentified user, user and web bot, sharing IP:X.X.X.X, send requests to the web site, servers and database.]
  • 15. Measuring the request increase from a specific country.
    [Diagram: users or bots (hacktivism, Google web bot, unidentified user, user) at their source IPs send requests to the web site, servers and database.]
  • 18. Measuring the request increase on a URL. App URLs and objects: http://site.com/sell.php, http://site.com/style.css, http://site.com/login.php.
    [Diagram: users or bots (hacktivism, Google web bot, unidentified user, user) at their source IPs send requests to the web site, servers and database.]
  • 20. Detection criteria: 5. By site wide
  • 21. Measuring the request increase on both IPs and URLs.
    [Diagram: source IPs of users or bots (hacktivism, Google web bot, unidentified user, user) on one side, app URLs and objects on the other, with the web site, servers and database behind them.]
  • 23. Prevention policy: 1. Client side integrity defense (CSID)
  • 24. Client: Hey server, can I get the web page?
    ASM: First show me that you are a browser.
    If a browser: Yes, I'm a browser. ASM: OK, you are allowed. Here is the web page you asked for.
    If a bot: *^lkjdfg@#$. ASM: Bye bye – blocked.
    [Cartoon with User, Web Bot and Server.]
  • 25. Client Side Integrity Defense – flow (user browser / DoS profile / app):
    1. First main page access: HTTP request (no cookie) reaches the DoS profile.
    2. DoS profile sends the JS test: a computational challenge.
    3. Browser solves the challenge and sets a cookie with a time stamp.
    4. HTTP request (cookie); DoS profile validates the cookie: format and time stamp.
    5. DoS profile reconstructs the request and sends the original HTTP request to the app.
    6. HTTP response (main page) returns through the DoS profile; the page is delivered.
    7. More object requests (cookie) are forwarded; more responses are returned.
    Valid source: the client supports JavaScript, supports HTTP cookies, and calculates the JS challenge.
    Not valid: didn't pass the above; cookie is in the wrong format – block (RST); time stamp expired – block (RST).
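The cookie half of the CSID flow above, as an added example that is not F5's format: a time-stamped, HMAC-bound cookie is issued only once the computational challenge is answered, and every later request is classified exactly as the slide lists it (no cookie: challenge; wrong format: block; expired time stamp: block; otherwise allow). The "<ts>.<hmac>" layout, the sha256(nonce) challenge and the 300-second validity window are assumptions.

```python
"""Challenge-cookie issue/validate in the style of the CSID flow above.

Added example, not F5's cookie format: the "<ts>.<hmac>" layout, the
sha256(nonce) challenge and the 300 s validity window are assumptions.
Outcomes mirror the slide: challenge, allow, block_format, block_expired.
"""
import hashlib
import hmac
import time
from typing import Optional

TTL_SECONDS = 300  # assumed validity window for the cookie's time stamp


def expected_answer(nonce: str) -> str:
    """The computational (JS) challenge: client must return sha256(nonce)."""
    return hashlib.sha256(nonce.encode()).hexdigest()


def issue_cookie(secret: bytes, nonce: str, answer: str,
                 now: Optional[float] = None) -> Optional[str]:
    """Set the time-stamped cookie only if the client solved the challenge."""
    if not hmac.compare_digest(answer, expected_answer(nonce)):
        return None
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def validate_cookie(secret: bytes, cookie: Optional[str],
                    now: Optional[float] = None) -> str:
    """Classify a request the way the DoS profile does: challenge, allow or block."""
    if cookie is None:
        return "challenge"           # no cookie yet -> send the JS test
    parts = cookie.split(".")
    if len(parts) != 2 or not parts[0].isdigit() or len(parts[1]) != 64:
        return "block_format"        # cookie is wrong format -> block (RST)
    ts, mac = parts
    good = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, good):
        return "block_format"        # tampered/forged cookie -> block (RST)
    age = (now if now is not None else time.time()) - int(ts)
    if age < 0 or age > TTL_SECONDS:
        return "block_expired"       # time stamp expired -> block (RST)
    return "allow"                   # valid source: reconstruct and forward
```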
  • 28. Client: Hey server, can I get the web page?
    ASM: No, first answer a CAPTCHA challenge and show me you're human!
    If a user: OK, I answered. ASM: OK, you are allowed. Here is the web page you asked for.
    If not a user: Ha? *^lkjdfg@#$. ASM: Bye bye – block him, dude!
    [Cartoon with User, Web Bot and Server.]
  • 29. CAPTCHA challenge – flow (user browser / DoS profile / app):
    1. Request login.php: GET /mypage.php (no cookie) reaches the DoS profile.
    2. DoS profile sends the CAPTCHA: CAPTCHA HTML + JS response, cookie with time stamp.
    3. CAPTCHA rendered; the user solves the CAPTCHA and submits the solution: GET /mypage.php + CAPTCHA cookie.
    4. DoS profile verifies the CAPTCHA solution and validates the cookie, then sends GET /mypage.php to the app.
    5. HTML of mypage.php returns through the DoS profile; mypage.php is rendered.
    • While the system is still in a state of attack, the offending source will be presented with another CAPTCHA every 5 min.
    • Same as CSID, the request is held at the ASM until the CAPTCHA is solved.
  • 30. The ultimate solution for identifying human or bot. Send a challenge to every IP that reached the IP detection criteria thresholds. Note: some argue that CAPTCHA is not good for usability... but it works well!
  • 32. Client: Hey server, can I get the web page?
    ASM: (a) No, I'm limiting your request sending rate.
    Just 1 request per minute?
    ASM: (b) No, I'm totally blocking your
    [Cartoon with Client and Server.]
  • 33. While CSID and CAPTCHA try to understand who the offending source is (bot or human), request limiting is indifferent to the "identity" and limits/blocks the offending sources. Request blocking:
    • Blocking: blocks all IPs from the offending source
    • Rate limit: limits the amount of allowed requests from the offending source
  • 34. [Diagram: bot classes – simple bots, impersonating bots, full browser bots – mapped to mitigations: bot signatures, ASM signatures, CSID, CAPTCHA challenge, client capabilities, CAPTCHA challenge.]
  • 35. I'm a simple bot. ASM: Yes, I have your signature. Sorry mate, you are blocked. A simple bot can be any command line tool such as curl, wget or ab.
    [Cartoon with Server.]
  • 38. Security ›› Options ›› DoS Protection ›› Bot Signatures Lis
  • 40. Gohogle: I'm a Google bot, ha ha ha.
    ASM: Let's see if you are. I'm doing a reverse DNS lookup. Hey DNS, who's this guy?
    DNS server: No one important.
    ASM: You are not Googlebot. Bye bye -> block this creature! (Gohogle: Bummer.)
    Google: I'm a Google bot (Googlebot/2.1 (+http://www.google.com/bot.html)).
    [Cartoon with Gohogle, Google, DNS server and Server.]
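The reverse DNS check of slide 40, written out as an added example (not ASM's internal logic): reverse-resolve the source IP, require a Google hostname, then resolve that name forward and require it to point back to the same IP, so a "Gohogle" with a spoofed PTR record still fails. The PTR/A tables and documentation-range addresses are constructed for the offline demo; the `real_*` resolvers use the standard socket lookups.

```python
"""Forward-confirmed reverse DNS for a client claiming to be Googlebot.

Added example (not ASM's internal logic) of what slide 40 describes: reverse-
resolve the source IP, require a Google hostname, then resolve that name
forward and require it to point back to the same IP. The PTR/A tables below
are constructed for the offline demo (documentation-range IPs), not real DNS.
"""
import socket

GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")

PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",   # genuine crawler
       "198.51.100.5": "gohogle.example.net",            # the slide's "Gohogle"
       "203.0.113.9": "crawl-fake.googlebot.com"}        # spoofed PTR, no forward match
A = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
     "gohogle.example.net": ["198.51.100.5"],
     "crawl-fake.googlebot.com": ["192.0.2.99"]}

def fake_reverse(ip):
    return PTR.get(ip)                      # None stands for NXDOMAIN

def fake_forward(host):
    return A.get(host, [])

def real_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]  # live PTR lookup
    except OSError:
        return None                         # DNS: "no one important"

def real_forward(host):
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []

def verify_googlebot(ip, reverse=real_reverse, forward=real_forward):
    """True only if the PTR name is Google's and it resolves back to ip."""
    host = reverse(ip)
    if host is None or not host.rstrip(".").lower().endswith(GOOGLE_SUFFIXES):
        return False                        # no PTR, or a non-Google name
    return ip in set(forward(host.rstrip(".")))   # forward lookup must confirm

def decide(user_agent, ip, reverse=real_reverse, forward=real_forward):
    """Slide 40 outcome: allow a verified Googlebot, block an impersonator."""
    if "Googlebot" not in user_agent:
        return "no_googlebot_claim"
    return "allow" if verify_googlebot(ip, reverse, forward) else "block"
```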
  • 43. I'm a bot that simulates a browser. ASM: OK, what are your capabilities? If you don't answer right you will have to answer a CAPTCHA and/or be blocked. ... You are not human, byyyye -> block this unhuman! Bummer.
    [Cartoon: Capability? CAPTCHA? Server.]
  • 45. • If Block Suspicious Browsers is unchecked -> send the CS challenge.
    • If Block Suspicious Browsers is checked and CAPTCHA is checked -> send the Client Capabilities challenge and give it a score; if the score is in doubt, send a CAPTCHA for human verification.
    • If Block Suspicious Browsers is checked but CAPTCHA Challenge is unchecked -> do not send a CAPTCHA and only block if the score is more than a human.
  • 46. Client Capabilities – flow (user browser / DoS profile / app):
    1. First request: GET /sell.php (no cookie) reaches the DoS profile.
    2. DoS profile sends the Client Capabilities challenge: blank page & Set-Cookie.
    3. Browser returns the Client Capabilities verification (challenge response).
    4. DoS profile authenticates and decrypts the JS results, computes a browser score based on the result and determines an action based on the score.
    5. DoS profile reconstructs the request: original HTTP request + cookie to the app; HTTP response (cookie) back to the browser.
    6. GET /img.png (cookie); DoS profile validates the cookie: format & time stamp; GET /img.png is forwarded to the app.
  • 47. Capabilities script – evaluating the request: 0–59 – browser; 60–99 – unknown; 100 – bot.
    • If the score is from 0 to 59 it is assumed to be a browser and the request can pass through.
    • If the score is between 60 and 99 it is declared unknown and a CAPTCHA is sent to unknown sources. If the CAPTCHA challenge is solved the client is allowed in. A failed CAPTCHA challenge results in a connection reset.
    • If the score is 100 then the request is reset.
    The characteristics by which the score is set are F5 internal intellectual property, but in general a browser should have certain features that are expected from a browser. Missing headers, obsolete User Agents, or badly formed URLs are a few indicators of bot activity.
  • 49. Bot Defense request log (Security ›› Event Logs ›› Bot Defense ›› Request) – reason and resulting action:
    Passed Browser Challenge – Allow
    Passed CAPTCHA Challenge – Allow
    Passed Redirect Challenge – Allow
    Expired Browser Challenge – Browser Challenge
    Failed Browser Challenge – TCP RST
    Bad Response to CAPTCHA: incorrect or missing response – CAPTCHA Challenge
  • 51. iRules: BOTDEFENSE examples (https://devcentral.f5.com/wiki/iRules.BOTDEFENSE.ashx)
    # EXAMPLE: enable client-side challenges on a specific URL
    when BOTDEFENSE_REQUEST {
        if {[HTTP::uri] eq "/login.php"} {
            BOTDEFENSE::cs_allowed true
        }
    }
    # EXAMPLE: allow CSID actions on URLs with the .html extension
    when BOTDEFENSE_REQUEST {
        if {[HTTP::uri] ends_with ".html"} {
            BOTDEFENSE::cs_allowed true
        }
    }

Editor's notes

  1. This training is provided by the F5 Security Incident Response Team (SIRT). Creator – Lior Rotkovitch, https://twitter.com/Rotkovitch. Please e-mail any security related inquiries to f5sirt@f5.com
  2. The ASM DoS profile includes five major mitigations (v13.x). Each of the mitigation options has a different approach to identifying the DDoS attack:
    Anomaly (TPS based) – identifies an RPS increase at the source or destination and applies a prevention policy to it.
    Anomaly behavioral (stress based) – identifies a TPS anomaly (typically an increase) at the source or destination and applies a prevention policy to it.
    Anti bot – classifies the attack agent as a valid user using a browser or as a bot and applies a prevention policy to it.
    Source IP reputation – decides if the traffic is arriving from an IP with bad reputation and blocks it.
    Signature – identifies a pattern of the exploit or the attack agent in the payload and applies a prevention policy to it.
  3. The second section in the bot defense is the benign categories, which include bot signatures that are welcome on the web site; however, they can also be blocked if needed. Benign bot signatures can also be configured to none, report or block. The final section in the bot signature page is the bot signature list, where a specific signature can be disabled and excluded from the configured action.
  4. For any question or feedback please send an email to lior@f5.com or f5sirt@f5.com. https://twitter.com/Rotkovitch