WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
•Als PPTX, PDF herunterladen•
1 gefällt mir•475 views
WAF ASM / Advance WAF F5 WAF Brute force mitigation options Anomaly – identify the criteria that fail too many times and apply prevention policy on it Anti bot – identify the attack agent as bot and apply prevention policy on it Source IP – identify the attack agent origin from which the attack is originating and apply prevention policy on it Signature – identify a pattern of the exploit or the attack agent in the payload and apply prevention policy on it
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
Ähnlich wie WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean (20)
Mehr von Lior Rotkovitch
Mehr von Lior Rotkovitch (14)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
- 2. • Get security assistance when you are under attack ! • • • • • • F5SIRT@f5.com • https://f5.com/support/security-incident-response-team-sirt F5 Security Incident Response Team (F5 SIRT)
- 4. • “ In cryptography, a brute-force attack consists of an attacker trying many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.” I brute forced it
- 8. • • • •
- 9. Logging profile: • Log illegal request – can also be log all request but consider performance before • Enable application security • Verify that “login results” is checked - this will help us to verify that the login fail / success criteria is working ok. Note that this is not on by default. • Optional – enable bot defense logging
- 10. • 1. 2. 3. 4.
- 11. a. b. c. d.
- 14. HTML form – view source
- 16. • • • • •
- 17. • • • • • • • • • Post login *For post login string in the response – make sure there is no similar word in the response or false positive will hit you
- 18. • • • • • • • •
- 20. • • • •
- 21. • • •
- 22. • • • 1. 2.
- 23. • • • • •
- 24. Hacktivism Unidentified UserUser Coffee shop BF Bot App User User Local ISP proxy Office IP:Y IP:X IP:A • • •
- 25. Hacktivism Unidentified UserUser Coffee shop BF Bot App User User Local ISP proxy Office IP:Y IP:X IP:A ASM DID: 70 ASM DID: 60 ASM DID: 50 ASM DID: 20ASM DID: 30 ASM DID: 40 ASM DID: 1ASM DID: 2ASM DID: 3 • •
- 26. • • • •
- 29. • • •
- 30. • • • • • • • •
- 31. • • • • • • •
- 32. • to the URL • • by % • by fix
- 33. • from the source IP’s • by % • by fix
- 34. • Measurement for both criteria can be fine tune • Failed attempt threshold – ratio / fixed • •
- 35. 1. • A • B 2. • A • B 1 2 B A
- 36. Hacktivism BF Bot Unidentified User User Source IP‘s Users n Bots App User If reached thresholds for IP based then: Only X amount of request is allowed from this IP Example: Any IP that fails more then 2 times / 10 seconds will send only history amount of request = attack slow down + less false positive
- 37. Hacktivism BF Bot Unidentified User User Source IP‘s Users n Bots User If reached thresholds for URL based then: Only history amount of request is allowed to this URL for all IP’s App Example: Any IP that access the URL that counted 10 failed login / 10 seconds will be rate limit to the history
- 38. Hacktivism BF Bot Unidentified User User Source IP‘s Users n Bots App User Source IP that has 2 failed login / 10 sec will get CSID to see browser – pass / bot – block Example: Any IP that failed login 2/10 sec (or 10% increase of ratio) will get CSID and if will not qualify be blocked
- 39. Hacktivism BF Bot Unidentified User User Source IP‘s Users n Bots User ANY IP that failed login threshold reached will get CSID App Example: URL failed login reached 10 per 10 second so every IP will get CSID and will be blocked if not a browser
- 41. • • • • • • •
- 42. Good coverage • Main changes: • Same concept for access validation – sting to failed login • Source based can track : • User name • Device ID • IP address • Distributed mode • Credentials Stuffing • Easy to configure with simple thresholds
- 43. •
- 47. • • By source IP – measure RPS increase from the IP • By Device ID – measure RPS increase of a device ID • By Geolocation – measure PRS increase from country • By URL – measure RPS increase on a URL • • • • • Is stress based good in this case ? No
- 48. AVR top URLs on DoS visibility
- 50. • • • • • • • • • • Can Web scarping detect brute force ? Yes, it is also owns anomalies and anti bot mechanism
- 51. This is what happened when I did BF and WS was on
- 54. Simple & Impersonating Bots Bots with cookies / JS capabilities Bots acting as full browser Client Capabilities CAPTCHA Challenge CSID Bot Signatures ASM Signatures CAPTCHA Challenge
- 56. Client Side Integrity Defense - Flow User Browser DoS Profile App First main page access HTTP Request (no cookie) Computational challenge Solve challenge/ set cookie with time stamp HTTP Request (cookie) Reconstruct request Original HTTP Request HTTP Response (main page) HTTP Response (main page) More object requests (cookie) Validate cookie: format & time stamp More object requests More responses More responsesDeliver page • This is the flow and timeline of events. • Transparent to the user, done under the hood • Note that request is held at the ASM and not arriving the app until checks are satisfied • Not all checks are described here, some are internal IP. Send JS test
- 57. User Browser DoS Profile App Request login.php GET /login.php (no cookie) CAPTCHA HTML +JS response Cookie with time stamp Solve CAPTCHA CAPTCHA rendered Submit CAPTCHA solution GET /mypage.php + CAPTCHA cookie Verify CAPTCHA solution Validate cookie GET /mypage.php HTML of mypage.php HTML of mypage.php mypage.php rendered Send CAPTCHA • While the system is still in a state of attack the offending source will be presented with another CAPTCHA every 5 min. • Same as CSID, request is held at the ASM until CAPTCHA is solved
- 58. User Browser DoS Profile App First request GET /sell.php GET /sell.php (no cookie) Client Capabilities Challenge response Return Client Capabilities verification Reconstruct request HTTP Response (cookie) HTTP Response GET /img.png (cookie) Blank page & Set cookie Original HTTP Request + cookie Authenticate and decrypted JS results, Compute browser score based on result Determine an action based on score GET /img.png (cookie) Validate cookie: format & time stamp
- 61. Run first then ASM signatures DNS setting – exempt good bots from testing thus reduce FP e.g. google bot
- 64. • • • • •
- 66. • •
- 67. • • • • •
- 69. when HTTP_REQUEST { if { ( [HTTP::uri] eq "/index.aspx" && ![HTTP::header exists "Referer"] && [[HTTP::header “User-Agent”] contains “Firefox/2.2.2”] ) } { # log and drop the request as invalid log local0. “INCIDENT - Blocking request from [IP::remote_addr]" } else { #Allow this request as a Referer is present } }
- 70. •
Hinweis der Redaktion
- This training is provided by the F5 Security Incident Response Team (SIRT) Please E-mail any security related inquiries to <CLICK> f5sirt@f5.com
- I have used my own DSMM – Defensive Security Management Methodology . The book is on the way
- To consider it failed login: - it this true – i.e. true condition = failed login
- Can drop valid users. valid users are for example IP that fails 4 time per 1 minute – likely or not ? It depends
- Does CSID will be send to only those who access the URL or for every URL
- Is stress based good in this case ? No
- This animation illustrates the sequence of events from the initial user request through successful completion of the CAPTCHA challenge. It is similar to Client side integrity defense concept. Another advantage is that by sending CPAPTHA to client that their thresholds increase will have an effect of delaying the user since it will take time until solving the CAPTCHA challenge. Once the CAPTCHA challenge is solved the client will have a cookie that will be validate each request for format and time stamp. After 5 minutes ASM will issue a new CAPTCHAto this client ( keep in mind that this client (source IP or other detections) is exceeding the defined thresholds in the IP detection criteria therefore we can send him CAPTCHA’s as he is a suspect for causing dos)
- The first request arrives to the proactive bot defense with no cookie. The proactive bot defense holds the request and sends the Client Capabilities script back to the browser. Note that the request doesn’t arrive at the server at this point. The java script then scans the browser and returns results to the proactive bot defense . Proactive Bot Defense then authenticates and decrypts the java script. The browser score is computed based on the two database comparisons, and finally the action that will be taken is determined. If the score is between 0 and 59, then another response is sent to the browser with a set cookie inside a blank page. Then the request arrives to the proactive bot defense with the cookie and the original request is sent to the web server. The following requests will be validated for cookie format and timestamp. The entire flow describe here is transparent to the user and causes only a minor delay from the web server.
- For any question or feedback please send an email to lior@f5.com or the f5sirt@f5.com I’m also at: https://twitter.com/Rotkovitch https://www.linkedin.com/in/lior-rotkovitch-b796909/ http://cybersoc.net