F5 BIG-IP ASM - Brute Force and Web Scraping
Today, I want to write about two mitigation mechanisms that, I think, they are not used enough in enterprises. First, brute force attacks can be stopped easily with the free tool fail2ban but we can also use WAF appliances for blocking this kind of attacks. On the other hand, web scraping attacks can also be stopped easily with WAF appliances but most IT engineers don’t know it and, therefore, their web sites are not protected from competitors. These are two attacks that we can mitigate with F5 BIG-IP ASM.
Brute force attacks are attempts to discover credentials to break into services such as web services, file services or mail services. For example, malicious users and bots may be interested to get into secure areas and, as a result, they’ll need to discover legitimate credentials. How does F5 ASM protect web sites against brute force attacks? We have to define a login page, for instance user_login.php, and, thereafter, we have to apply the brute force protection to the security policy to know what to do when a brute force attack is detected. We can watch the configuration in the next video:
Web scraping attacks are sophisticated attacks whose aim is to obtain large amounts of data from web sites to extract proprietary data directly out of HTML such as price tracking, directory listings to get leads and marketing information, searching images, financial information, etc. How does F5 ASM protect companies against web scraping attacks? We have to enable Bot Detection and, thereafter, we have to configure interval and period times to detect bots. For example, if a client loads 30 different pages in 30 seconds, it will be unusual and it will be defined as a bot. We can watch the configuration in the next video:
However, there are some times that we may also want to deny access by countries because we are detecting too much attacks which come from a specific origin country. Carefully, if we don’t have customers or potential customers in such country, we’ll be able to deny traffic from the “malicious” country. In addition, we’ll be also able to deny traffic from Anonymous Proxies. How does F5 ASM protect web applications by geolocation? It is easy. We’ll define disallowed location and allowed location into the security policy. That’s all! We can watch the configuration in the next video:
Regards my friends and drop me a line with the first thing you are thinking.