Advance WAF bot mitigations V13.1

The ASM DoS profile (v13.x) includes five major mitigations. Each mitigation option takes a different approach to identifying the DDoS attack:

Anomaly (TPS based): identify an RPS increase at the source or destination and apply a prevention policy to it
Anomaly Behavioral (stress based): identify a TPS anomaly (typically an increase) at the source or destination and apply a prevention policy to it
Anti bot: classify the attack agent as a valid user using a browser or as a bot, and apply a prevention policy to it
Source IP reputation: decide whether the traffic is arriving from an IP with bad reputation and block it
Signature: identify a pattern of the exploit or of the attack agent in the payload and apply a prevention policy to it

Advance WAF bot mitigations V13.1

  1. F5 mitigations series by https://twitter.com/rotkovitch
  2. F5 Security Incident Response Team (F5 SIRT): F5SIRT@f5.com, https://f5.com/support/security-incident-response-team-sirt
  3. Agenda slide (only bullet and numbering markers were extracted)
  4. Agenda slide (only bullet and numbering markers were extracted)
  5. TPS-based detection, by source IP (agenda slide; the remaining bullets were not extracted)
  6. Diagram: users and bots (hacktivism, Google web bot, unidentified users) reach the web site, servers and database through source IPs (IP:X.X.X.X, IP:X.Y.Z.A, IP:A.B.C.D). ASM measures the request increase from each source IP.
  7. By source IP: 1. Detection, 2. Prevention policy, Ratio, Fix (section headings only)
  8. Detection ratio, worked on the slide: Long (History Interval) = 50 TPS; Short (Current Interval) = 370 TPS; TPS increased by ((370 - 50) / 50) * 100 = 640%; 640% > 500% = True. A safety belt prevents false positives.
  9. By source IP: Detection, Prevention policy, Fix (section headings only)
  10. TPS-based detection, by Device ID (agenda slide)
  11. Diagram: ASM fingerprints each source and assigns it a Device ID (ID:LK142, ID:LQ87A; ID:N/A for a client that could not be fingerprinted). The request increase is measured per Device ID.
  12. By Device ID: Detection, Prevention policy, Ratio, Fix (section headings only)
  13. TPS-based detection, by geolocation (agenda slide)
  14. Diagram: measuring the request increase from a specific country.
  15. By geolocation: Detection, Prevention policy, Ratio (section headings only)
  16. TPS-based detection, by URL (agenda slide)
  17. Diagram: measuring the request increase on a URL. App URLs and objects such as http://site.com/sell.php, http://site.com/style.css and http://site.com/login.php are each measured separately.
  18. By URL: Detection, Prevention policy, Ratio, Fix (section headings only)
  19. TPS-based detection, site wide (agenda slide)
  20. Diagram: site wide measures the request increase on both source IPs and URLs.
  21. Site wide: Detection, Prevention policy, Ratio, Fix (section headings only)
  22. Prevention policy: 1. Client side integrity defense (CSID) (agenda slide)
  23. CSID dialog. Client: "Hey server, can I get the web page?" ASM: "First show me that you are a browser." If a browser: "Yes, I'm a browser." If a bot: "*^lkjdfg@#$". ASM to the browser: "OK, you are allowed. Here is the web page you asked for." ASM to the bot: "Bye bye" (blocked).
  24. Client Side Integrity Defense flow (User Browser, DoS Profile, App):
      - First main page access: HTTP request (no cookie).
      - DoS profile sends the JS test (computational challenge).
      - Browser solves the challenge and sets a cookie with a time stamp, then repeats the HTTP request (cookie).
      - DoS profile validates the cookie (format and time stamp), reconstructs the original HTTP request and forwards it to the app.
      - App returns the HTTP response (main page); the DoS profile delivers the page. Further object requests carry the cookie and are validated the same way; more responses follow.
      Valid source: the client supports JavaScript, supports HTTP cookies and calculated the JS challenge. Not valid: did not pass the above; cookie in the wrong format: block (RST); time stamp expired: block (RST).
  25. (only bullet markers were extracted from this slide)
  26. Prevention policy: 2. CAPTCHA (agenda slide)
  27. CAPTCHA dialog. Client: "Hey server, can I get the web page?" ASM: "No, first answer a CAPTCHA challenge and show me you are human!" If a user: "OK, I answered." If not a user: "Ha? *^lkjdfg@#$". ASM to the user: "OK, you are allowed. Here is the web page you asked for." ASM to the bot: "Bye bye, block him dude!"
  28. CAPTCHA flow (User Browser, DoS Profile, App): the browser requests GET /mypage.php (no cookie); the DoS profile sends the CAPTCHA (HTML + JS response) and a cookie with a time stamp; the CAPTCHA is rendered, the user solves it and submits the solution as GET /mypage.php + CAPTCHA cookie; the DoS profile verifies the CAPTCHA solution, validates the cookie and forwards GET /mypage.php to the app; the HTML of mypage.php is returned and rendered.
      - While the system is still in a state of attack, the offending source is presented with another CAPTCHA every 5 minutes.
      - As with CSID, the request is held at the ASM until the CAPTCHA is solved.
  29. CAPTCHA is the ultimate solution for identifying human or bot: send a challenge to every IP that reached the IP detection criteria thresholds. Note: some argue that CAPTCHA is not good for usability, but it works well!
  30. Prevention policy: 3. Request blocking: i. Rate limit, ii. Request block (agenda slide)
  31. Request blocking dialog. Client: "Hey server, can I get the web page?" ASM: (a) "No, I'm limiting your request sending rate." Client: "Just 1 request per minute?" ASM: (b) "No, I'm totally blocking your" (text cut off on the slide).
  32. While CSID and CAPTCHA try to understand who the offending source is (bot or human), request limiting is indifferent to "identity" and simply limits or blocks the offending sources. Request Blocking: Blocking blocks all IPs of the offending source; Rate Limit limits the amount of requests allowed from the offending source.
  33. Bot classes: Simple bots, Impersonating bots, Full browser bots. Mitigations listed against them: Bot Signatures (ASM signatures), Client Capabilities challenge, CSID, CAPTCHA challenge.
  34. Simple bot dialog. Bot: "I'm a simple bot." ASM: "Yes, I have your signature. Sorry mate, you are blocked." A simple bot can be any command line tool such as curl, wget or ab.
  35. Benign categories: disable specific bot signatures.
  36. Security ›› Options ›› DoS Protection ›› Bot Signatures List
  37. (only bullet markers were extracted from this slide)
  38. Impersonating bot dialog (reverse DNS). "Gohogle": "I'm a Google bot, ha ha ha." ASM: "Let's see if you are. I'm doing a reverse DNS lookup." ASM to the DNS server: "Hey DNS, who's this guy?" DNS: "No one important." ASM: "You are not Googlebot. Bye bye, block this creature!" Gohogle: "Bummer." The genuine client identifies itself as Google with User-Agent Googlebot/2.1 (+http://www.google.com/bot.html).
  39. Impersonating bot dialog (client capabilities). Bot: "I'm a bot that simulates a browser." ASM: "OK, what are your capabilities? If you do not answer right you will have to answer a CAPTCHA and/or be blocked." ASM: "You are not human, byyyye, block this unhuman!" Bot: "Bummer."
  40. Block Suspicious Browsers logic:
      - If Block Suspicious Browsers is unchecked: send the CS challenge.
      - If Block Suspicious Browsers is checked and CAPTCHA is checked: send the Client Capabilities challenge and give it a score; if the score is in doubt, send a CAPTCHA for human verification.
      - If Block Suspicious Browsers is checked but CAPTCHA Challenge is unchecked: do not send a CAPTCHA and only block if the score is more than a human.
  41. Client Capabilities flow (User Browser, DoS Profile, App): first request GET /sell.php (no cookie); the DoS profile returns the Client Capabilities challenge as a blank page and sets a cookie; the browser runs the challenge and returns the Client Capabilities verification; the DoS profile authenticates and decrypts the JS results, computes a browser score from them and determines an action based on the score; it reconstructs the original HTTP request + cookie and forwards it; HTTP response (cookie) back to the browser; further requests such as GET /img.png (cookie) have the cookie validated (format and time stamp).
  42. Capabilities script, evaluating the request: score 0 to 59 = browser, 60 to 99 = unknown, 100 = bot.
      - If the score is from 0 to 59 it is assumed to be a browser and the request can pass through.
      - If the score is between 60 and 99 it is declared unknown and a CAPTCHA is sent. If the CAPTCHA challenge is solved the client is allowed in; a failed CAPTCHA challenge results in a connection reset.
      - If the score is 100 the request is reset.
      The characteristics by which the score is set are F5 internal intellectual property, but in general a browser should have certain features that are expected of a browser. Missing headers, obsolete User-Agents or badly formed URLs are a few indicators of bot activity.
  43. (only bullet markers were extracted from this slide)
  44. Bot Defense event log (Security ›› Event Logs ›› Bot Defense ›› Request): Passed Browser Challenge: Allow; Passed CAPTCHA Challenge: Allow; Passed Redirect Challenge: Allow; Expired Browser Challenge: Browser Challenge; Failed Browser Challenge: TCP RST; Bad Response to CAPTCHA (incorrect or missing response): CAPTCHA Challenge.
  45. iRule examples (https://devcentral.f5.com/wiki/iRules.BOTDEFENSE.ashx):

      ```tcl
      # EXAMPLE: enable client-side challenges on a specific URL
      when BOTDEFENSE_REQUEST {
          if {[HTTP::uri] eq "/login.php"} {
              BOTDEFENSE::cs_allowed true
          }
      }

      # EXAMPLE: allow CSID actions on URLs with the .html extension
      when BOTDEFENSE_REQUEST {
          if {[HTTP::uri] ends_with ".html"} {
              BOTDEFENSE::cs_allowed true
          }
      }
      ```
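The TPS-based detection ratio from slide 8, as an added example that is not part of the slides or F5's code: the 500% ratio threshold is the slide's value, while the minimum-TPS "safety belt" value and the window lengths are assumptions made here, not F5 defaults.

```python
# Added example: slide 8's ratio applied to a per-source stream of TPS samples.
from collections import deque
from statistics import mean

RATIO_THRESHOLD_PCT = 500.0   # from the slide: 640 % > 500 % = True
MIN_TPS_SAFETY_BELT = 100.0   # assumption: a source below this rate never trips the ratio


def tps_increase_pct(long_tps: float, short_tps: float) -> float:
    """Slide formula: ((short - long) / long) * 100.
    A zero history baseline would divide by zero, so any traffic on a silent
    baseline counts as an unbounded increase and no traffic as no increase."""
    if long_tps <= 0:
        return float("inf") if short_tps > 0 else 0.0
    return (short_tps - long_tps) * 100.0 / long_tps


def is_tps_anomaly(long_tps: float, short_tps: float) -> bool:
    """Ratio test plus the safety belt: the current interval must itself be busy
    enough to matter, otherwise a 1 TPS -> 7 TPS blip would read as +600 %."""
    if short_tps < MIN_TPS_SAFETY_BELT:
        return False
    return tps_increase_pct(long_tps, short_tps) > RATIO_THRESHOLD_PCT


class SourceTpsMonitor:
    """Tracks one source (IP, Device ID, geolocation or URL). The long (history)
    interval is the mean of the last `history_len` samples; the short (current)
    interval is the newest sample."""

    def __init__(self, history_len: int = 10):
        self.history = deque(maxlen=history_len)

    def observe(self, tps: float):
        """Returns (long_tps, short_tps, anomaly) for this sample, then records it."""
        long_tps = mean(self.history) if self.history else 0.0
        anomaly = bool(self.history) and is_tps_anomaly(long_tps, tps)
        self.history.append(tps)
        return long_tps, tps, anomaly
```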
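The Client Side Integrity Defense exchange of slide 24 as a DoS-profile decision function, added here as an example and not taken from the slides or from F5. The cookie layout (ts|nonce|proof|tag), the HMAC key, the stand-in computational challenge and the 5-minute lifetime are assumptions made for this example; the real ASM cookie format is not documented on the page.

```python
# Added example: CSID flow (no cookie -> JS test; bad format or expired -> RST).
import base64
import hashlib
import hmac
import os

SECRET = os.urandom(32)   # per-instance key, constructed at start-up (assumption)
COOKIE_TTL = 300          # assumed lifetime of a solved challenge, in seconds
SEND_JS_CHALLENGE, FORWARD, TCP_RST = "send_js_challenge", "forward_request", "tcp_rst"


def _tag(ts: str, nonce: str) -> str:
    """Profile-side MAC binding the time stamp to the nonce, so a client cannot
    forge or extend either without the secret."""
    return hmac.new(SECRET, f"{ts}|{nonce}".encode(), hashlib.sha256).hexdigest()[:32]


def _proof(ts: str, nonce: str) -> str:
    """Stand-in for the computational JS challenge: the answer the browser must compute."""
    return hashlib.sha256(f"{nonce}:{ts}".encode()).hexdigest()[:16]


def issue_challenge(now: int) -> dict:
    """Step 'Send JS test': the first request had no cookie, so send the challenge."""
    nonce = base64.urlsafe_b64encode(os.urandom(9)).decode()
    ts = str(now)
    return {"ts": ts, "nonce": nonce, "tag": _tag(ts, nonce)}


def browser_solve(challenge: dict) -> str:
    """Step 'Solve challenge / set cookie with time stamp', done by the browser's JS."""
    ts, nonce = challenge["ts"], challenge["nonce"]
    return "|".join((ts, nonce, _proof(ts, nonce), challenge["tag"]))


def decide(cookie, now: int) -> str:
    """Step 'Validate cookie: format & time stamp', run on every request."""
    if cookie is None:
        return SEND_JS_CHALLENGE                 # first access: no cookie yet
    parts = cookie.split("|")
    if len(parts) != 4 or not parts[0].isdigit():
        return TCP_RST                           # cookie is wrong format -> Block (RST)
    ts, nonce, proof, tag = parts
    if not (hmac.compare_digest(tag, _tag(ts, nonce))
            and hmac.compare_digest(proof, _proof(ts, nonce))):
        return TCP_RST                           # forged cookie or unsolved challenge
    if now - int(ts) > COOKIE_TTL:
        return TCP_RST                           # time stamp expired -> Block (RST)
    return FORWARD                               # reconstruct and forward the original request
```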

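The reverse DNS check of slide 38 for a client claiming to be Googlebot, added here as an example (not from the slides or F5). It goes one step beyond the slide by also forward-resolving the returned host name and requiring it to map back to the same IP, the forward-confirmed check Google documents for verifying its crawler. The resolver functions are injected so the check runs offline against constructed tables; the live_* defaults use the socket module.

```python
# Added example: forward-confirmed reverse DNS for a claimed Googlebot.
import socket

GOOGLEBOT_DOMAINS = (".googlebot.com", ".google.com")   # PTR suffixes Google publishes for Googlebot
ALLOW, BLOCK, NOT_CLAIMED = "allow", "block", "not_claimed"


def live_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]          # PTR record, real DNS

def live_forward(host: str) -> list:
    return socket.gethostbyname_ex(host)[2]     # A records, real DNS

def verify_googlebot_claim(ip, user_agent, reverse=live_reverse, forward=live_forward):
    """Slide 38: 'Hey DNS, who's this guy?' The claim is false when the PTR is not
    under a Google domain or when that name does not resolve back to the same IP."""
    if "Googlebot" not in user_agent:
        return NOT_CLAIMED                       # not pretending to be Google; other checks apply
    try:
        host = reverse(ip).rstrip(".").lower()
    except (OSError, LookupError):
        return BLOCK                             # "DNS: no one important"
    if not host.endswith(GOOGLEBOT_DOMAINS):
        return BLOCK                             # e.g. the slide's "Gohogle"
    try:
        if ip not in forward(host):
            return BLOCK                         # PTR says Google, but the name maps elsewhere
    except (OSError, LookupError):
        return BLOCK
    return ALLOW

# Constructed sample DNS data for an offline run (TEST-NET addresses, not real hosts)
PTR_TABLE = {
    "198.51.100.10": "crawl-198-51-100-10.googlebot.com",   # genuine-looking and forward-confirmed
    "198.51.100.11": "crawl-198-51-100-11.googlebot.com",   # spoofed PTR: forward lookup points elsewhere
    "203.0.113.7": "bot.gohogle.example",                   # the slide's "Gohogle" impersonator
}
A_TABLE = {
    "crawl-198-51-100-10.googlebot.com": ["198.51.100.10"],
    "crawl-198-51-100-11.googlebot.com": ["192.0.2.99"],
    "bot.gohogle.example": ["203.0.113.7"],
}

def table_reverse(ip):
    return PTR_TABLE[ip]          # KeyError is a LookupError: "no one important"

def table_forward(host):
    return A_TABLE.get(host, [])
```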
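The decision table of slides 40 and 42 (Block Suspicious Browsers and CAPTCHA Challenge settings, then the 0-59 / 60-99 / 100 score bands), added here as an example that is not the slides' or F5's code. The score bands and the three setting combinations are from the slides; the small indicator-based scorer at the end is an illustrative stand-in built only from the three indicators slide 42 names, since the real scoring characteristics are F5 internal IP.

```python
# Added example: Block Suspicious Browsers / CAPTCHA decisions over the capability score.
ALLOW, SEND_CS_CHALLENGE, SEND_CAPABILITIES, SEND_CAPTCHA, TCP_RST = (
    "allow", "cs_challenge", "client_capabilities", "captcha", "tcp_rst")


def classify_score(score: int) -> str:
    """Slide 42 bands: 0-59 browser, 60-99 unknown, 100 bot."""
    if not 0 <= score <= 100:
        raise ValueError("score must be 0..100")
    if score <= 59:
        return "browser"
    return "unknown" if score <= 99 else "bot"


def first_action(block_suspicious: bool) -> str:
    """Slide 40: which challenge the DoS profile sends on the first request."""
    return SEND_CAPABILITIES if block_suspicious else SEND_CS_CHALLENGE


def action_for_score(score: int, captcha_enabled: bool) -> str:
    """Slides 40 and 42: action once the capabilities challenge has been scored."""
    verdict = classify_score(score)
    if verdict == "bot":
        return TCP_RST                 # 100: the request is reset
    if verdict == "unknown":
        # in doubt: CAPTCHA when enabled; otherwise only "more than a human" blocks
        return SEND_CAPTCHA if captcha_enabled else ALLOW
    return ALLOW                       # 0-59: assumed to be a browser


def captcha_result(solved: bool) -> str:
    """Slide 42: a solved CAPTCHA lets the client in; a failed one resets the connection."""
    return ALLOW if solved else TCP_RST


def illustrative_score(headers: dict, path: str) -> int:
    """Constructed stand-in, not F5's scoring: uses only the indicators the slide
    names (missing headers, an obsolete User-Agent, a badly formed URL)."""
    score = 0
    for name in ("Accept", "Accept-Language", "User-Agent"):
        if name not in headers:
            score += 30                # each expected browser header that is missing
    if "MSIE 6.0" in headers.get("User-Agent", ""):
        score += 40                    # obsolete User-Agent (example string)
    if not path.startswith("/") or " " in path or "\x00" in path:
        score += 40                    # badly formed URL
    return min(score, 100)
```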
Editor's Notes

  • This training is provided by the F5 Security Incident Response Team (SIRT)
    Creator – Lior Rotkovitch https://twitter.com/Rotkovitch

    Please e-mail any security related inquiries to f5sirt@f5.com

  • The second section of the bot defense page is the benign categories. These contain bot signatures that are welcome on the web site, but they can also be blocked if needed.
    Benign bot signatures can be configured to none, report or block.
    The final section of the bot signature page is the bot signature list, where a specific signature can be disabled and excluded from the configured action.

  • For any question or feedback please send an e-mail to lior@f5.com or f5sirt@f5.com

    https://twitter.com/Rotkovitch