Jason_Chapman_3
Feb 19, 2014

Raise ASM violation based on return JSON element value

I have a strange requirement to be able to shun (block connections from a source IP) for a fixed time period based on the number of times a certain value is returned to a JSON request (a return value against a parameter in the JSON response). I have been trying to do this by triggering an ASM violation for this pattern but it's proving tricky.

 

The sample message for example would be:

 

http://rest.mydomain.com/mobileapp/mobile?action=DoSomething&Serial=111111111&typeid==1&RequestType=1111111

 

Response may be (this isn't well formed, it's just to illustrate the concept):

 

jsonCallbackData({"response":{"resultCode":"1112","resultType":"1111111"}}};

 

The logic I am trying to embed is, for example, something like: should a source IP have a resultCode of 666 returned more than 10 times in 5 minutes, raise a security violation (and block for a set period of time).

 

I have tried a variety of ideas. Has anyone tackled a similar problem?

 

Thanks for your help

 

2 Replies

  • I haven't tackled a similar problem, but you could try attacking this one with an iRule. A while back, Jason Rahm created an iRule that does something similar to the idea that you are describing. Granted, Jason's iRule was targeted at defeating an SSL Renegotiation attack, but the logic is very similar.

    if client attempts renegotiation more than 5 times in one minute, silently drop the connection

    Here's a link to an article that outlines the iRule and logic behind it: https://devcentral.f5.com/articles/ssl-renegotiation-dos-attack-ndash-an-irule-countermeasure.U2lNxCjmqZc

    I'm thinking you could do something similar.

    if IP address returns resultCode"666" > 10 times in 5 minutes, block the IP for x minutes

    We could help with iRule syntax if you wanted to go this route.

  • Late on this one, but you could also try:

    • creating a new ASM violation + signature matching your use case
    • using ASM built-in session tracking/delay blocking

    The last one allows you to block a user for X minutes if he reaches Y amount of violations that you can specify.
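
The rule proposed in the first reply ("if IP address returns resultCode 666 > 10 times in 5 minutes, block the IP for x minutes"), written out as an iRule. This is an added example, not code from the thread or from the linked article; the 600-second block time, the table key names, the 1 MB body cap and the regular expression for the response field are assumptions.

```tcl
when RULE_INIT {
    set static::rc_limit   10       ;# hits tolerated per window
    set static::rc_window  300      ;# 5 minutes, in seconds
    set static::rc_block   600      ;# block duration in seconds (assumed value for "x minutes")
    set static::rc_maxbody 1048576  ;# do not buffer responses larger than this (assumption)
}
when CLIENT_ACCEPTED {
    # Refuse new connections while the source IP has a live block entry.
    if { [table lookup -notouch "rcblock:[IP::client_addr]"] ne "" } {
        reject
    }
}
when HTTP_REQUEST {
    set rc_ip [IP::client_addr]
    # Keep-alive connections: re-check the block on every request.
    if { [table lookup -notouch "rcblock:$rc_ip"] ne "" } {
        reject
    }
}
when HTTP_RESPONSE {
    # Buffer only bodies with a declared, bounded length.
    set rc_len [HTTP::header value "Content-Length"]
    if { $rc_len ne "" && $rc_len > 0 && $rc_len <= $static::rc_maxbody } {
        HTTP::collect $rc_len
    }
}
when HTTP_RESPONSE_DATA {
    if { [regexp {"resultCode"\s*:\s*"666"} [HTTP::payload]] } {
        # One subtable entry per hit; each entry expires after the window,
        # so the key count equals the number of hits in the last 5 minutes.
        set hit [table incr "rchits:$rc_ip"]
        # Keep the hit counter alive as long as any window entry can exist,
        # otherwise a reset counter would overwrite older keys.
        table timeout "rchits:$rc_ip" $static::rc_window
        table set -subtable "rcwin:$rc_ip" $hit 1 indef $static::rc_window
        if { [table keys -subtable "rcwin:$rc_ip" -count] > $static::rc_limit } {
            table set "rcblock:$rc_ip" 1 indef $static::rc_block
            log local0. "resultCode 666 limit exceeded, blocking $rc_ip for $static::rc_block s"
        }
    }
    HTTP::release
}
```

Responses without a Content-Length header (chunked encoding) are not inspected by this rule, and blocking on source IP affects every client behind the same NAT address.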