Forum Discussion

Erwin_25552's avatar
Erwin_25552
Icon for Nimbostratus rankNimbostratus
Nov 19, 2014

Bruteforce mitigation on JSON parameters

Hi All,

 

I would like to know the possibilities to protect a webserver,against bruteforce attacks, who uses JSON parameters. In the ASM, the default option is, to protect a loginpage. The webapplication we want to protect, uses JSON parameter. The request looks like this :

 

Content-Length: 84 Proxy-Connection: keep-alive Content-Type: application/json; charset=utf-8 User-Agent: [ics]:[iPad]:[2.1]:[20141103]:[1]:[Retina] Connection: keep-alive

 

{"cardPostFix":"0097","postalCode":"1112CN","houseNumber":"5","expiryDate":"08\/18"}

 

There is a possibility to do something with JSON (JSON profiles) but this concentrate on only the data and lenght that passes the ASM. Not bruteforce.

 

Is there a basis iRule for this to exam this kind of mitigation. I looked for some and find one(POST Request Exponential Backoff), but I'm not sure this is the right way to implement a bruteforce mitigation.

 

Thanks in advance. Erwin

 

ASM Advanced WAF
deployment
design
JSON
security

4 Replies

Sort By
  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    Nov 19, 2014

    Can you clarify what your definition of a brute force attack is please? Are these POST requests? Is a HTTP error returned? Are you more concerned about multiple valid requests but over a short time period etc. etc

     

  • Erwin_25552's avatar
    Erwin_25552
    Icon for Nimbostratus rankNimbostratus
    Nov 19, 2014

    Hi. The definition of these bruteforces is protect the webserver from multiple request (valid or not valid) from one source in a short of time. The are certain POST request.

     

  • Erik_Novak's avatar
    Erik_Novak
    Icon for Employee rankEmployee
    Nov 24, 2014
    Hi Erwin, you should be able to configure protection against multiple requests from a single source by configuring a login page and then defining thresholds for it. I don't think you need to worry about JSON parameter complications for this. In ASM, go to Application Security>Anomaly Detection>Brute Force Attack Prevention, and then create a page that you want to protect. You can specify exactly how many attempts from the same client will be allowed.
  • Marc_LeBeau's avatar
    Marc_LeBeau
    Icon for Nimbostratus rankNimbostratus
    Mar 24, 2015

    Have you looked at Project BAIU? F5 is considering hard baking this into the product still. It was designed for brute forcing and is proven to be incredibly accurate and effective plus you can configure just how basic or advanced you want it. The user ID extraction iRule focuses on forms and normal parameters to extract user IDs. If you want it to do JSON, then change one of the string maps "string map \x2D\x2D\x2D\x2D\x2D \x26" to "string map \x22\x3A\x22 \x26 and then you'll be parsing out JSON data and rate limiting it i.e. preventing brute forcing and heavy hitters. marclebeauaz@yahoo.com if you need more info about this suite of iRules.

     

    Project BAIU on DevCentral

     

    Project BAIU Home Page including the 5 million IP/network blacklist