mitigation of brute force attacks using ASM for lync autodiscover

Question

Hi
we do use LTM as reverse proxy to publish lync autodiscover service externally. however it cause a security issue as any person can download lync mobile client and cause account lockout after multiple try with worng password. is there any way to protect ntlm authentication during the autodiscover process by using ASM. (we are running lync 2010 in hybrid mode)
the below article explain a way to mitigate the risk but did any one used it for Lync ? 
https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-4-0/21.html&nbsp;
we do profer to use ASM as Irules looks to be complicated &nbsp;

chris_grant · Answer

You might be able to do this, but the general consensus from most of my colleagues is that this is generally a bad idea.  Lync is only partially HTTP and the ASM will simply refuse to pass any traffic that is not RFC compliant HTTP traffic.  You might be able to protect the authentication, but you will still need an iRule to disconnect the ASM once that's done.  &nbsp;
Also be aware that our Brute Force protection protects a specific URL, so you will need to know which page Lync is trying to hit for authentication. &nbsp;

michael_koyfma1 · Answer

Have you seen this great solution by Yann?  https://devcentral.f5.com/codeshare/dos-and-ntlm-brute-force-protection-for-https-flow-904?tag=programmability+contest&nbsp;
Should help you accomplish what you're looking for.&nbsp;

guiz49_261118 · Answer

Hello
thanks for your replies.  I was able to configure dynamic brute force attack and it does reject connection after few tries. 
however we are trying now to enable session tracking but session tracking doesn't pick any attempt to login....&nbsp;

guiz49_261118 · Answer

Hello
thanks for your replies.  I was able to configure dynamic brute force attack and it does reject connection after few tries. 
however we are trying now to enable session tracking but session tracking doesn't pick any attempt to login....&nbsp;

Forum Discussion

mitigation of brute force attacks using ASM for lync autodiscover

4 Replies

Recent Discussions

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Related Content

Mitigating JSON-based SQL injection with BIG-IP ASM / Advanced WAF Attack Signatures

Mitigating OWASP Web Application Risk: SSRF Attack using F5 XC Platform

Mitigating OWASP Web Application Risk: Broken Access attacks using F5 Distributed Cloud Platform

F5 Distributed Cloud L3-L7 DDoS Mitigation

CitrixBleed Mitigation CVE-2023-4966