dragonflymr
Nov 06, 2015

ASM and targeted form exploitation

Hi,

I am looking for real-life experiences/advice related to protecting against very precise automation-based form filling. The main point here is that the whole process is not violating any application logic, is not using fake data, and is not used to exhaust server resources. This is a completely legitimate transaction using real data to fill the form. The people behind it are very skilled in circumventing any new protections. All built-in features of ASM/LTM are already deployed - security policies (not of great use as there are not really any serious attacks launched), DoS profiles, Web Scraping (those are catching some attempts to auto-fill and post forms), connection limits on virtual, etc. We are not talking about some generic bots or scripts used to detect a form and fill it with some crap data. All kinds of default challenges like redirect, JavaScript, CAPTCHA are circumvented very fast. I suspect that headless browsers are used for that (like PhantomJS or CasperJS), so mouse movements or keystrokes with randomization can be used here.

Any ideas/advice on what kind of additional protection can be used? Especially how to reliably detect automation attempts using the mentioned headless browsers?

Piotr

10 Replies

  • I highly suggest trying version 12 and using Proactive Bot Detection in the L7 DDoS profile. There are significant improvements in v12 with respect to the ability to detect headless browsers such as PhantomJS, etc.

    • dragonflymr
      Hi, thanks for the info. Do you have any info on what exactly was implemented - or, as I guess, is it F5's secret? I am still wondering how it can stand up against a targeted attack performed by really skilled persons knowing that ASM is used for protection. Piotr
    • Michael_Koyfma1
      Piotr, yes, as you guessed, it is the F5 secret. In general, as you know, for every malicious activity there is a countermeasure - and F5 continues to improve the countermeasures against various types of bots and automated hacking mechanisms. While nothing is guaranteed, I suggest you try out v12 and see if the new features are effective in combating the activity you're seeing.
    • dragonflymr
      Hi, thanks for the info. Maybe you know any good links (not only F5) about identifying and blocking bots based on headless browsers? Piotr
  • Take a look at Distil Networks -- this is what they do, and they complement (not replace) ASM