-
Security -> Application Security: Anomaly Detection: Brute Force Attack Prevention
- Login Page
- IP Address Whitelist (IP Address/Subnet Mask)
- Session-based Brute Force Protection (Blocking Settings – Input Violations/Brute Force: Maximum login attempts are exceeded)
- Login attempts from the same client (5)
- Re-enable login after (600) seconds – 10 minutes
- Dynamic Brute Force Protection (uses statistical analysis)
- Operation Mode (Off/Alarm/Alarm and Block)
-
Detection Criteria (Failed Login Attempts, FLA) – Global
- Minimum FLA per second threshold for detection (20)
- FLA increased by (500) % over the learned baseline
- FLA rate reached (100) per second
-
Suspicious Criteria (Per IP Address)
- FLA from that IP increased by (500) % over its baseline
- FLA rate from that IP reached (20) per second
-
Prevention Policy (the first enabled method in the list that applies is used)
- Source IP-Based Client-Side Integrity Defense (a JavaScript challenge is used to tell a legitimate browser from a script posing as one; applied per source IP)
- URL-Based Client-Side Integrity Defense (same JavaScript challenge, applied to requests for the attacked URL)
- Source IP-Based Rate Limiting
- URL-Based Rate Limiting
- Prevention Duration (Unlimited by default)
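Worked example (added here; not F5/ASM code): the two brute force mechanisms above, modelled in Python over constructed login events. SessionBruteForce applies the session-based settings (5 attempts from the same client, re-enable after 600 s); evaluate() applies the dynamic detection and suspicious criteria (minimum 20 FLA/s, +500 % over baseline, 100/s global and 20/s per IP). The baseline is a simple mean over the preceding seconds, the IP addresses and event counts are constructed, and the reading that the minimum threshold gates the other two criteria is an assumption about how the settings combine, not documented ASM behaviour.

```python
"""Added example (not BIG-IP ASM code): the brute force thresholds from the notes, applied to
constructed login events.  Session-based protection counts failures per client and blocks for
the re-enable interval; dynamic protection compares the failed-login rate against a baseline."""
from collections import defaultdict

# Session-based defaults from the notes
MAX_ATTEMPTS = 5          # login attempts from the same client
REENABLE_AFTER = 600      # seconds before the client may log in again

# Dynamic detection defaults from the notes (failed login attempts per second, "FLA")
GLOBAL = {"minimum": 20, "increase_pct": 500, "rate": 100}
PER_IP = {"increase_pct": 500, "rate": 20}


class SessionBruteForce:
    """Per-client failed-login counter with a timed lockout."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, reenable_after=REENABLE_AFTER):
        self.max_attempts = max_attempts
        self.reenable_after = reenable_after
        self.failures = defaultdict(int)
        self.blocked_until = {}

    def login(self, client, success, now):
        """Return 'blocked', 'ok' or 'failed' for one attempt at time `now` (seconds)."""
        until = self.blocked_until.get(client)
        if until is not None:
            if now < until:
                return "blocked"
            del self.blocked_until[client]     # re-enable interval elapsed
            self.failures[client] = 0
        if success:
            self.failures[client] = 0
            return "ok"
        self.failures[client] += 1
        if self.failures[client] >= self.max_attempts:
            self.blocked_until[client] = now + self.reenable_after
        return "failed"


def _anomalous(rate, baseline, cfg):
    """Assumed reading of the notes: nothing fires below the minimum rate (where one is
    configured); above it, either the percentage increase over the baseline or the absolute
    rate triggers."""
    if rate < cfg.get("minimum", 0):
        return False
    increased = baseline > 0 and rate >= baseline * (1 + cfg["increase_pct"] / 100)
    return increased or rate >= cfg["rate"]


def build_events():
    """Constructed failed-login events, second -> list of source IPs (not real logs)."""
    benign = ["198.51.100.%d" % i for i in range(1, 5)]
    events = {sec: list(benign) for sec in range(10)}     # quiet: 4 failures/s
    events[10] = list(benign) + ["203.0.113.7"] * 25      # one source bursts to 25 failures/s
    return events


def rates(events, second):
    """Global and per-IP failed logins within one second."""
    ips = events.get(second, [])
    per_ip = defaultdict(int)
    for ip in ips:
        per_ip[ip] += 1
    return len(ips), dict(per_ip)


def baseline(events, second, window=10):
    """Mean rates over the preceding `window` seconds (stand-in for ASM's learned baseline)."""
    n = max(1, min(window, second))
    total, per_ip = 0, defaultdict(int)
    for s in range(max(0, second - window), second):
        g, ip_counts = rates(events, s)
        total += g
        for ip, c in ip_counts.items():
            per_ip[ip] += c
    return total / n, {ip: c / n for ip, c in per_ip.items()}


def evaluate(events, second):
    """Return (global attack detected?, sorted list of suspicious IPs) for one second."""
    g_rate, ip_rates = rates(events, second)
    g_base, ip_bases = baseline(events, second)
    attack = _anomalous(g_rate, g_base, GLOBAL)
    suspicious = sorted(ip for ip, r in ip_rates.items()
                        if _anomalous(r, ip_bases.get(ip, 0.0), PER_IP))
    return attack, suspicious


if __name__ == "__main__":
    guard = SessionBruteForce()
    print([guard.login("10.0.0.5", False, t) for t in range(6)])   # 5 failures, then blocked
    print(evaluate(build_events(), 5), evaluate(build_events(), 10))
```

In the burst second the global rate (29/s) clears the minimum and is more than six times the 4/s baseline, so the global criteria fire; only 203.0.113.7 crosses the per-IP 20/s line, which is the address the prevention policy would then act on.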
-
Security -> Application Security: Anomaly Detection: Web Scraping
-
Prerequisites:
- DNS server must be listed under DNS lookup server list
- Client browsers need to have JavaScript enabled, and support cookies for Anomaly Detection to work
- Consider disabling response caching; if it is enabled, the system does not protect cached content
- ASM does not apply web scraping detection to legitimate search engine traffic. If the web app has its own search engine, add it under Security > Options > Application Security > Advanced Configuration > Search Engines
-
Methods/Options
-
Bot Detection
- Determines whether the web client is a human or a web robot
- Uses Capture Rapid Surfing defaults
- Off/Alarm/Alarm and Block
-
Session Opening
- Too many sessions opened from a specific IP address
- The system can detect session opening anomalies only if clients have JavaScript enabled
-
- Operation Mode (Off/Alarm/Alarm and Block)
-
Detection Criteria (Sessions opened per second)
- increased by (500) %
- reached (50)
- Minimum sessions opened per second threshold for detection (25)
- Prevention Duration (1800) – 30 minutes
-
-
Session Transaction Anomaly
- A suspicious number of transactions within a single session
-
- Operation Mode (Off/Alarm/Alarm and Block)
-
Detection Criteria (Session transactions)
- above normal by (500) %
- reached (400)
- Minimum session transactions threshold for detection (200)
- Prevention Duration (1800) – 30 minutes
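Worked example (added here; not F5/ASM code): the Session Opening and Session Transaction Anomaly settings above, with the Off / Alarm / Alarm and Block modes and the 1800 s prevention duration, as a small Python monitor run over constructed requests. The learned baselines (5 sessions/s per IP, 40 transactions per session), the IP addresses and session IDs are all assumptions, as is the reading that the minimum threshold gates the percentage and "reached" criteria.

```python
"""Added example (not BIG-IP ASM code): session opening and session transaction anomaly
thresholds from the notes, with the operation modes and prevention duration, over constructed
requests.  Baselines are assumed values standing in for what ASM learns from traffic."""
from collections import defaultdict, deque

# Defaults as listed in the notes
SESSION_OPENING = {"increase_pct": 500, "reached": 50, "minimum": 25, "prevention": 1800}
SESSION_TRANSACTIONS = {"increase_pct": 500, "reached": 400, "minimum": 200, "prevention": 1800}


def exceeds(value, baseline, cfg):
    """Assumed reading of the settings: nothing fires below the minimum; above it, either the
    relative increase over the baseline or the absolute 'reached' value triggers."""
    if value < cfg["minimum"]:
        return False
    increased = baseline > 0 and value >= baseline * (1 + cfg["increase_pct"] / 100)
    return increased or value >= cfg["reached"]


class ScrapingMonitor:
    def __init__(self, mode="alarm and block", open_baseline=5.0, tx_baseline=40.0):
        if mode not in ("off", "alarm", "alarm and block"):
            raise ValueError(mode)
        self.mode = mode
        self.open_baseline = open_baseline   # assumed normal sessions opened per second per IP
        self.tx_baseline = tx_baseline       # assumed normal transactions per session
        self.opens = defaultdict(deque)      # ip -> timestamps of session opens in the last second
        self.tx = defaultdict(int)           # session id -> transactions seen
        self.prevented = {}                  # ("ip", addr) / ("session", sid) -> prevention expiry
        self.alarms = []                     # (time, ip, session, [violations])

    def _prevented(self, key, now):
        until = self.prevented.get(key)
        if until is None:
            return False
        if now < until:
            return True
        del self.prevented[key]              # prevention duration elapsed
        return False

    def handle(self, now, ip, session, new_session=False):
        """Return 'allow', 'alarm' or 'block' for one request at time `now` (seconds)."""
        if self.mode == "off":
            return "allow"
        if self._prevented(("ip", ip), now) or self._prevented(("session", session), now):
            return "block"
        violations = []
        if new_session:
            q = self.opens[ip]
            q.append(now)
            while q[0] <= now - 1.0:         # sliding one-second window
                q.popleft()
            if exceeds(len(q), self.open_baseline, SESSION_OPENING):
                violations.append(("session opening", ("ip", ip), SESSION_OPENING["prevention"]))
        self.tx[session] += 1
        if exceeds(self.tx[session], self.tx_baseline, SESSION_TRANSACTIONS):
            violations.append(("session transaction", ("session", session),
                               SESSION_TRANSACTIONS["prevention"]))
        if not violations:
            return "allow"
        self.alarms.append((now, ip, session, [v[0] for v in violations]))
        if self.mode == "alarm":
            return "alarm"
        for _, key, duration in violations:  # Alarm and Block: prevent the IP / the session
            self.prevented[key] = now + duration
        return "block"


def open_burst(monitor, ip="203.0.113.9", count=30, start=100.0):
    """Constructed traffic: `count` new sessions from one IP within one second."""
    return [monitor.handle(start + i * 0.01, ip, "s%d" % i, new_session=True)
            for i in range(count)]


def transaction_run(monitor, session="scraper", ip="198.51.100.4", count=240, start=200.0):
    """Constructed traffic: one session issuing `count` requests, one per second."""
    return [monitor.handle(start + i, ip, session, new_session=(i == 0)) for i in range(count)]


if __name__ == "__main__":
    m = ScrapingMonitor()
    print(open_burst(m)[-2:], m.handle(100.5, "203.0.113.9", "s30", new_session=True))
    print(transaction_run(ScrapingMonitor(mode="alarm"))[-2:])
```

With the assumed baselines, the 30th session opened from one IP inside a second is exactly 500 % above 5/s and is blocked, and that IP stays blocked until the 1800 s prevention window expires; a single session is allowed up to 239 transactions (above the 200 minimum but below +500 %) and blocked at 240. In Alarm mode the same events are logged but every request is still served.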
-
-
Fingerprinting usage (unchecked by default)
-
If the system cannot detect session opening anomalies by IP address, ASM cookies, or persistent device identification, it identifies browsers and bots by collecting browser attributes (fingerprinting)
- Detects a forged browser identity, e.g. a curl command presenting a browser's User-Agent string
-
Suspicious Client (unchecked by default) – detects scraper extensions installed in a browser
- Off/Alarm and Block
-
-
Persistent Client Identification (unchecked by default)
- Log and/or prevent attackers from circumventing web scraping protection by resetting their sessions and re-sending requests
-
IP Address Whitelist (to keep legitimate users and internal/external scanners from triggering these alarms/blocks)
- IP Address/Subnet Mask
-
-