Brute force attacks are attempts to break in to secured areas of a web application by trying exhaustive, systematic, user name/password combinations to discover legitimate authentication credentials.
To prevent brute force attacks, the Application Security Manager™ tracks the number of failed attempts to reach the configured login URL. The system saves the information in two intervals:
You can configure both session-based and dynamic brute force protection.
You can configure the Application Security Manager™ to protect against brute force attacks. The system detects brute force attacks based on failed login rates. Therefore, you need to create login pages for the web applications you want to protect.
|HTML Form||The web application uses a form to collect and authenticate user credentials. If using this option, you also need to type the user name and password parameters written in the code of the HTML form.|
|HTTP Basic Authentication||The user name and password are transmitted in Base64 and stored on the server in plain text.|
|HTTP Digest Authentication||The web server performs the authentication; user names and passwords are not transmitted over the network, nor are they stored in plain text.|
|NTLM||Microsoft® LAN Manager authentication (also called Integrated Windows Authentication) does not transmit credentials in plain text, but requires a continuous TCP connection between the server and client.|
|Off||The system does not check for brute force attacks.|
|Alarm||The system logs brute force attack data.|
|Alarm and Block||In addition to logging the attack data, the system drops requests from the offending IP address, or requests to attacked URLs, depending on your configuration.|
|Minimum Failed Login Attempts||Indicates an attack if, for all IP addresses tracked, the number of login attempts is equal to, or greater than, this number. This setting prevents false positive attack detection. The default value is 20 login attempts per second.|
|Failed Logins Attempts increased by||Indicates an attack if, for all IP addresses tracked, the ratio between the detection interval and the history interval is greater than this number. The default value is 500 %.|
|Failed Login Attempts Rate reached||The system considers unsuccessful login attempts to be an attack if, for all IP addresses tracked, the login attempt rate reaches this number. The default value is 100 login attempts per second.|
|Source IP-Based Rate Limiting||Drops requests from suspicious IP addresses. The system limits the rate of requests to the average rate prior to the attack, or lower than the absolute threshold specified by the IP detection TPS reached setting. The default is enabled.|
|URL-Based Rate Limiting||Indicates that when the system detects a URL under attack, Application Security Manager™ drops connections to limit the rate of requests to the URL to the average rate prior to the attack. The default is enabled.|