Brute force attacks are attempts to break in to secured areas of a web application by trying exhaustive, systematic, user name/password combinations to discover legitimate authentication credentials.
To prevent brute force attacks, the Application Security Manager™ tracks the number of failed attempts to reach the configured login URLs. The system considers it to be an attack if the failed logon rate increased at a very high rate or if failed logins reached a certain number.
You can add default brute force protection when creating a security policy using the Deployment wizard. If you do, the policy simply needs to know for which login pages to enforce brute force protection. The system creates a default brute force configuration that applies to all defined login URLs that are not associated with any other brute force configuration.
You can have the system detect and create login pages automatically, or you can create them manually. But at least one login URL must be defined in the security policy to protect against brute force attacks. Then you can either use the default brute force configuration or create a new configuration.
Brute force security includes both session-based and dynamic brute force protection.
You can configure Application Security Manager™ (ASM) to protect against brute force attacks. The system detects brute force attacks based on failed login rates. Therefore, the security policy needs to have login pages for the web applications you want to protect. ASM can create login pages automatically by observing traffic, or you can create them yourself.
If the Learning Mode is Manual, the login page is added to the learning suggestions on the Traffic Learning screen where you can add it to the policy. The login pages in the security policy are included in the Login Pages List.
|?||Any single character.|
|[abcde]||Exactly one of the characters listed.|
|[!abcde]||Any character not listed.|
|[a-e]||Exactly one character in the range.|
|[!a-e}||Any character not in the range.|
|None||The web server does not authenticate users trying to access the web application through the login URL. This is the default setting.|
|HTML Form||The web application uses a form to collect and authenticate user credentials. If using this option, you also need to type the user name and password parameters written in the code of the HTML form.|
|HTTP Basic Authentication||The user name and password are transmitted in Base64 and stored on the server in plain text.|
|HTTP Digest Authentication||The web server performs the authentication; user names and passwords are not transmitted over the network, nor are they stored in plain text.|
|NTLM||Microsoft LAN Manager authentication (also called Integrated Windows Authentication) does not transmit credentials in plain text, but requires a continuous TCP connection between the server and client.|
|JSON/AJAX Request||The web server uses JSON and AJAX requests to authenticate users trying to access the web application through the login URL. For this option, you also need to type the name of the JSON element containing the user name and password.|
For brute force attack prevention to work, at least one login URL has to be defined. You can define login URLs, or you can let the system detect them automatically (see the sections on creating login pages).
The system detects and mitigates brute force attacks based on statistical analysis of failed login attempts. The system protects all defined login pages in the security policy. If you create a custom configuration, the system protects that particular login URL as specified in the configuration. All other login URLs use the default configuration unless you disable it.
Before brute force attack prevention can work, at least one login URL must be defined. You can define login URLs, or you can let the system detect them automatically (see the sections on creating login pages). To use session-based protection settings, the Brute Force: Maximum login attempts are exceeded violation must be set to block on the Learning and Blocking Settings screen.
|Off||The system does not check for brute force attacks.|
|Alarm||The system logs brute force attack data.|
|Alarm and Block||In addition to logging the attack data, the system drops requests from the offending IP address, or requests to attacked URLs, depending on how the attack was detected.|
|Minimum Failed Login Attempts||Indicates an attack if, for all IP addresses tracked, the number of login attempts is equal to, or greater than, this number. This setting prevents false positive attack detection. The default value is 20 login attempts per second.|
|Failed Logins Attempts increased by||Indicates an attack if, for all IP addresses tracked, the ratio between the detection interval and the history interval is greater than this number. The default value is 500 %.|
|Failed Login Attempts Rate reached||The system considers unsuccessful login attempts to be an attack if, for all IP addresses tracked, the login attempt rate reaches this number. The default value is 100 login attempts per second.|
|Source IP-Based Rate Limiting||Drops requests from suspicious IP addresses. The system limits the rate of requests to the average rate prior to the attack, or lower than the absolute threshold specified by the IP detection TPS reached setting. The default is enabled.|
|URL-Based Rate Limiting||Indicates that when the system detects a URL under attack, Application Security Manager™ drops connections to limit the rate of requests to the URL to the average rate prior to the attack. The default is enabled.|
The system detects and mitigates brute force attacks based on statistical analysis of failed login attempts to the specified login URL. The system protects that particular login URL as specified in the custom configuration. All other login URLs associated with the security policy are protected using the default configuration unless you disable it.