topic Re: Brute Force Attack and IP Ban in WAF

Brute Force Attack and IP Ban

nfrontin — Mon, 08 Apr 2024 14:04:05 GMT

Hello,

We have done some testing with brute force attack, thousands of requests from a single IP.

Most of complex attacks (XSS, Path Traversal, Injection ...) were blocked but the others were classified and let go through by appsec.

Server behind was suffering with the amount of request.

Is there a way for the appsec to handle that kind of thing ? Saying ok, this IP has a bad overall behaviour, too many bad requests so it is banned for an amount of time.

Best regards

Nicolas

Re: Brute Force Attack and IP Ban

yuvalmamka — Tue, 09 Apr 2024 08:20:00 GMT

Hi,

The WAF engine decides to block or not based on indicators we found and additional data we learn.
In case we see new requests, we didn't learn before, the decision will be made based on the indicators and the information we learned so far.

The IP will have a low user reputation as we will recognize it has a lot of malicious requests.

In this case, I can recommend turning on the Rate Limit capability and to set up a limit to the number of requests from a specific source to a specific timeframe.