- CheckMates
- :
- Products
- :
- CloudMates Products
- :
- CloudGuard - WAF
- :
- Re: Brute Force Attack and IP Ban
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Brute Force Attack and IP Ban
Hello,
We have done some testing with brute force attack, thousands of requests from a single IP.
Most of complex attacks (XSS, Path Traversal, Injection ...) were blocked but the others were classified and let go through by appsec.
Server behind was suffering with the amount of request.
Is there a way for the appsec to handle that kind of thing ? Saying ok, this IP has a bad overall behaviour, too many bad requests so it is banned for an amount of time.
Best regards
Nicolas
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
The WAF engine decides to block or not based on indicators we found and additional data we learn.
In case we see new requests, we didn't learn before, the decision will be made based on the indicators and the information we learned so far.
The IP will have a low user reputation as we will recognize it has a lot of malicious requests.
In this case, I can recommend turning on the Rate Limit capability and to set up a limit to the number of requests from a specific source to a specific timeframe.