Malicious Users

• Select Web App & API Protection service on the Home page.

Note: Alternatively, you can search for load balancers in the search located on top of the Home page.

• Select Manage > Load Balancers > HTTP Load Balancers. A list of load balancers is presented.

• Select ... > Manage Configuration for your load balancer and select Edit Configuration on the loaded form.

• Go to the Common Security Controls section.

• Select Enable in the Malicious User Detection field.

• Select Save and Exit.

• Select the Shared Configuration service.
• Navigate to Security > AI & ML > App Types. Select Add App Type. Enter a name for the app type in the metadata section.
• Select Add Item for the AI/ML Feature Type field in the Application Type Features section.
• Use the AI/ML Feature Type drop-down and select Malicious User Detection.
• Select Save and Exit.

• Switch to the Web App & API Protection service and change to the desired namespace.
• Select Manage > Load Balancers > HTTP Load Balancers. A list of load balancers is presented.
• Select ... > Manage Configuration for your load balancer and select Edit Configuration on the loaded form.
• Select Add label in the Labels field in the Metadata section.
• Select ves.io/app_type as the key and name of the app type you created in previous step as the value.
• Select Save and Exit.

• Using the Web App & API Protection service, go to Manage > AI & ML > App Settings and Select Add App setting.
• Enter a name and go to AppType Settings section. Select Add item.
• Select the Select app type drop-down and select the app type created in Step 1.
• In the Malicious User Detection section, select Configure to see the Malicious User Detection form. This form is pre-populated with the defaults; tune these settings per your needs.

This form shows the different problem categories used to identify a malicious user, sometimes including thresholds or sensitivity settings. By default, most methods of detecting malicious users are enabled. Based on a user's activities with respect to these problem categories, their threat level rises. Adjusting these parameters affects how much of an activity is required to raise their threat level. If the user stops activities in the problem categories for a period of time, their threat level is reduced. You can adjust that period of time by changing the Cooling Off Period at the bottom of the form.

• Include Namespace In Learning: The Distributed Cloud AI engine learns user behavior from traffic generated from all namespaces where virtual hosts and vK8s services are labelled with a valid apptype. Select Disable learning from this namespace to remove this capability for this namespace only.

• Malicious User Detection: This field enables or disables malicious user detection. If you disable the feature, no traffic will be flagged as coming from a malicious user. The various methods for malicious user detection are shown below. You can adjust how malicious user detection works using the following fields:

  • Forbidden Activity: A forbidden activity is any request that is denied through the service policy. This could be IP threat categories; forbidden domains and/or clients; HTTP methods, paths, query parameters, header; or more advanced matches. See Service Policy for more details. A user that exceeds the Forbidden Requests Threshold will be classified as malicious.

  • Failed Login Activity Choice: This feature keeps track of the number of login attempts that failed (specifically 401 Unauthorized response codes). When the number of login failures from a user exceeds the limit entered in the Login Failures Threshold, the user will be classified as malicious. A successful login will not reset the login failure count. Only the cooling off period (discussed below) will reset the malicious user status.

  • WAF Activity: WAF activity looks for known attack types and signatures, threat campaigns, malformed requests, and more. See Application Firewall for more details.

  • IP Reputation: This uses a database of IP addresses with questionable reputations. IP addresses earn their reputations by performing exploits or attacks, or these addresses might represent proxy servers, scanners, or systems that have been infected. The database contains IP addresses that—

    • Are considered malicious Botnets,

    • Have launched Denial of Service (DoS) attacks,

    • Host illegal material or activity,

    • Are associated with phishing web sites or web proxies,

    • And other malicious activities.

      • Bot Defense Activity: When this feature is enabled and the Bot Defense product is successfully configured on the load balancer, bot defense events will be included in the malicious user activity risk score calculation.

  • Rate Limiting: When this feature is enabled and the rate limiting product is successfully configured on the load balancer, users who exceed the configured rate limits will be included in the malicious user activity risk score calculation.

  • Cooling Off Period Setting: The Cooling off period (minutes) field specifies the number of minutes required to pass with no malicious activity in order to reduce a user's threat assessment. As each cooling off time period passes, a user's threat level will drop from high to medium, medium to low, and finally low to none. The cooling off period setting is used for all malicious user detection categories. The maximum Cooling off period is 120 minutes.

• Select Apply and to save the settings on the Malicious User Detection settings.
• Select Save and Exit to create the app settings object.

• Switch to the Web App & API Protection service and change to the desired namespace.
• Select Manage > Load Balancers > HTTP Load Balancers. A list of load balancers is presented.
• Select ... > Manage Configuration for your load balancer and select Edit Configuration on the loaded form.

• Go to the Common Security Controls section.
• Select Enable for the Malicious User Mitigation And Challenges drop-down.
• Select one of the options from the Malicious User Mitigation Settings drop-down as per the following guidelines:

  • The Default option is selected by default. This default mitigation action is applied in the following manner:

    • For the activity with low threat level, JavaScript challenge with default configuration will be issued.
    • For the activity with medium threat level, Captcha challenge with default configuration will be issued.
    • For the activity with high threat level, user will be temporarily blocked.

• Select Custom and select a malicious user mitigation object from the Custom drop-down. You can also use the Add Item option to create a new object and in case creating new object, do the following:

  • Enter a name for this malicious user mitigation object. In the Rules section, select Add item.
  • Select a threat level for the Threat Level field and an associated mitigation action for the Action field. By default, Threat Level Low and Javascript Challenge are populated.

  

  • Select Apply to save the rule.

  • Use the Add item in the Rules section to add more rules.

  

  • When finished adding rules, select Continue to add the malicious user mitigation object to the malicious user mitigation configuration.

• Scroll down and select Save and Exit to save changes to the load balancer.

  Note: The instructions shown in this document apply default settings for challenges such as JavaScript. Enable Show Advanced Fields option to view more options such as policy-based challenges to customize the configuration.