Malicious Users

Objective

This guide provides instructions on how to enable Malicious User Detection and Mitigation for your applications using the security options in the HTTP load balancer. To know more about security and load balancing concepts, see Security and Load Balancer.

Enabling this feature includes enabling detecting malicious activities and associated mitigation steps. The mitigation steps include issuing JavaScript Challenge or Captcha Challenge or temporary blocking of the user. Using the instructions provided in this guide, you can enable malicious user detection and set mitigation steps as per your choice.


Prerequisites

The following prerequisites apply:

  • Note: For instructions on how to delegate your domain to F5 Distributed Cloud, see HTTP Load Balancer. See the vK8s Deployment guide for deploying your applications on the F5 Distributed Cloud's Network Cloud or Edge Cloud.

Configuration

You can enable detection in one of the following ways:

  • Using single load balancer Machine Learning (ML) configuration - In this, the detection is enabled using the default configuration as part of load balancer configuration. If you prefer to customize the malicious user detection settings, use the following method.
  • Using multi load balancer ML configuration - In this, detection is enabled as part of the app type configuration, which also allows customization of the malicious user detection settings.

You can enable mitigation also in one of the following ways:

  • Using the load balancer security monitoring, malicious user IP addresses can be added to allow/deny lists.
  • Using the load balancer advanced security configuration, automatic mitigation of malicious users is configured.

Note: When Malicious User Mitigation is enabled and malicious user behavior is tracked, the system tags the users into threat levels High, Medium, and Low. The system automatically reduces the score when there is no malicious behavior detected for the user for a period of time. This is known as the Cooling Off Period. This period indicates how long it takes to reduce from High threat level to Low. The system executes a score decay mechanism over a period of time for this to happen. The default Cooling Off Period is 20 minutes. This period can be changed only when the detection method is using multi load balancer configuration. In case of single load balancer, the Cooling Off Period cannot be changed.

The instructions provided in this guide show all the options of enabling malicious user detection and mitigation.


Enable Malicious User Detection

Log into F5® Distributed Cloud Console (Console) and do the following:

Using Single Load Balancer Configuration

For a single load balancer configuration, the detection is enabled only for that load balancer.

Step 1: Start editing load balancer configuration.
  • Select Web App & API Protection service on the Home page.

Home Page
Figure: Home Page

Note: Alternatively, you can search for load balancers in the search located on top of the Home page.

  • Select Manage > Load Balancers > HTTP Load Balancers. A list of load balancers is presented.

  • Select ... > Manage Configuration for your load balancer and select Edit Configuration on the loaded form.

Step 2: Enable malicious user detection.
  • Go to the Common Security Controls section.

  • Select Enable in the Malicious User Detection field.

  • Select Save and Exit.


Using Multi Load Balancer Configuration

For a multi load balancer configuration, the detection is based on the malicious user configuration derived from the app type and app settings objects. The mitigation is applied to all load balancers applied with the app type label.

Step 1: Create app type object.
  • Select the Shared Configuration service.
  • Navigate to Security > AI & ML > App Types. Select Add App Type. Enter a name for the app type in the metadata section.
  • Select Add Item for the AI/ML Feature Type field in the Application Type Features section.
  • Use the AI/ML Feature Type drop-down and select Malicious User Detection.
  • Select Save and Exit.
Step 2: Apply app type label to the load balancer.
  • Switch to the Web App & API Protection service and change to the desired namespace.
  • Select Manage > Load Balancers > HTTP Load Balancers. A list of load balancers is presented.
  • Select ... > Manage Configuration for your load balancer and select Edit Configuration on the loaded form.
  • Select Add label in the Labels field in the Metadata section.
  • Select ves.io/app_type as the key and name of the app type you created in previous step as the value.
  • Select Save and Exit.
Step 3: Start creating app settings object.
  • Using the Web App & API Protection service, go to Manage > AI & ML > App Settings and Select Add App setting.
  • Enter a name and go to AppType Settings section. Select Add item.
  • Select the Select app type drop-down and select the app type created in Step 1.
  • In the Malicious User Detection section, select Configure to see the Malicious User Detecion form. This form is pre-populated with the defaults; Tune these settings per your needs.
Step 4: Optionally make changes to malicious user detection parameters

This form shows the different problem categories used to identify a malicious user, sometimes including thresholds or sensitivity settings. By default, all methods of detecting malicious users are enabled. Based on a user's activities with respect to these problem categories, their threat level rises. Adjusting these parameters affects how much of an activity is required to raise their threat level. If the user stops activities in the problem categories for a period of time, their threat level is reduced. You can adjust that period of time by changing the Cooling Off Period at the bottom of the form.

MUDChanges
Figure: Malicious User Parameters

  • Include Namespace In Learning: The Distributed Cloud AI engine learns user beavior from traffic generated from all namespaces where virtual hosts and vK8s services are labelled with a valid apptype. Select Disable learning from this namespace to remove this capability for this namespace only.

  • Enable Malicious User Detection: This field enables or disables malicious user detection. If you disable the feature, no traffic will be flagged as coming from a malicious user. The various methods for malicious user detection are shown below. You can adjust how malicious user detection works using the following fields:

    • Forbidden Activity Choice: A forbidden activity is any request that is denied through the service policy. This could be IP threat categories; forbidden domains and/or clients; HTTP methods, paths, query parameters, header; or more advanced matches. See Service Policy for more details. A user that exceeds the Forbidden Requests Threshold will be classified as malicious.

    • Falied Login Activity Choice: This feature keeps track of the number of login attempts that failed (specifically 401 Unauthorized response codes). When the number of login failures from a user exceeds the limit entered in the Login Failures threshold, the user will be classified as malicious. A successful login will not reset the login failure count. Only the cooling off period (discussed below) will reset the malicious user status.

    • WAF Activity Choice: WAF activity looks for known attack types and signatures, threat campaigns, malformed requests, and more. See Application Firewall for more details.

    • IP Reputation Choice: This uses a database of IP addresses with questionable reputations. IP addresses earn their reputations by performing exploits or attacks, or these addresses might represent proxy servers, scanners, or systems that have been infected. The database contains IP addresses that—

      • Are considered malicious Botnets,
      • Have launched Denial of Service (DoS) attacks,
      • Host illegal material or activity,
      • Are associated with phishing web sites or web proxies,
      • And other malicious activities.
    • Non-existent URL Activity Choice: This feature keeps track of the number of requests for an invalid path (specifically 404 Not Found response codes) and compares that number to the total throughput for the app to get a ratio of bad to good URL requests. This ratio is compared to an automatically calculated threshold (based on statistics for your application). The user is considered malicious when the current ratio exceeds the threshold. You can adjust this calculation in two ways:

      1. Select Include Non-Existent URL Activity using automatic threshold. The non-existent URL ratio threshold is automatically calculated based on statistics for your application. By default, the automatic threshold calculation is set to Medium sensitivity. You can adjust the sensitivity to Low sensitivity (meaning a higher ratio, or more invalid path requests, is required to classify a user as malicious) or High sensitivity (meaning a lower ratio will classify a user as malicious).
      2. Select Include Non-Existent URL Activity using custom threshold. Then, simply enter your desired ratio expressed as a percentage. For instance, if you enter 25, then the user will exceed the threshold if more than 25% of that user's requests are to a non-existing URL.
    • Cooling Off Period Setting: The Cooling off period (minutes) field specifies the number of minutes required to pass with no malicious activity in order to reduce a user's threat assessment. As each cooling off time period passes, a user's threat level will drop from high to medium, medium to low, and finally low to none. The cooling off period setting is used for all malicious user detection categories.

Step 5: Finish creating app setting object
  • Select Apply and to save the settings on the Malicious User Detection settings.
  • Select Save and Exit to create the app settings object.

Enable Malicious User Mitigation

Log into Console and do as per one of the following chapters.

Using Load Balancer Security Monitoring

Using load balancer security monitoring, you can add malicious user IP addresses to allow/deny lists. This is manual configuration of mitigation.

Step 1: Go to your load balancer security monitoring view.
  • Switch to Web App & API Protection service.

Note: Alternatively, you can search for load balancers in the search located on top of the Home page.

  • Select Apps & APIs > Security.

  • Select the load balancer of your choice from the list of load balancer beneath the graph. The dashboard tab is loaded by default.

Step 2: Start configuring malicious user mitigation.
  • Switch to the Malicious Users tab.
  • Select a user (IP address) from the list of malicious users on the left side. This will display activity from this user on the right side of the Malicious Users list:
    • The Suspicion Score chart shows a bar graph of activity time periods and their associated suspicious scores (the height of bar). Hover over a bar to get more details. Select a bar to zoom into that time period (use the time drop-down menu to zoom back out).
    • The Timeline section below the chart shows a list of timeline events. Select a time or suspicion score to see counts for problem categories to help you understand the suspicion score. Select the description link in the right column to see the events in the Security Events tab.
  • On the top right side of the details, there are options Block User and Add to Allow List.
  • Select Block User to manually add the malicious user's IP address to the deny list. Check other malicious user events also and block as necessary.

Note: The Add to Allow List removes the user from the malicious user list.

Using Load Balancer Configuration

Using the load balancer advanced security configuration, you can enable automatic mitigation of malicious users. The platform will apply the corresponding configured mitigation action for the specific threat levels.

Step 1: Start editing load balancer configuration.
  • Switch to the Web App & API Protection service and change to the desired namespace.
  • Select Manage > Load Balancers > HTTP Load Balancers. A list of load balancers is presented.
  • Select ... > Manage Configuration for your load balancer and select Edit Configuration on the loaded form.
Step 2: Start configuring malicious user mitigation.
  • Go to the Common Security Controls section.
  • From the Challenge Type drop-down menu, select Policy Based Challenge.
  • The Policy Based Challenge is automatically populated with default values. Select View Configuration under the Policy Based Challenge field shown to see and/or change the values.

PolicyBased
Figure: Policy Based Challenge

  • In the next screen, do one of the following in the Malicious User Mitigation Settings section:

    • The Use Default Parameters is populated by default. This default mitigation action is applied in the following manner:

      • For the activity with low threat level, JavaScript challenge with default configuration will be issued.
      • For the activity with medium threat level, Captcha challenge with default configuration will be issued.
      • For the activity with high threat level, user will be temporarily blocked.

MUMDefault
Figure: Default Malicious User Mitigation

  • To configure custom mitigation settings, select Custom form the Malicious User Mitigation Settings drop-down menu. In the Custom field, either select an existing custom setting, or select Add Item and do the following:

    • Enter a name for this malicious user mitigation object. In the Rules section, select Add item.

    • Select a threat level for the Threat Level field and an associated mitigation action for the Action field. By default, Threat Level Low and Javascript Challenge are populated.

    ThreatAction
    Figure: Threat Level and Action Configuration

    • Select Apply to save the rule.

    • Use the Add item in the Rules section to add more rules.

    MUMRules
    Figure: Custom Malicious User Mitigation Rules

    • When finished adding rules, select Continue to add the malicious user mitigation object to the policy-based challenge configuration.
  • Select Apply to save the policy-based challenge configuration.

  • Scroll down and select Save and Exit to save changes to the load balancer.

    Note: The instructions shown in this document apply default settings for challenges such as JavaScript. For customizing the challenge settings, see the respective guides in advanced security section. For example, see Configure JavaScript Challenge for configuring JavaScript challenge.

Note: By default, the identifier for a malicious user is Client IP address. To change the user identifier, go to the security configuration of load balancer, enable advanced fields, and select User Identification Policy for the User Identifier field, and select an existing identifier object or create new one using the create option in the drop-down list. For instructions, see Configure User Identifier. You can specify cookie name, header name, query parameter, or ASN for user identification.


Monitor Malicious User Activity

Log into Console, select the Web App & API Protection service, and select Apps & APIs > Security. Select your load balancer, and then select the Malicious Users tab to see users classified as malicious, a graph of their historical suspicion score, and a timeline of their activity.

Monitoring activities.

MonMalUsers
Figure: Monitor Malicious Users

  • Select the time period drop-down menu to change the time period for the data shown below. Selecting the Refresh option updates the data to the latest.
  • Select a user in the Malicious Users column to see that user's malicious activity in the Activity and Timeline sections to the right.
  • In the Activity section, select Block user to disallow all requests from this user, which will create a client blocking rule in your load balancer. Alternatively, select Add To Allow List skip malicious users actions for this user, which will create a trusted client rule in your load balancer. You will have the opportunity to expand the rule to include other actions.
  • Select Hide Chart to have more screen area for the Timeline section. Select Show Chart to bring the chart back into view.
  • Hover over a chart column to see the user's suspicion score for that time period. Select the column to zoom into that time period.
  • Slide the thin gray bars to exclude time periods from the timeline below. This may also zoom in the graph.

*In the Timeline section, select a time, suspicion score, or arrow at the right to get details on requests and violations.

  • In the Timeline section, select the underlined activity description to see that user's security events for that time period (on the Security Events tab). There you can see details for each specific event.

Concepts


API References