Malicious Users

• Select Web App & API Protection service on the Home page.

Note: Alternatively, you can search for load balancers in the search located on top of the Home page.

• Select Manage > Load Balancers > HTTP Load Balancers. A list of load balancers is presented.

• Select ... > Manage Configuration for your load balancer and select Edit Configuration on the loaded form.

• Go to the Common Security Controls section.

• Select Enable in the Malicious User Detection field.

• Select Save and Exit.

• Select the Shared Configuration service.
• Navigate to Security > AI & ML > App Types. Select Add App Type. Enter a name for the app type in the metadata section.
• Select Add Item for the AI/ML Feature Type field in the Application Type Features section.
• Use the AI/ML Feature Type drop-down and select Malicious User Detection.
• Select Save and Exit.

• Switch to the Web App & API Protection service and change to the desired namespace.
• Select Manage > Load Balancers > HTTP Load Balancers. A list of load balancers is presented.
• Select ... > Manage Configuration for your load balancer and select Edit Configuration on the loaded form.
• Select Add label in the Labels field in the Metadata section.
• Select ves.io/app_type as the key and name of the app type you created in previous step as the value.
• Select Save and Exit.

• Using the Web App & API Protection service, go to Manage > AI & ML > App Settings and Select Add App setting.
• Enter a name and go to AppType Settings section. Select Add item.
• Select the Select app type drop-down and select the app type created in Step 1.
• In the Malicious User Detection section, select Configure to see the Malicious User Detection form. This form is pre-populated with the defaults; Tune these settings per your needs.

This form shows the different problem categories used to identify a malicious user, sometimes including thresholds or sensitivity settings. By default, all methods of detecting malicious users are enabled. Based on a user's activities with respect to these problem categories, their threat level rises. Adjusting these parameters affects how much of an activity is required to raise their threat level. If the user stops activities in the problem categories for a period of time, their threat level is reduced. You can adjust that period of time by changing the Cooling Off Period at the bottom of the form.

• Include Namespace In Learning: The Distributed Cloud AI engine learns user behavior from traffic generated from all namespaces where virtual hosts and vK8s services are labelled with a valid apptype. Select Disable learning from this namespace to remove this capability for this namespace only.

• Enable Malicious User Detection: This field enables or disables malicious user detection. If you disable the feature, no traffic will be flagged as coming from a malicious user. The various methods for malicious user detection are shown below. You can adjust how malicious user detection works using the following fields:

  • Forbidden Activity Choice: A forbidden activity is any request that is denied through the service policy. This could be IP threat categories; forbidden domains and/or clients; HTTP methods, paths, query parameters, header; or more advanced matches. See Service Policy for more details. A user that exceeds the Forbidden Requests Threshold will be classified as malicious.

  • Failed Login Activity Choice: This feature keeps track of the number of login attempts that failed (specifically 401 Unauthorized response codes). When the number of login failures from a user exceeds the limit entered in the Login Failures threshold, the user will be classified as malicious. A successful login will not reset the login failure count. Only the cooling off period (discussed below) will reset the malicious user status.

  • WAF Activity Choice: WAF activity looks for known attack types and signatures, threat campaigns, malformed requests, and more. See Application Firewall for more details.

  • IP Reputation Choice: This uses a database of IP addresses with questionable reputations. IP addresses earn their reputations by performing exploits or attacks, or these addresses might represent proxy servers, scanners, or systems that have been infected. The database contains IP addresses that—

    • Are considered malicious Botnets,
    • Have launched Denial of Service (DoS) attacks,
    • Host illegal material or activity,
    • Are associated with phishing web sites or web proxies,
    • And other malicious activities.

  • Non-existent URL Activity Choice: This feature keeps track of the number of requests for an invalid path (specifically 404 Not Found response codes) and compares that number to the total throughput for the app to get a ratio of bad to good URL requests. This ratio is compared to an automatically calculated threshold (based on statistics for your application). The user is considered malicious when the current ratio exceeds the threshold. You can adjust this calculation in two ways:

    1. Select Include Non-Existent URL Activity using automatic threshold. The non-existent URL ratio threshold is automatically calculated based on statistics for your application. By default, the automatic threshold calculation is set to Medium sensitivity. You can adjust the sensitivity to Low sensitivity (meaning a higher ratio, or more invalid path requests, is required to classify a user as malicious) or High sensitivity (meaning a lower ratio will classify a user as malicious).
    2. Select Include Non-Existent URL Activity using custom threshold. Then, simply enter your desired ratio expressed as a percentage. For instance, if you enter 25, then the user will exceed the threshold if more than 25% of that user's requests are to a non-existing URL.

  • Cooling Off Period Setting: The Cooling off period (minutes) field specifies the number of minutes required to pass with no malicious activity in order to reduce a user's threat assessment. As each cooling off time period passes, a user's threat level will drop from high to medium, medium to low, and finally low to none. The cooling off period setting is used for all malicious user detection categories.

• Select Apply and to save the settings on the Malicious User Detection settings.
• Select Save and Exit to create the app settings object.

• Switch to Web App & API Protection service.

• Select Threat Insights > Malicious Users in the Overview section on the left menu. This opens a map view showing geographically located malicious users displayed as node groups.

• Click on the node to display all malicious users in a group represented as collection individual nodes. Place mouse pointer on any individual node to view the user's IP address, threat-level, and risk score.

• Click on any malicious user node and details for that user are displayed in a modeless window.

• Select Block User or Add to Allow List to add user to deny list or allow list respectively. This opens the associated load balancer's client blocking rule section or trusted client rules section with name and IP address populated. In case of trusted client rule, the Skip Malicious Users action is populated. Click Apply to complete enabling the rule on the load balancer.

• Switch to Web App & API Protection service.

Note: Alternatively, you can search for load balancers in the search located on top of the Home page.

• Select Dashboards > Security Dashboard.

• Select the load balancer of your choice from the list of load balancer beneath the graph. The dashboard tab is loaded by default.

• Switch to the Malicious Users tab.
• Select a user (IP address) from the list of malicious users on the left side. This will display activity from this user on the right side of the Malicious Users list:
  • The Risk Score chart shows a bar graph of activity time periods and their associated risk scores (the height of bar). Hover over a bar to get more details. Select a bar to zoom into that time period (use the time drop-down menu to zoom back out).
  • The Timeline section below the chart shows a list of timeline events. Select a time or risk score to see counts for problem categories to help you understand the risk score. Select the description link in the right column to see the events in the Security Events tab.
• On the top right side of the details, there are options Block User and Add to Allow List.
• Select Block User to manually add the malicious user's IP address to the deny list. Check other malicious user events also and block as necessary.

Note: The Add to Allow List removes the user from the malicious user list.

• Switch to the Web App & API Protection service and change to the desired namespace.
• Select Manage > Load Balancers > HTTP Load Balancers. A list of load balancers is presented.
• Select ... > Manage Configuration for your load balancer and select Edit Configuration on the loaded form.

• Go to the Common Security Controls section.
• Select Enable for the Malicious User Mitigation And Challenges drop-down.
• Select one of the options from the Malicious User Mitigation Settings drop-down as per the following guidelines:

  • The Default option is selected by default. This default mitigation action is applied in the following manner:

    • For the activity with low threat level, JavaScript challenge with default configuration will be issued.
    • For the activity with medium threat level, Captcha challenge with default configuration will be issued.
    • For the activity with high threat level, user will be temporarily blocked.

• Select Custom and select a malicious user mitigation object from the Custom drop-down. You can also use the Add Item option to create a new object and in case creating new object, do the following:

  • Enter a name for this malicious user mitigation object. In the Rules section, select Add item.
  • Select a threat level for the Threat Level field and an associated mitigation action for the Action field. By default, Threat Level Low and Javascript Challenge are populated.

  

  • Select Apply to save the rule.

  • Use the Add item in the Rules section to add more rules.

  

  • When finished adding rules, select Continue to add the malicious user mitigation object to the malicious user mitigation configuration.

• Scroll down and select Save and Exit to save changes to the load balancer.

  Note: The instructions shown in this document apply default settings for challenges such as JavaScript. Enable Show Advanced Fields option to view more options such as policy-based challenges to customize the configuration.

Go to Threat Insights > Malicious Users in the Overview section. This provides a view of malicious users for the entire namespace. You can zoom in on a particular malicious user and navigate to individual load balancer malicious users page from there.

Note: The malicious users in a geographical location are shown as collection of nodes with threat-level indicated in different colors. You can check the legend filter to find severity versus color mapping.

• The data shown is by default for all HTTP load balancers in the namespace. You can use the Attacked Load Balancers filter on the top of the page to limit the view to a specific set of load balancers. Similarly, you can use the time filter to display the insights for a specific time interval.

• Place the mouse pointer over a node group to view details of malicious users for that location. Number of malicious users and corresponding threat-levels are displayed.

• Click on a node group to display all malicious users in a group represented as collection individual nodes. Place mouse pointer on any individual node to view the user's identifier, threat-level, and risk score.

Note: The user identifier is based on the configured user identification such as IP address, Cookie, etc.

• Click on any malicious user node and details for that user are displayed in a modeless window. The details include user identifier, attacked load balancers, and user attributes such as source IP, country, region, etc.

• Click on any of the attacked load balancers in the details window. This will switch to the Malicious Users tab of that load balancer's security monitoring page with the view filtered display the data for that particular user.

Log into Console, select the Web App & API Protection service, and select Apps & APIs > Security. Select your load balancer, and then select the Malicious Users tab to see users classified as malicious, a graph of their historical risk score, and a timeline of their activity.

Use various controls in the monitoring view as per the following guidelines to obtain specific filtered information:

• Select the time period drop-down menu to change the time period for the data shown below. Selecting the Refresh option updates the data to the latest.
• Select a user in the Malicious Users column to see that user's malicious activity in the Activity and Timeline sections to the right.
• In the Activity section, select Block user to disallow all requests from this user, which will create a client blocking rule in your load balancer. Alternatively, select Add To Allow List skip malicious users actions for this user, which will create a trusted client rule in your load balancer. You will have the opportunity to expand the rule to include other actions.
• Select Hide Chart to have more screen area for the Timeline section. Select Show Chart to bring the chart back into view.
• Hover over a chart column to see the user's risk score for that time period. Select the column to zoom into that time period.
• Slide the thin gray bars to exclude time periods from the timeline below. This may also zoom in the graph. *In the Timeline section, select a time, risk score, or arrow at the right to get details on requests and violations.
• In the Timeline section, select the underlined activity description to see that user's security events for that time period (on the Security Events tab). There you can see details for each specific event.