Malicious Users
Objective
This guide provides instructions on how to enable Malicious User Detection and Mitigation for your applications using the security options in the HTTP load balancer. To know more about security and load balancing concepts, see Security and Load Balancer.
Enabling this feature means turning on detection of malicious activity and choosing the associated mitigation steps. The mitigation steps are issuing a JavaScript challenge, issuing a Captcha challenge, or temporarily blocking the user. Using the instructions provided in this guide, you can enable malicious user detection and set the mitigation steps of your choice.
Prerequisites
The following prerequisites apply:
- F5 Distributed Cloud Services Account. If you do not have an account, see Create an Account.
- An HTTP Load Balancer advertising your application.
Note: For instructions on how to delegate your domain to F5 Distributed Cloud, see HTTP Load Balancer. See the vK8s Deployment guide for deploying your applications on the F5 Distributed Cloud's Network Cloud or Edge Cloud.
Configuration
You can enable detection in one of the following ways:
- Using single load balancer Machine Learning (ML) configuration: detection is enabled as part of the load balancer configuration.
- Using multi load balancer ML configuration: detection is enabled as part of the app type configuration.
You can also enable mitigation in one of the following ways:
- Using the load balancer security monitoring, malicious user IP addresses can be added to allow/deny lists manually.
- Using the load balancer advanced security configuration, automatic mitigation of malicious users is configured.
Note: When Malicious User Mitigation is enabled and malicious user behavior is tracked, the system tags users with the threat levels High, Medium, and Low. The system automatically reduces the score when no malicious behavior is detected for the user for a period of time. This is known as the Cooling Off Period. This period indicates how long it takes to reduce from High threat level to Low. The system executes a score decay mechanism over that period for this to happen. The default Cooling Off Period is 20 minutes. This period can be changed only when the detection method uses the multi load balancer configuration. In case of single load balancer configuration, the Cooling Off Period cannot be changed.
The instructions provided in this guide show all the options of enabling malicious user detection and mitigation.
Enable Malicious User Detection
Log into F5® Distributed Cloud Console (Console) and do the following:
Using Single Load Balancer Configuration
In case of single load balancer configuration, the detection is enabled only for that load balancer.
Step 1: Start editing load balancer configuration.
- Click Web App & API Protection service on the Home page.
  Note: Alternatively, you can search for load balancers in the search located on top of the Home page.
- Select Manage > Load Balancers > HTTP Load Balancers. A list of load balancers is presented.
- Click ... > Manage Configuration for your load balancer and click Edit Configuration on the loaded form.
Step 2: Enable malicious user detection.
- Go to the Security Configuration section and enable the Show Advanced Fields option.
- Go to the ML Config option and select Single Load Balancer Application to turn on the ML for this load balancer only.
Note: Confirm that the option Malicious User Detection is enabled automatically for the Malicious User Detection field.
Using Multi Load Balancer Configuration
In case of multi load balancer configuration, the detection is based on the ML configuration derived from the app type and app settings objects. The mitigation is applied to all load balancers carrying the app type label.
Step 1: Create app type object.
- Click on the Select Service option in the left menu and select Shared Configuration service.
- Navigate to Security > AI & ML > App Types. Click Add app type. Enter a name for the app type in the metadata section.
- Click Add item for the AI/ML Feature Type field in the Application Type Features section.
- Click on the Enter ai/ml feature type drop-down and select User Behavior Analysis.
- Click Save and Exit.
Step 2: Apply app type label to the load balancer.
- Switch to Web App & API Protection service and change to the desired namespace.
- Select Manage > Load Balancers > HTTP Load Balancers. A list of load balancers is presented.
- Click ... > Manage Configuration for your load balancer and click Edit Configuration on the loaded form.
- Click Add label in the Labels field in the metadata section.
- Select ves.io/app_type as the key and the name of the app type you created in the previous step as the value.
- Click Save and Exit.
Step 3: Create app settings object.
- Go to Manage > AI & ML > App Settings. Click Add App setting.
- Enter a name and go to the AppType Settings section. Click Add item.
- Click on the Select app type drop-down and select the app type created in Step 1.
  Note: You can also click Configure for the User Behavior Analysis Setting, tune the settings as per your need, and click Apply. For example, change the Cooling Off Period to a value greater or less than 20 minutes to enforce longer or shorter score (threat level) decay.
- Click Apply and then click Save and Exit to create the app settings object.
Enable Malicious User Mitigation
Log into Console and follow one of the following sections.
Using Load Balancer Security Monitoring
Using load balancer security monitoring, you can add malicious user IP addresses to allow/deny lists. This is a manual mitigation configuration.
Step 1: Go to your load balancer security monitoring view.
- Switch to Web App & API Protection service.
  Note: Alternatively, you can search for load balancers in the search located on top of the Home page.
- Click Apps & APIs > Security.
- Click on the load balancer of your choice from the list of load balancers beneath the graph. The Dashboard tab is loaded by default.
Step 2: Start configuring malicious user mitigation.
- Switch to the Malicious Users tab.
- Check the list of malicious user events on the left side.
- Click on an event entry. On the right side of the events list, details such as the activity graph, suspicion score, and timeline for that event are displayed.
- On the top right side of the details, there are the options Block User and Add to Allow List.
- Click Block User to manually add the malicious user's IP address to the deny list. Check the other malicious user events as well and block as per your choice.
Note: Add to Allow List removes the user from the malicious user list.
Using Load Balancer Configuration
Using the load balancer advanced security configuration, you can enable automatic mitigation of malicious users. The platform will apply the corresponding configured mitigation action for the specific threat levels.
Step 1: Start editing load balancer configuration.
- Switch to Web App & API Protection service and change to the desired namespace.
- Select Manage > Load Balancers > HTTP Load Balancers. A list of load balancers is presented.
- Click ... > Manage Configuration for your load balancer and click Edit Configuration on the loaded form.
Step 2: Start configuring malicious user mitigation.
Go to the Security Configuration section and enable the Show Advanced Fields option. Do the following:
- From the Select Type of Challenge drop-down menu, select Policy Based Challenge.
- Click Configure under the Policy Based Challenge field shown.
- In the next screen, do one of the following in the Malicious User Mitigation Settings section:
  - Use Default Parameters is populated by default. The default mitigation action is applied in the following manner:
    - For activity with low threat level, a JavaScript challenge with default configuration will be issued.
    - For activity with medium threat level, a Captcha challenge with default configuration will be issued.
    - For activity with high threat level, the user will be temporarily blocked.
  - To configure custom mitigation settings, select Malicious User Mitigation and click on the displayed drop-down. Select an existing object. Alternatively, click the Create new malicious user mitigation option and do the following:
    - Enter a name for the MUM object. Go to Malicious User Mitigation Rules and click Add item.
    - Select a threat level for the Threat Level field and an associated mitigation action for the Action field. By default, Threat Level Low and Javascript Challenge are populated.
      Figure: Threat Level and Action Configuration
    - Click Add item. Use the Add item in the Malicious User Mitigation Rules to add more rules.
      Figure: Custom Malicious User Mitigation Rules
    - Click Continue to add the MUM object to the policy-based challenge configuration.
- Scroll down and click Save and Exit to save changes to the load balancer.
Note: The instructions shown in this document apply default settings for challenges such as JavaScript. For customizing the challenge settings, see the respective guides in the advanced security section. For example, see Configure JavaScript Challenge for configuring the JavaScript challenge.
Note: By default, the identifier for a malicious user is the Client IP address. To change the user identifier, go to the security configuration of the load balancer, enable advanced fields, select User Identification Policy for the User Identifier field, and select an existing identifier object or create a new one using the create option in the drop-down list. For instructions, see Configure User Identifier. You can specify a cookie name, header name, query parameter, or ASN for user identification.