Malicious Users

Objective

This guide provides instructions on how to enable Malicious User Detection and Mitigation for your applications using the security options in the HTTP load balancer. To know more about security and load balancing concepts, see Security and Load Balancer.

Enabling this feature includes enabling detecting malicious activities and associated mitigation steps. The mitigation steps include issuing JavaScript Challenge or Captcha Challenge or temporary blocking of the user. Using the instructions provided in this guide, you can enable malicious user detection and set mitigation steps as per your choice.


Prerequisites

The following prerequisites apply:

  • Note: For instructions on how to delegate your domain to F5 Distributed Cloud, see HTTP Load Balancer. See the vK8s Deployment guide for deploying your applications on the F5 Distributed Cloud's Network Cloud or Edge Cloud.

Configuration

You can enable detection in one of the following ways:

  • Using single load balancer Machine Learning (ML) configuration - In this, the detection is enabled as part of load balancer configuration.
  • Using multi load balancer ML configuration - In this, detection is enabled as part of the app type configuration.

You can enable mitigation also in one of the following ways:

  • Using the load balancer security monitoring, malicious user IP addresses can be added to allow/deny lists.
  • Using the load balancer advanced security configuration, automatic mitigation of malicious users is configured.

Note: When Malicious User Mitigation is enabled and malicious user behavior is tracked, the system tags the users into threat levels High, Medium, and Low. The system automatically reduces the score when there is no malicious behavior detected for the user for a period of time. This is known as Cooling Off Period. This period indicates how long it takes to reduce from High threat level to Low. The system executes a score decay mechanism over a period of time for this to happen. The default Cooling Off Period is 20 minutes. This period can be changed only when the detection method is using multi load balancer configuration. In case of single load balancer, the Cooling Off Period cannot be changed.

The instructions provided in this guide show all the options of enabling malicious user detection and mitigation.


Enable Malicious User Detection

Log into F5® Distributed Cloud Console (Console) and do the following:

Using Single Load Balancer Configuration

In case of single load balancer configuration, the detection is enabled only for that load balancer.

Step 1: Start editing load balancer configuration.
  • Click Web App & API Protection service on the Home page.

Home Page
Figure: Home Page

Note: Alternatively, you can search for load balancers in the search located on top of the Home page.

  • Select Manage > Load Balancers > HTTP Load Balancers. A list of load balancers is presented.

  • Click ... > Manage Configuration for your load balancer and click Edit Configuration on the loaded form.

Step 2: Enable malicious user detection.
  • Go to Security Configuration section, enable the Show Advanced Fields option.

  • Go to ML Config option and select Single Load Balancer Application to turn on the ML for this load balancer only.

Note: Confirm that the option Malicious User Detection is enabled automatically for the Malicious User Detection field.


Using Multi Load Balancer Configuration

In case of multi load balancer configuration, the detection is based on the ML configuration derived from the app type and app settings objects, The mitigation is applied to all load balancers applied with the app type label.

Step 1: Create app type object.
  • Click on the Select Service option in the left menu and select Shared Configuration service.
  • Navigate to Security > AI & ML > App Types. Click Add app type. Enter a name for the app type in the metadata section.
  • Click Add item for the AI/ML Feature Type field in the Application Type Features section.
  • Click on the Enter ai/ml feature type drop-down and select User Behavior Analysis.
  • Click Save and Exit.
Step 2: Apply app type label to the load balancer.
  • Switch to Web App & API Protection service and change to desired namespace.
  • Select Manage > Load Balancers > HTTP Load Balancers. A list of load balancers is presented.
  • Click ... > Manage Configuration for your load balancer and click Edit Configuration on the loaded form.
  • Click Add label in the Labels field in metadata section.
  • Select ves.io/app_type as the key and name of the app type you created in previous step as the value.
  • Click Save and Exit.
Step 3: Create app settings object.
  • Go to Manage > AI & ML > App Settings. Click Add App setting.
  • Enter a name and go to AppType Settings section. Click Add item.
  • Click on the Select app type drop-down and select the app type created in Step 1.

Note: You can also click Configure for the User Behavior Analysis Setting, tune the settings as per your need, and click Apply. For example, change the Cooling Off Period to a value greater or less than 20 minutes to enforce longer or shorter score (threat level) decay.

  • Click Apply and then click Save and Exit to create the app settings object.

Enable Malicious User Mitigation

Log into Console and do as per one of the following chapters.

Using Load Balancer Security Monitoring

Using load balancer security monitoring, you can add malicious user IP addresses to allow/deny lists. This is manual configuration of mitigation.

Step 1: Go to your load balancer security monitoring view.
  • Switch to Web App & API Protection service.

Note: Alternatively, you can search for load balancers in the search located on top of the Home page.

  • Click Apps & APIs > Security.

  • Click on the load balancer of your choice from the list of load balancer beneath the graph. Dashboard tab is loaded by default.

Step 2: Start configuring malicious user mitigation.
  • Switch to the Malicious Users tab.
  • Check the list of malicious user events on the left side.
  • Click on an event entry. On the right side of the events list, details such as activity graph, suspicion score, timeline for that event is displayed.
  • On the top right side of the details, there are options Block User and Add to Allow List.
  • Click Block User to manually add the malicious user's IP address to the deny list. Check other malicious user events also and block as per your choice.

Note: The Add to Allow List removes the user from malicious user list.

Using Load Balancer Configuration

Using the load balancer advanced security configuration, you can enable automatic mitigation of malicious users. The platform will apply the corresponding configured mitigation action for the specific threat levels.

Step 1: Start editing load balancer configuration.
  • Switch to Web App & API Protection service and change to desired namespace.
  • Select Manage > Load Balancers > HTTP Load Balancers. A list of load balancers is presented.
  • Click ... > Manage Configuration for your load balancer and click Edit Configuration on the loaded form.
Step 2: Start configuring malicious user mitigation.

Go to Security Configuration section, enable the Show Advanced Fields option. Do the following:

  • From the Select Type of Challenge drop-down menu, select Policy Based Challenge.
  • Click Configure under the Policy Based Challenge field shown.

PolicyBased
Figure: Policy Based Challenge

  • In the next screen, do one of the following in the Malicious User Mitigation Settings section:

    • The Use Default Parameters is populated by default. This default mitigation action is applied in the following manner:

      • For the activity with low threat level, JavaScript challenge with default configuration will be issued.
      • For the activity with medium threat level, Captcha challenge with default configuration will be issued.
      • For the activity with high threat level, user will be temporarily blocked.

MUMDefault
Figure: Default Malicious User Mitigation

  • To configure custom mitigation settings, select Malicious User Mitigation and click on the displayed drop-down. Select an existing object. Alternatively, click Create new malicious user mitigation option and do the following:

    • Enter a name for the MUM object. Go to Malicious User Mitigation Rules and click Add item.

    • Select a threat level for the Threat Level field and an associated mitigation action for the Action field. By default, Threat Level Low and Javascript Challenge are populated.

    ThreatAction
    Figure: Threat Level and Action Configuration

    • Click Add item. Use the Add item in the Malicious User Mitigation Rules to add more rules.

    MUMRules
    Figure: Custom Malicious User Mitigation Rules

    • Click Continue to add the MUM object to the policy-based challenge configuration.
  • Scroll down and click Save and Exit to save changes to the load balancer.

    Note: The instructions shown in this document apply default settings for challenges such as JavaScript. For customizing the challenge settings, see the respective guides in advanced security section. For example, see Configure JavaScript Challenge for configuring JavaScript challenge.

Note: By default, the identifier for a malicious user is Client IP address. To change the user identifier, go to the security configuration of load balancer, enable advanced fields, and select User Identification Policy for the User Identifier field, and select an existing identifier object or create new one using the create option in the drop-down list. For instructions, see Configure User Identifier. You can specify cookie name, header name, query parameter, or ASN for user identification.


Concepts


API References