Bug ID 438809: Brute Force Login

Last Modified: Feb 13, 2019

Bug Tracker

Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3

Fixed In:
12.0.0, 11.6.0 HF4, 11.5.1 HF5, 11.4.0 HF7, 11.2.1 HF11

Opened: Nov 23, 2013
Severity: 3-Major
Related AskF5 Article:
K17098

Symptoms

Brute Force Login protection cannot be configured with detection rates granular enough for low-traffic environments: the failed-login threshold is measured per second, and the Configuration utility rejects very low threshold and minimal values.

Impact

Unable to appropriately configure Brute Force prevention.

Conditions

A low-traffic environment that typically sees fewer than one login failure per second but still needs Brute Force prevention to trigger.

Workaround

None

Fix Information

To improve brute force mitigation, we made the following changes:

- We added a new internal parameter, bf_num_sec_per_value, which defines how many seconds make up a single measure unit for failed logins. For example, to configure 7 failed logins per 5 seconds, set the threshold to 7 in the Configuration utility (the "Failed Login Attempts Rate reached" setting in the Detection Criteria area of the Brute Force Protection Configuration screen) and, from the command line, set this internal parameter to 5. When this parameter is configured, the system detects an attack only by the threshold (not by the rate increase), and all traffic from suspicious IP addresses is blocked. The default value of the internal parameter is 1 second.
- In the Configuration utility, we removed the validation on all threshold and minimal values. You can now enter very low values such as 1 or 2 in the detection and suspicious criteria.
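The following Python is an added illustration of the detection semantics described above; it is not F5's code and does not claim to show how ASM implements its counters. It models threshold-only detection where the threshold is counted per measure unit of bf_num_sec_per_value seconds, so the same threshold of 7 means "7 per second" with the default unit and "7 per 10 seconds" with a unit of 10. The fixed-bucket windowing, the sample login events, and the RFC 5737 documentation addresses are all assumptions constructed for the example; the page's own example is 7 per 5 seconds, and the block runs that unit too to show that the unit has to match the attacker's cadence.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# A login event is (timestamp_in_seconds, source_ip, login_succeeded).
LoginEvent = Tuple[float, str, bool]


def detect_brute_force(events: Iterable[LoginEvent],
                       threshold: int,
                       bf_num_sec_per_value: int = 1) -> Dict[str, float]:
    """Flag source IPs whose failed-login count reaches `threshold`
    within a single measure unit of `bf_num_sec_per_value` seconds.

    Threshold-only detection (no rate-increase criterion), as the fix
    describes when the internal parameter is configured. Fixed buckets
    (0-9.99 s, 10-19.99 s, ... for a unit of 10) are an assumption of
    this model; the page does not say how the product windows the count.
    Returns {ip: timestamp at which the threshold was reached}.
    """
    failures_per_bucket: Dict[Tuple[str, int], int] = defaultdict(int)
    detected: Dict[str, float] = {}
    for ts, ip, succeeded in sorted(events):
        if succeeded or ip in detected:
            continue
        bucket = int(ts // bf_num_sec_per_value)
        failures_per_bucket[(ip, bucket)] += 1
        if failures_per_bucket[(ip, bucket)] >= threshold:
            detected[ip] = ts
    return detected


def should_block(ip: str, detected: Dict[str, float]) -> bool:
    """Once an IP is flagged, the fix blocks all of its traffic, not only
    further login attempts, so the decision depends on the IP alone."""
    return ip in detected


# Constructed sample: a slow password-guessing client spacing attempts
# 1.5 s apart (0.7 failures/second, i.e. the "fewer than 1 per second"
# case from Conditions), plus a legitimate user who mistypes twice.
SAMPLE_EVENTS: List[LoginEvent] = [
    (0.5, "203.0.113.7", False),
    (2.0, "203.0.113.7", False),
    (3.5, "203.0.113.7", False),
    (5.0, "203.0.113.7", False),
    (6.5, "203.0.113.7", False),
    (8.0, "203.0.113.7", False),
    (9.5, "203.0.113.7", False),
    (2.0, "198.51.100.20", False),
    (6.5, "198.51.100.20", False),
    (12.0, "198.51.100.20", True),
]


def compare_units(threshold: int = 7) -> Dict[int, Dict[str, float]]:
    """Run the same threshold with the default 1-second unit, the page's
    5-second example, and a 10-second unit. Only the unit long enough to
    hold 7 of the attacker's attempts catches the 0.7/s guesser."""
    return {unit: detect_brute_force(SAMPLE_EVENTS, threshold, unit)
            for unit in (1, 5, 10)}


if __name__ == "__main__":
    for unit, hits in compare_units().items():
        print(f"bf_num_sec_per_value={unit}: detected {hits or 'nothing'}")
```

With the default unit every bucket holds at most one of the attacker's failures, so a threshold of 7 never fires; with a unit of 10 the seventh failure lands in the same bucket and the IP is flagged at 9.5 s, while the legitimate user's two mistakes stay well under the threshold. The command-line mechanism for setting the internal parameter on the appliance is not given on this page and is not modeled here.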

Behavior Change