Bug ID 641559: Session-based brute force resets failed logins counter upon successful login

Last Modified: Oct 01, 2018

Bug Tracker

Affected Product:
BIG-IP ASM (all modules)

Fixed In:
13.1.0

Opened: Jan 26, 2017
Severity: 3-Major

Symptoms

ASM counts failed login attempts per session (browser cookie) and blocks an end user once the number of failed attempts exceeds a predefined threshold (default 5). If an ASM end user makes a successful login before the number of failed attempts reaches the threshold, the counter of failed attempts is reset to zero.
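The counter logic described above, as an added Python model that is not F5 code: a per-session failed-login counter is driven through a constructed sequence of attempts, once with the pre-fix behaviour (a successful login resets the counter) and once without the reset. The names SessionCounter, process_login and simulate are assumptions; the threshold of 5 is the default named in this record.

```python
"""Per-session failed-login counter: reset-on-success (bug) vs. no reset.

Added illustration, not F5 code. SessionCounter, process_login and simulate
are assumed names; THRESHOLD = 5 is the default quoted in the bug record.
"""
from dataclasses import dataclass

THRESHOLD = 5  # default session-based brute force threshold per the record


@dataclass
class SessionCounter:
    """State kept per session (browser cookie) in this model."""
    failures: int = 0
    blocked: bool = False


def process_login(counter, success, reset_on_success, threshold=THRESHOLD):
    """Apply one login attempt to a session counter.

    Returns "rejected" if the session is already blocked, otherwise "ok" for
    a successful login or "failed" for a failed one. The session becomes
    blocked as soon as its failure count reaches the threshold.
    """
    if counter.blocked:
        return "rejected"
    if success:
        if reset_on_success:  # the pre-13.1.0 behaviour described on the page
            counter.failures = 0
        return "ok"
    counter.failures += 1
    if counter.failures >= threshold:
        counter.blocked = True
    return "failed"


def simulate(attempts, reset_on_success, threshold=THRESHOLD):
    """Run a sequence of attempts (True = valid credentials) in one session.

    Returns how many failed attempts the session was allowed to make before
    being blocked, how many attempts were rejected afterwards, and whether
    the session ended up blocked.
    """
    counter = SessionCounter()
    failures_processed = 0
    rejected = 0
    for success in attempts:
        outcome = process_login(counter, success, reset_on_success, threshold)
        if outcome == "failed":
            failures_processed += 1
        elif outcome == "rejected":
            rejected += 1
    return {
        "failures_processed": failures_processed,
        "rejected": rejected,
        "blocked": counter.blocked,
    }


# Constructed sequence: four failures, one valid login, then ten more failures.
SEQUENCE = [False] * 4 + [True] + [False] * 10

if __name__ == "__main__":
    print("reset on success (bug):", simulate(SEQUENCE, reset_on_success=True))
    print("no reset (fixed):      ", simulate(SEQUENCE, reset_on_success=False))
```

With the reset, the session is allowed 9 failed attempts before it is blocked (4 before the valid login, then a fresh 5); without it, the block lands on the 5th failure regardless of the valid login in between. A detection-side check on real logs is the same comparison: count failures per session cookie across the whole session, not only since the last success.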

Impact

An ASM end user is allowed to make more failed logins than the threshold permits. This happens only when that ASM end user sends a successful login before the number of failures reaches the threshold.

Conditions

ASM policy attached on the virtual server and brute force session-based feature is configured along with the login page.

Workaround

None.

Fix Information

Session-based brute force now handles this issue.

Behavior Change