Bug ID 737998: Brute Force end attack condition isn't satisfied for successful logins only

Last Modified: Dec 20, 2018

Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7

Fixed In:
12.1.4

Opened: Jul 24, 2018
Severity: 3-Major

Symptoms

When a brute force attack is detected and prevented by ASM, ASM continues to prevent login attempts even though the attacking traffic stopped 5 minutes ago.

Impact

ASM doesn't report that the brute force attack has finished, and login mitigation continues to occur.

Conditions

- ASM provisioned
- ASM policy attached to a virtual server
- ASM Brute Force protection enabled in the ASM policy
- There is an ongoing brute force attack on the backend server.

Workaround

During an ongoing, endless brute force attack, change an arbitrary field in the brute force configuration and apply the policy. A brute force attack end event will be triggered and the system will stop brute force prevention. If the attacking traffic is still being sent, a new brute force attack event will be raised and the mitigation will reoccur.

Fix Information

Fixed the brute force end condition check for the case when only successful logins are sent.

Behavior Change