The purpose of this demo is to show how ASM protects web applications from suspicious browsers. You’ll start
by submitting several requests to a web application using incorrect user-agent values. You’ll then create an ASM
DoS profile and enable proactive bot defense. You’ll then attempt the same requests and show how ASM either
blocks the request or presents a CAPTCHA challenge.
Contact Chris Manly (c.manly@f5.com) with any questions or feedback for this demo.
©2017 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in
certain other countries. Other F5 trademarks are identified at f5.com.
Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.
These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.
The F5 vLab (virtual lab environment) is an F5-community supported tool. Please DO NOT contact F5 Support for assistance with the vLab.
For help with the setup of the vLab or running a demonstration, you should contact your F5 Channel Account Manager (CAM).
Part 1 – Preparing the Demo Environment
NOTE: If you use the Configuration Utility to restore the archive file it may damage an updated license.
On the Windows_7_External desktop, use a web browser to access and log in to https://10.1.1.245.
In the Configuration Utility, open the Application Security > Security Policies > Policies List page, and
then click Create New Policy.
Use the following information for the new policy, and then click Create Policy.
Policy Name: browsers_security_policy
Policy Template: Rapid Deployment Policy
Virtual Server: dvwa_virtual
Once the policy is created, open the Security > Application Security > Policy Building >
Learning and Blocking Settings page.
From the list on the right side of the page select Advanced.
WWFE vLab Guides – Demo: ASM – Using Layer 7 DoS to Block Suspicious Browsers; v13.0.A Page | 3
On the Application Security tab, for Request Type select All requests.
On the DoS Protection tab select the Local Publisher checkbox.
On the Bot Defense tab select the Local Publisher, Log Illegal Requests, Log Challenged Requests, and
Log Legal Requests checkboxes, and then click Finished.
Open the Virtual Server List page and click dvwa_virtual, and then open the virtual
server Security > Policies page.
Select Log all requests and click >>.
Select lorax_log_profile and click <<, and then click Update.
Create an archive file named demo_asm_layer7_suspiciousbrowsers_v13.0.
Part 2 – Delivering the Demo to a Customer
NOTE: If you use the Configuration Utility to restore the archive file it may damage an updated license.
On the Windows_7_External desktop, use a web browser to access and log in to https://10.1.1.245.
In the Configuration Utility, open the Security > Event Logs > Application > Requests page.
Clear the filter by clicking on the X next to Illegal Requests.
Select Safari > Mac Safari 7.
Click the Chrome UA Spoofer button and select Internet Explorer > Internet Explorer 6.
Click the Chrome UA Spoofer button and select Android > Android KitKat, and then close the page.
In the Configuration Utility, on the Application > Requests page select the Auto Refresh icon and
select Refresh.
Select the most recent /login.php log entry (at the top of the list).
Click the filter icon for [HTTP]/login.php, and then select Add to filter.
This filters the list of log entries to just the requests for /login.php.
Select each log entry from the bottom to the top and on the Request tab view the User-Agent value.
The requests appear to have come from several browsers: Fire Explorer, Chrome, Safari, IE 6, and
Android.
Navigate to Security > DoS Protection and right-click on DoS Profiles, and then
select Open Link in New Tab.
In the new tab click Create.
Name the new profile dvwa_dos_profile and click Finished.
Click dvwa_dos_profile, and then open the Application Security page.
On the General Settings page click Disabled and then select the Enabled checkbox.
Click Proactive Bot Defense, then click Off, then change Operational Mode to Always.
The Block requests from suspicious browsers options are already enabled. This feature enables ASM
to block highly suspicious browsers and present a CAPTCHA challenge to moderately suspicious
browsers.
Click Update.
Open the Virtual Server List page and click dvwa_virtual, and then open the virtual
server Security > Policies page.
Notice we already have an ASM security policy attached to this virtual server named
dvwa_security_policy.
From the DoS Protection Profile list select Enabled, then select dvwa_dos_profile, then click Update,
and then close the second tab.
Also notice we have a custom log profile attached to this virtual server named dvwa_log_profile.
In the command prompt resubmit the following command several times until you receive the JavaScript
challenge:
curl -A "Fire Explorer" http://10.1.10.35/login.php?[1-40]
The command eventually fails because it didn’t pass the JavaScript challenge.
Open the Security > Event Logs > Bot Defense > Requests page, and then examine the Bot Defense log.
NOTE: To view the columns on the right side of the page, click your mouse into the log entries
and then use the arrow keys on your keyboard.
These requests were blocked due to a browser challenge. ASM responded to the request with a
JavaScript challenge which the fake browser couldn’t respond to. Proactive Bot Defense stops simple
bots that try to impersonate legitimate browsers with invalid User-Agent headers.
Open an incognito (Chrome) window, then click the Chrome UA Spoofer button and
select Chrome > Default, then click the DVWA bookmark, and then close the page.
You are presented with the DVWA login page.
In the Configuration Utility, on the Bot Defense > Requests tab reload the page.
The request was allowed. It passed the browser challenge and therefore wasn’t presented with the
CAPTCHA challenge.
Open an incognito (Chrome) window and click the Chrome UA Spoofer button, then
select Safari > Mac Safari 7, and then click the DVWA bookmark.
You are presented with a CAPTCHA challenge.
ASM compares the User-Agent string to the actual capabilities of the web browser. If the web
browser claims to be Chrome on Windows 7, ASM sends a JavaScript challenge to verify that the
web browser behaves like Chrome. If the results are too different (score < 60), then it is considered a
highly suspicious browser and blocked completely. If it is similar enough (score >= 59) then it is
considered a moderately suspicious browser and receives the CAPTCHA challenge.
Enter the CAPTCHA challenge and click submit to view the DVWA login page, and then close the page.
In the Configuration Utility, on the Bot Defense > Requests tab reload the page and examine the
Request Status, Action, and Reason columns.
The request was allowed. It was identified as a suspicious browser, but then passed the CAPTCHA
challenge.
Open a new incognito window and click the Chrome UA Spoofer button, then
select Internet Explorer > Internet Explorer 6, and then click the DVWA bookmark.
You receive a "The connection was reset" error page.
In the Configuration Utility, on the Bot Defense > Requests tab reload the page and examine the
Request Status, Action, and Reason columns.
The request was blocked due to coming from a suspicious browser. No CAPTCHA challenge was
presented.
In Chrome click the Chrome UA Spoofer button and select Chrome > Default, and then close Chrome.
That concludes this demo on using BIG-IP ASM’s layer 7 DoS protection to block suspicious browsers.