
F5 Customer Demo

ASM – Using Layer 7 DoS Protection to Block Suspicious Browsers
Document version 13.0.A
Written for: TMOS® Architecture v13.0
Virtual images:
BIGIP_ASM_v13.0
LAMP_6
Windows_7_External_v8

The purpose of this demo is to show how ASM protects web applications from suspicious browsers. You’ll start
by submitting several requests to a web application using incorrect user-agent values. You’ll then create an ASM
DoS profile and enable proactive bot defense. You’ll then attempt the same requests and show how ASM either
blocks the request or presents a CAPTCHA challenge.

NOTE: The F5 vLab (virtual lab environment) is an F5-community supported tool.


Please DO NOT contact F5 Support for assistance with the vLab. For help with the setup of the vLab
or running a demonstration, you should contact your F5 Channel Account Manager (CAM).

F5 Worldwide Field Enablement Last Updated: 3/23/2018


Learn More, Sell More, Sell Faster

Contact Chris Manly (c.manly@f5.com) with any questions or feedback for this demo.
©2017 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in
certain other countries. Other F5 trademarks are identified at f5.com.

Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or
affiliation, express or implied, claimed by F5.

These training materials and documentation are F5 Confidential Information and are subject to the F5 Networks Reseller Agreement. You
may not share these training materials and documentation with any third party without the express written permission of F5.

Part 1 – Preparing the Demo Environment


• Required virtual images: BIGIP_ASM_v13.0, LAMP_6, Windows_7_External
• Estimated completion time: 10 minutes

Task 1 – Create a Security Policy using Rapid Deployment


Create a security policy for dvwa_virtual using the Rapid Deployment security policy.

 In VMware, start up the BIGIP_ASM_v13.0, LAMP_6, and Windows_7_External images.


 On the Windows_7_External desktop, use PuTTY to access and log in to 10.1.1.245.
 At the CLI type:
tmsh
load sys ucs clean_install_BIGIP_ASM_v13.0.ucs no-license
y

→NOTE: If you use the Configuration Utility to restore the archive file it may damage an updated license.

If you do not have the BIGIP_ASM_v13.0 image or the clean_install_BIGIP_ASM_v13.0.ucs
archive file, complete the vLab Setup – ASM Demos and Exercises.

 On the Windows_7_External desktop, use a web browser to access and log in to https://10.1.1.245.
 In the Configuration Utility, open the Application Security > Security Policies > Policies List page, and
then click Create New Policy.
 Use the following information for the new policy, and then click Create Policy.
Policy Name browsers_security_policy
Policy Template Rapid Deployment Policy
Virtual Server dvwa_virtual

 Once the policy is created, open the Security > Application Security > Policy Building >
Learning and Blocking Settings page.
 From the list on the right-side of the page select Advanced.

 Expand Attack Signatures, and then click Change.


 Clear the Generic Detection Signatures checkbox, then click Change, then click Save, and then
click Apply Policy and OK.
We’re removing the security policy attack signatures so we can focus on ASM’s DoS protection.
 Open the Security > Event Logs > Logging Profiles page and click Create.
 For Name, enter lorax_log_profile.
 Select the Application Security, DoS Protection, and Bot Defense checkboxes.

WWFE vLab Guides – Demo: ASM – Using Layer 7 DoS to Block Suspicious Browsers; v13.0.A Page | 3
 On the Application Security tab, for Request Type select All requests.
 On the DoS Protection tab select the Local Publisher checkbox.
 On the Bot Defense tab select the Local Publisher, Log Illegal Requests, Log Challenged Requests, and
Log Legal Requests checkboxes, and then click Finished.
 Open the Virtual Server List page and click dvwa_virtual, and then open the virtual
server Security > Policies page.
 Select Log all requests and click >>.
 Select lorax_log_profile and click <<, and then click Update.
 Create an archive file named demo_asm_layer7_suspiciousbrowsers_v13.0.


Part 2 – Delivering the Demo to a Customer


• Required virtual images: BIGIP_ASM_v13.0, LAMP_6, Windows_7_External
• Required archive file: demo_asm_layer7_suspiciousbrowsers_v13.0.ucs
• Estimated completion time: 15 minutes

BEFORE THE DEMO – Restore the BIG-IP Configuration


Restore the archive file you created in Part 1.

 In VMware, start up the BIGIP_ASM_v13.0, LAMP_6, and Windows_7_External images.


 On the Windows_7_External desktop, use PuTTY to access and log in to 10.1.1.245.
 At the CLI type:
tmsh
load sys ucs demo_asm_layer7_suspiciousbrowsers_v13.0.ucs no-license
y

→NOTE: If you use the Configuration Utility to restore the archive file it may damage an updated license.

 On the Windows_7_External desktop, use a web browser to access and log in to https://10.1.1.245.

Demo Task 1 – Use Tools to Manipulate the Web Browser User-Agent


Use attack tools to simulate layer 7 bot DoS attacks.

 In the Configuration Utility, open the Security > Event Logs > Application > Requests page.
 Clear the filter by clicking on the X next to Illegal Requests.

Currently there are no log entries.


 Open a command prompt and copy and paste the following:
curl -A "Fire Explorer" http://10.1.10.35/login.php?[1-40]
cURL is a command-line tool for getting or sending files using URL syntax. The cURL result is the HTML
source of the DVWA login page. The -A switch sets the User-Agent string that is sent to the
web server. The [1-40] range uses cURL’s URL globbing to send 40 requests, one for each value from
login.php?1 to login.php?40.
 Open an incognito (Chrome) window and click the DVWA bookmark.
 Click the Chrome UA Spoofer button.

 Select Safari > Mac Safari 7.

 Click the Chrome UA Spoofer button and select Internet Explorer > Internet Explorer 6.
 Click the Chrome UA Spoofer button and select Android > Android KitKat, and then close the page.
 In the Configuration Utility, on the Application > Requests page select the Auto Refresh icon and
select Refresh.

 Select the most recent /login.php log entry (at the top of the list).
 Click the filter icon for [HTTP]/login.php, and then select Add to filter.

This filters the list of log entries to just the requests for /login.php.
 Select each log entry from the bottom to the top and on the Request tab view the User-Agent value.
The requests appear to have come from several browsers: Fire Explorer, Chrome, Safari, IE 6, and
Android.
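
As an added illustration (not part of the F5 guide), the pattern visible in the request log above, one client presenting several unrelated User-Agent values, can also be flagged from ordinary web server logs. The sketch assumes Apache combined log format on the back-end server; the addresses, log lines and the function names ua_family and suspicious_clients are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: Apache combined-format lines (assumed format) with
# documentation-range addresses, mirroring the requests sent in Demo Task 1.
SAMPLE_LOG = '''\
192.0.2.10 - - [23/Mar/2018:10:00:01 +0000] "GET /login.php?1 HTTP/1.1" 200 1523 "-" "Fire Explorer"
192.0.2.10 - - [23/Mar/2018:10:00:09 +0000] "GET /login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"
192.0.2.10 - - [23/Mar/2018:10:00:15 +0000] "GET /login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A"
192.0.2.10 - - [23/Mar/2018:10:00:21 +0000] "GET /login.php HTTP/1.1" 200 1523 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [23/Mar/2018:10:00:27 +0000] "GET /login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.99 Mobile Safari/537.36"
192.0.2.20 - - [23/Mar/2018:10:01:02 +0000] "GET /login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"
'''

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Order matters: Android and Chrome User-Agents also contain "Safari/".
FAMILY_TOKENS = [("android", "Android"), ("ie", "MSIE "), ("ie", "Trident/"),
                 ("chrome", "Chrome/"), ("safari", "Safari/"), ("firefox", "Firefox/")]

def ua_family(ua):
    """Map a User-Agent string to a coarse browser family, or 'unknown'."""
    if not ua.startswith("Mozilla/"):
        return "unknown"
    for family, token in FAMILY_TOKENS:
        if token in ua:
            return family
    return "unknown"

def suspicious_clients(log_text, max_families=2):
    """Return {client_ip: [reasons]} for clients whose User-Agent usage looks spoofed."""
    families = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not parse are skipped rather than raising
            families[m["ip"]].add(ua_family(m["ua"]))
    findings = {}
    for ip, fams in families.items():
        known = fams - {"unknown"}
        reasons = []
        if "unknown" in fams:
            reasons.append("unrecognized User-Agent")
        if len(known) > max_families:
            reasons.append("%d browser families from one address" % len(known))
        if reasons:
            findings[ip] = reasons
    return findings

print(suspicious_clients(SAMPLE_LOG))
```

Header-only grouping like this misses a bot that sends one valid User-Agent and can fire on clients behind a shared NAT address, which is why the next task relies on a browser challenge instead of the header alone.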

Demo Task 2 – Enable Layer 7 DoS Protection to Block Requests from Suspicious Browsers

A BIG-IP ASM DoS protection profile lets you prevent application-layer DoS attacks by enabling
Layer 7 application DoS protection for HTTP traffic.

 Navigate to Security > DoS Protection and right-click on DoS Profiles, and then
select Open Link in New Tab.
 In the new tab click Create.
 Name the new profile dvwa_dos_profile and click Finished.
 Click dvwa_dos_profile, and then open the Application Security page.

 On the General Settings page click Disabled and then select the Enabled checkbox.
 Click Proactive Bot Defense, then click Off, then change Operational Mode to Always.
The Block requests from suspicious browsers options are already enabled. This feature enables ASM
to block highly suspicious browsers and present a CAPTCHA challenge to moderately suspicious
browsers.

 Click Update.
 Open the Virtual Server List page and click dvwa_virtual, and then open the virtual
server Security > Policies page.
Notice we already have an ASM security policy attached to this virtual server named
dvwa_security_policy.
 From the DoS Protection Profile list select Enabled, then select dvwa_dos_profile, then click Update,
and then close the second tab.
Also notice we have a custom log profile attached to this virtual server named dvwa_log_profile.
 In the command prompt resubmit the following command several times until you receive the JavaScript
challenge:
curl -A "Fire Explorer" http://10.1.10.35/login.php?[1-40]

The command eventually fails because it didn’t pass the JavaScript challenge.
 Open the Security > Event Logs > Bot Defense > Requests page, and then examine the Bot Defense log.

→NOTE: To view the columns on the right side of the page, click your mouse into the log entries
and then use the arrow keys on your keyboard.

These requests were blocked due to a browser challenge. ASM responded to the request with a
JavaScript challenge which the fake browser couldn’t respond to. Proactive Bot Defense stops simple
bots that try to impersonate legitimate browsers with invalid User-Agent headers.
 Open an incognito (Chrome) window, then click the Chrome UA Spoofer button and
select Chrome > Default, then click the DVWA bookmark, and then close the page.
You are presented with the DVWA login page.
 In the Configuration Utility, on the Bot Defense > Requests tab reload the page.

The request was allowed. It passed the browser challenge and therefore wasn’t presented with the
CAPTCHA challenge.

 Open an incognito (Chrome) window and click the Chrome UA Spoofer button, then
select Safari > Mac Safari 7, and then click the DVWA bookmark.
You are presented with a CAPTCHA challenge.

ASM compares the user agent string to the actual capabilities of the web browser. If the web
browser tells us it is Chrome on Windows 7 then ASM sends a JavaScript challenge to ensure that the
web browser behaves like Chrome. If the results are too different (score < 60), then it is considered a
highly suspicious browser and blocked completely. If it is similar enough (score >= 59) then it is
considered a moderately suspicious browser and receives the CAPTCHA challenge.
 Enter the CAPTCHA challenge and click submit to view the DVWA login page, and then close the page.
 In the Configuration Utility, on the Bot Defense > Requests tab reload the page and examine the
Request Status, Action, and Reason columns.

The request was allowed. It was identified as a suspicious browser, but then passed the CAPTCHA
challenge.
 Open a new incognito window and click the Chrome UA Spoofer button, then
select Internet Explorer > Internet Explorer 6, and then click the DVWA bookmark.
You receive a “The connection was reset” error page.
 In the Configuration Utility, on the Bot Defense > Requests tab reload the page and examine the
Request Status, Action, and Reason columns.
The request was blocked because it came from a suspicious browser. No CAPTCHA challenge was
presented.
 In Chrome click the Chrome UA Spoofer button and select Chrome > Default, and then close Chrome.

That concludes this demo on using BIG-IP ASM’s layer 7 DoS protection to block suspicious browsers.
