3. BotDefense

F5 Distributed Cloud Bot-Defense protects against a broad set of bot-based attacks, including credential stuffing, account takeover, fraud, and account abuse. This guided lab steps through the concepts found in the How to guide. For additional review, see the Simulator.

Signature-based Bot protection

Review the Bot signature configuration and view logged security events.

  1. In the left-hand navigation menu, expand the Security section and click App Firewall. Towards the right side of the blocking-app-firewall, click the three dots in the Actions column, then click Manage Configuration.

    lab001

  2. Click Edit Configuration in the top right corner.

    lab002

  3. On the left-side navigation, click Detection Settings. Then, in the Detection Settings section, select Signature-Based Bot Protection from the dropdown menu, and select Custom.

    lab003

  4. In the expanded configuration window, observe the three Bot signature categories: Malicious, Suspicious, and Good. Also observe the actions Block, Ignore, and Report, which can be reviewed by selecting one of the dropdowns.

    lab004

  5. Click Cancel and Exit to leave this window.

    lab005

  6. Open a terminal window or DOS prompt on your respective client and issue the following command: curl -v http://<namespace>.lab-sec.f5demos.com. Observe the User Agent and response content.

    lab006

  7. Return to the F5 Distributed Cloud Console. In the left-hand navigation menu, expand the Virtual Hosts section, click HTTP Load Balancers, select the http-load-balancer object, and select Security Monitoring.

    lab007

  8. Select Security Monitoring, and click Security Events.

    lab008

  9. Locate the security event that was triggered by the curl request, expand it, and observe the “Suspicious” Bot reporting. The setting for Suspicious Bot was set to Report.

    lab009
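The category-to-action behaviour seen in steps 4 to 9, as an added example that is not F5's code: a simplified User-Agent signature matcher. The signature patterns, the Malicious and Good actions, and the names `evaluate`, `Verdict`, `POLICY` and `SAMPLES` are assumptions; only Suspicious = Report comes from the lab.

```python
import re
from typing import NamedTuple, Optional

# Hypothetical signatures (assumption): the product's real signature set is
# vendor-maintained and not shown on this page. First match wins.
SIGNATURES = [
    ("Malicious", re.compile(r"\b(sqlmap|nikto)\b", re.I)),
    ("Suspicious", re.compile(r"^(curl|Wget|python-requests)/", re.I)),
    ("Good", re.compile(r"\b(Googlebot|bingbot)\b", re.I)),
]

# Category -> action. Only Suspicious=Report is confirmed by step 9;
# the other two values are constructed for this example.
POLICY = {"Malicious": "Block", "Suspicious": "Report", "Good": "Ignore"}


class Verdict(NamedTuple):
    category: Optional[str]  # None when no signature matched
    action: Optional[str]
    allowed: bool            # request is forwarded to the origin
    logged: bool             # a security event is recorded


def evaluate(user_agent: Optional[str], policy=POLICY) -> Verdict:
    """Classify one request by its User-Agent header and apply the policy."""
    ua = (user_agent or "").strip()
    for category, pattern in SIGNATURES:
        if pattern.search(ua):
            action = policy[category]
            # Assumed semantics: Block denies and logs, Report forwards and
            # logs, Ignore forwards without an event.
            return Verdict(category, action, action != "Block", action != "Ignore")
    return Verdict(None, None, True, False)


# Constructed sample requests (not captured from the lab).
SAMPLES = [
    "curl/8.4.0",
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "sqlmap/1.7 (https://sqlmap.org)",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
    None,  # header absent
]

if __name__ == "__main__":
    for ua in SAMPLES:
        print(f"{str(ua)[:40]!r:44} -> {evaluate(ua)}")
```

The curl sample is forwarded and logged, matching the response content in step 6 and the event in step 9. The last two samples match no signature, so a verdict based only on the declared User-Agent header says nothing about them.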

AI-Driven BotDefense

  1. Open another tab in a browser (Chrome shown), navigate to the application/Load Balancer configuration: http://<namespace>.lab-sec.f5demos.com

    lab010

  2. Open developer tools (Chrome shown; press F12) and click on the Network tab. Click the three-bar menu icon (top right of the browser) and navigate to the Access link. Log in to the website using the following credentials.

    • Identity: user@f5.com

    • Token: password

    lab011

  3. In the Developer window, locate the POST request that was made to the auth.php page. You may use the filter to find auth.php.

    lab012

  4. Select the Request tab in the payload window that appears and observe that only limited form POST data is sent (identity, token, and submit).

    lab013

  5. Navigate to Manage > Load Balancer > HTTP Load Balancers, click the Action Dots, and click Manage Configuration.

    lab014

  6. Click Edit Configuration in the top right-hand corner.

    lab015

  7. Click Security Configuration in the left-hand navigation, then locate the Bot Defense Config dropdown.

    lab016

  8. Select Specify Bot Defense Configuration

    lab017

  9. In the flyout click Configure

    lab018

  10. Locate the additional positioning options in the JavaScript Insertion section, then click Configure in the Protected Endpoints section.

    lab019

  11. In the new App Endpoint Type click add-item

    lab020

  12. In the Application Endpoint section supply the following values:

    • Metadata\Name: auth-bot

    • HTTP Methods: POST

    • Protocol: BOTH

    • Path\Path Match: Prefix

    • Prefix: /auth.php

    • Bot Traffic Mitigation\Select Bot Mitigation Action: Block

    lab021

  13. Scroll to the bottom and click add-item

    lab022

  14. Click apply on the App Endpoint Type screen

    lab023

  15. Click apply on Protected App Endpoints

    lab024

  16. Scroll to the bottom on the HTTP Load Balancer screen, and click save-and-exit

    lab026

  17. Observe now that there is additional telemetry being passed in the POST request. This telemetry will be used to determine if the connecting client is an Automated Bot.

    lab027