Configuration of brute force protection¶
There are the following classes of brute‑force attacks:
Session identifiers brute‑forcing
Forced browsing (dirbust)
Behavioral attacks are characterized by a large number of requests with different forced parameter values sent to a typical URL for a limited timeframe.
Restrictions in types of resources protected against brute force
Wallarm WAF analyzes only HTTP traffic for brute‑force attacks.
These instructions provide steps to configure brute force protection.
If the WAF node is deployed behind a proxy server or load balancer, then configure displaying of a real IP address of the client.
Configure the trigger Mark as brute force/dirbust.
Test the configuration of brute force protection.
Configuring the trigger to identify brute force¶
Open the Wallarm Console → section Triggers and open the window for trigger creation.
Select the condition Number of requests and set the request number threshold or leave the default threshold value.
- If the threshold is exceeded, then the requests will be marked as brute‑force attack.
- If the threshold is exceeded and the code 404 is returned in the response to all requests, then the requests will be marked as dirbust (forced browsing) attack.
Set the URL to filter all incoming requests by this URL and activate the trigger:
- If you configure password brute‑forcing protection, then set the URL used for authentication.
- If you configure dirbust protection, then set the URL of resource file directory.
URL can be set in one of the following ways:
- Via the rule defining attack counter for any port listening for incoming requests. The created counter should be selected in the trigger filter Counter name.
- Via the URL trigger filter if the protected resource listens for incoming requests on port other than 80 or 443. The value should correspond to the format
If required, set other trigger filters:
- Application the requests are addressed to.
- One or more IP the requests are sent from.
Select trigger reactions:
- Mark as brute force/dirbust to mark requests sent after the threshold was exceeded as the brute‑force or dirbust attack. Requests will be marked as an attack but will not be blocked. To block requests, it is required to select one more reaction Blacklist IP address.
- Blacklist IP address and the period for IP address blocking to add IP addresses from which malicious requests were originated to the blacklist. All requests sent after the threshold was exceeded will be blocked by the WAF node.
Example of a configured rule defining attack counter and trigger:
Description of the provided example and other trigger examples used for brute force protection is available within this link.
You can configure several triggers for brute force protection.
Testing the configuration of brute force protection¶
Send the number of requests that exceeds the configured threshold to the protected URL. For example, 50 requests to
for (( i=0 ; $i<51 ; i++ )) ; do curl https://example.com/api/frontend/login ; done
Open the Wallarm Console → section Blacklist and check that IP address from which the requests were originated is blocked for the period configured in the trigger.
Open the section Events and check that requests are displayed in the list as the brute‑force or dirbust attack.
The number of displayed requests corresponds to the number of requests sent after the trigger threshold was exceeded (more details on detecting behavioral attacks). If this number is higher than 5, request sampling is applied and request details are displayed only for the first 5 requests (more details on requests sampling).
To search for attacks, you can use the filters, for example:
dirbustfor dirbust attacks,
brutefor brute‑force attacks. All filters are described in the instructions on search using.