
F5 Silverline - Upcoming Changes to Silverline WAF Bot Defense

 

Description

F5 Silverline WAF is deprecating support for "During Attacks" mode of Bot Defense within Layer 7 DDoS Profiles.

 

Environment

  • Silverline Portal
  • L7 DDoS Profiles with Bot Defense
  • WAF customers
  • Upgrading Proxies to Next-Gen Infrastructure
  • Customers leveraging 'During Attacks' operating mode for Bot Defense

 

Details 

The "During Attacks" option for L7DDoS-profile configured Bot Defense will be deprecated in Silverline's Next-Gen Proxy Infrastructure.

 


 

The final date of support for 'During Attacks' operating mode will be October 30th, 2022. After this time, when you enable Bot Defense on an L7DDoS profile, the mode will be Always-on. The Portal option to configure 'During Attacks' will be removed.

 

Customers must transition to the always-on configuration prior to upgrading proxy services for proxies configured with a L7DDoS profile leveraging during-attacks configuration of Bot Defense. 

 

Customer Guidelines:

Customers leveraging the 'During Attacks' mode for Bot Defense are encouraged to evaluate their application for compatibility with a transition to always-on configuration.  We offer the following suggestions to assist you in developing an appropriate plan for the transition:

  1. Self-Service testing: Within a suitable maintenance window, change the Bot Defense configuration on your L7DDoS profile to use 'Always'.  Observe application stability and determine if the new configuration works for your environment.
  2. SOC-assisted testing: Work with the Silverline SOC to switch to always-on configuration and observe traffic patterns.  Make a determination whether the configuration works for your environment.
  3. Use a non-production environment: If you already have a Staging/non-prod/UAT or similar proxy service, switch bot defense to 'Always' on the non-prod L7DDoS profile.  Evaluate as required and proceed with production change if acceptable.
  4. Evaluate the practical utility of the configuration in your environment: How many times in the last year has the application experienced a L7DDoS attack that caused Bot Defense to be invoked?  The SOC is available to assist in finding this out. If the answer is 'rarely' or 'never', option #5 below may be suitable for your environment.
  5. Turn off bot defense during peacetime: Some customers leverage an operational playbook that will enable certain protections when malicious activity is high, during mission-critical business periods (e.g. Nov/Dec for Retail, March/April for tax brokers, etc.).  Always-on bot-defense can be a useful tool to enable at selective times.
  6. Limit bot defense to sensitive areas of the application: In many environments, there is no real-world utility in providing challenge-based bot protection to all areas of the application.  Static, cacheable resources are typically accessed by automated clients all the time (web proxies, cache servers, index crawlers etc) and there is little-to-no security value in protecting such resources with anti-bot technology.  More sensitive parts of the application, however, such as login pages, search/price queries, post-auth privileged access and so on, can benefit from bot protection.  Silverline can assist with setting up such a configuration.
  7. Consider F5's other Bot Defense services: Silverline's Anti-Bot offering provides entry-level functionality against automation; however, within the F5 Cloud family there are other, more feature-rich options for bot protection:

 

 

Customers will be unable to leverage 'during attacks' mode on the Next-Gen proxy infrastructure, and so must complete this evaluation before upgrading a proxy.  See https://support.f5silverline.com/hc/en-us/articles/1500003102602-How-to-Upgrade-a-Proxy-to-Next-Gen-Proxy-Infrastructure

 

FAQs:

Q:

Why is Silverline deprecating a feature?

A: 

1. Reduced security value

Layer 7 DDoS and Bots are, while related, inherently different entities presenting different security challenges.  It no longer makes sense to have them directly coupled, as they have been.  A requirement for protection against automation need not be coupled with rate and stress-based L7DDoS thresholds; invoking anti-automation only when thresholds are breached is less robust protection.

Attackers are becoming more sophisticated and aware of defenses they encounter.  A threat actor need only observe responses from a L7DDoS-protected application to roughly determine the thresholds in use, then configure his/her bots at a rate just below the thresholds to evade detection.

 

2. Improved Bot protection

The Bot Defense feature on F5 Silverline provides a simple turnkey solution to protect the application against automated attacks. However, even below a blanket rate threshold, sustained automated attacks can be launched that impact specific application services. 

To get customizable, full-featured bot detection and mitigation capabilities, customers should consider enabling Silverline Shape Defense.

 

 

Q:

How does the 'always-on' operating mode for Bot Defense function?

A:

In Always-on mode, bot defense will issue a JavaScript-based challenge to every inbound request hitting the proxy on which it is configured.  The client must solve the challenge to proceed to access the protected resource.  Once the client solves the challenge, an authorization cookie is presented which prevents the client from having to solve the challenge on subsequent requests.

The nature of the JS challenge is unchanged from the 'during attacks' configuration.  In 'during attacks' the JS challenges would only be invoked once the system detects an ongoing attack by virtue of the other configured Rate-based or Stress-Based thresholds.  With always-on, every initial request will be challenged irrespective of other L7DDoS conditions. 

 

Q:

Will this impact my application?

A: 

It is impossible to predict how this change will impact application behavior, and as such we encourage customers leveraging 'during attacks' operating mode to evaluate the always-on configuration prior to making production changes.  However, some important notes:

  • The functional nature of the JS challenge is unchanged.  If you have legitimate clients for your applications that are unable to process the challenge, such clients would be impacted by Bot Defense whether set to 'during attacks' or 'always'.
  • Always-on will challenge every initial request, not every single request

 

Q:

How can I mitigate the risk of impact to my application?

A: 

Evaluate always-on protection per the guidelines in the section above. 

 

Q:

What clients are typically impacted by JavaScript-challenge based Bot Defense?

A: 

Typically, the following client types do not have the ability to process JavaScript, and will be prevented from accessing a protected resource:

  • Mobile app clients
  • API clients
  • Non-Browser clients
  • Headless browsers
  • Indexing bots
  • Web crawlers/scrapers
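
To support the compatibility evaluation and the "limit bot defense to sensitive areas" guideline, the following added example (not Silverline or F5 code) estimates, per top-level path, how many requests in an origin access log come from the client types listed above. It assumes combined log format and uses hypothetical User-Agent substrings as a heuristic; User-Agent values can be spoofed, so treat the output as a compatibility estimate for legitimate clients, not as bot detection.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = '''\
198.51.100.7 - - [01/Oct/2022:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/105.0 Safari/537.36"
198.51.100.8 - - [01/Oct/2022:10:00:02 +0000] "POST /api/v1/orders HTTP/1.1" 201 88 "-" "okhttp/4.9.3"
198.51.100.9 - - [01/Oct/2022:10:00:03 +0000] "GET /api/v1/prices?sku=1 HTTP/1.1" 200 140 "-" "python-requests/2.28.1"
203.0.113.5 - - [01/Oct/2022:10:00:04 +0000] "GET /static/site.css HTTP/1.1" 200 900 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [01/Oct/2022:10:00:05 +0000] "GET /static/app.js HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15"
203.0.113.6 - - [01/Oct/2022:10:00:06 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/105.0 Safari/537.36"
198.51.100.7 - - [01/Oct/2022:10:00:07 +0000] "GET /api/v1/prices HTTP/1.1" 200 140 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/105.0 Safari/537.36"
'''

# Assumed User-Agent substrings per client type from the list above; tune for your own clients.
MARKERS = [
    ("headless browser", ("headlesschrome", "phantomjs")),
    ("indexing bot / crawler", ("bot", "crawler", "spider")),
    ("mobile app", ("okhttp", "cfnetwork", "dalvik")),
    ("API / non-browser", ("curl", "python-requests", "go-http-client", "java/")),
]
LINE_RE = re.compile(r'"\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

def classify(user_agent):
    """Return the at-risk client type, or None for a browser-like User-Agent."""
    ua = user_agent.strip().lower()
    if ua in ("", "-"):
        return "API / non-browser"  # a missing User-Agent is treated as non-browser
    for kind, needles in MARKERS:
        if any(n in ua for n in needles):
            return kind
    return None

def challenge_exposure(log_text):
    """Per top-level path: total requests and those unlikely to solve a JS challenge."""
    report = defaultdict(lambda: {"total": 0, "at_risk": 0, "kinds": Counter()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path, ua = m.groups()
        prefix = "/" + path.split("?", 1)[0].lstrip("/").split("/")[0]
        row = report[prefix]
        row["total"] += 1
        kind = classify(ua)
        if kind:
            row["at_risk"] += 1
            row["kinds"][kind] += 1
    return dict(report)
```

Paths where most requests are at risk (APIs, static assets fetched by crawlers) are candidates for exclusion from challenge-based protection, while paths such as login pages with mostly browser traffic are candidates for always-on.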

 

Q:

Always-on bot defense will not work for me, but I require bot protection.  What are my options?

A: 

 

Related Content

How To Upgrade A Proxy To Next-Gen Proxy Infrastructure

Q&A: What Is "Upgrade Available" Label In Proxy Management?

Shape Defense Overview

Q&A: L7DDOS FAQ

How To Configure New L7 DDoS Profiles

 

 
