F5 Distributed Cloud - Advanced Bot Security
Lab 1: Deploying Load Balancer, Configuring F5 Distributed Cloud BotDefense
Lab 1 will focus on the deployment and security of an existing hosted application using F5 Distributed Cloud Platform and Services. This lab will be deployed in a SaaS-only configuration with no on-premises (public or private cloud) elements. All configuration will be done via the F5 Distributed Cloud Console and within the F5 Distributed Cloud Global Network services architecture.
The overall goal of this set of labs is to showcase how easily F5 Distributed Cloud BotDefense can be enabled. This lab will also act as a quick refresher on how web-based login forms work and how easily they can be exploited by credential stuffing attacks. Once this initial lab is complete, we will expand on the concepts of attacks and security by utilizing the automation toolkit known as OpenBullet.
For the tasks that follow, you should have already noted your individual namespace. If you failed to note it, return to the Introduction section of this lab, follow the instructions provided and note your namespace accordingly. The Delegated Domain and the F5 Distributed Cloud Tenant are listed below for your convenience as they will be the same for all lab attendees.
Delegated Domain: .lab-sec.f5demos.com
F5 Distributed Cloud Tenant: https://f5-xc-lab-sec.console.ves.volterra.io
Following the tasks in the prior Introduction section, you should now be able to access the F5 Distributed Cloud Console, having set your Work Domain Roles and Skill levels. If you have not done so already, please log in to your tenant for this lab and proceed to Task 1.
Task 1: Configure Load Balancer, Origin Pool, WAF and BotDefense
Note: The “shared/base-appfw” policy is in the “shared” namespace, so it can be applied to multiple Load Balancer configurations across namespaces, reducing policy sprawl.
Note: The above selection controls how and where the application is advertised. The “Internet” setting means that this application will be advertised globally using the F5 Distributed Cloud Global Network, utilizing Anycast.
Task 2: Curl - Direct
Run this lab from the JUMPHOST
Launch the Chrome Browser and navigate to https://airline-backend.f5se.com/user/vipsignin
Once the page has loaded, right-click on it, choose Inspect, then navigate to the Network tab in the panel that opens on the right-hand side. This will allow you to monitor what content is loaded and submitted during interactions with the site.
At the login prompt, enter the test credentials (username: john.smith@nobody.com, password: test123) and then click Confirm.
This should log you into the account, but more importantly, look in the right-hand panel and find the vipsignin POST request. Clicking on this entry shows the POST request that was created for your login.
Switch to the Payload tab to see the exact data that was submitted. The username and password are expected, but we also see a tracking token (though it is not used here).
Right-click on the vipsignin entry, choose Copy, then Copy as cURL (bash). Open Notepad from the Windows Start menu and paste the contents in. This will allow you to inspect the request in greater detail.
Click the Ubuntu icon on the desktop to open a bash prompt. Once open, you can paste the same curl command into the bash prompt to execute the request. This example shows just how easy it is, at a basic level, to execute credential stuffing style attacks.
Using any scripting language (Python, Perl, bash), it becomes trivial to test large numbers of username and password combinations.
Task 3: Compare Via Bot Defense
Run this lab from the JUMPHOST
Launch the Chrome Browser and navigate to http://namespace.lab-sec.f5demos.com/user/vipsignin, where namespace is the individual namespace you noted earlier (note: HTTP, not HTTPS).
Once the page has loaded, right-click on it, choose Inspect, then navigate to the Network tab in the panel that opens on the right-hand side. This will allow you to monitor what content is loaded and submitted during interactions with the site.
At the login prompt, enter the test credentials (username: john.smith@nobody.com, password: test123) and then click Confirm.
This should log you into the account, but more importantly, look in the right-hand panel and find the vipsignin POST request. Clicking on this entry shows the POST request that was created for your login.
Switch to the Payload tab to see the exact data that was submitted.
We can see several additional payload entries. The hardened JavaScript silently interrogates the browser and watches as users interact with the page, capturing telemetry which is encrypted and sent along with the POST.
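The comparison made by hand in Task 2 and Task 3 (direct POST body versus the Bot Defense-protected POST body) can also be scripted as a verification step. The following is an added example written for this lab; it is not F5 code, and the two request bodies, the `bd_telemetry` and `bd_sig` field names and their values are constructed placeholders standing in for whatever the real Bot Defense JavaScript appends, so only the technique (parse both bodies, diff the field sets, confirm the credential fields are untouched and the added values look opaque rather than plaintext) carries over.

```python
"""Compare a login POST body captured from the direct site (Task 2) with one
captured from the Bot Defense-protected hostname (Task 3).

Added example for this lab, not F5 code. Field names and values for the
telemetry entries are constructed placeholders, not the real ones Bot Defense
emits; paste the real bodies from the Chrome Payload tab to use this for real.
"""
import math
from urllib.parse import parse_qs

# Constructed sample: body as copied via "Copy as cURL" in Task 2.
DIRECT_BODY = (
    "username=john.smith%40nobody.com&password=test123&trackingToken=abc123"
)

# Constructed sample: the same login sent through the protected hostname in
# Task 3. The bd_* fields are placeholders for the encrypted telemetry blob.
PROTECTED_BODY = (
    "username=john.smith%40nobody.com&password=test123&trackingToken=abc123"
    "&bd_telemetry=x9Kq3LmZ7pT2vRwY5bN8cHd4FgJ6sA1eU0iO"
    "&bd_sig=Mz8Qa2LxV4Kp7Nr1"
)

# Fields the application itself expects on the vipsignin POST.
EXPECTED_FIELDS = {"username", "password", "trackingToken"}

# Plaintext like "test123" scores ~2.5 bits/char; an encrypted or base64
# blob with many distinct characters scores well above this threshold.
OPAQUE_ENTROPY_BITS = 3.5


def parse_body(body: str) -> dict[str, str]:
    """Parse an application/x-www-form-urlencoded body, one value per field."""
    parsed = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; a rough plaintext-vs-blob heuristic."""
    if not value:
        return 0.0
    counts: dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def compare_bodies(direct: str, protected: str) -> dict:
    """Report what the protected request carries beyond the direct one."""
    direct_fields = parse_body(direct)
    protected_fields = parse_body(protected)
    added = sorted(set(protected_fields) - set(direct_fields))
    # The JavaScript must only add telemetry; it must not alter the login data.
    credentials_unchanged = all(
        direct_fields.get(f) == protected_fields.get(f) for f in EXPECTED_FIELDS
    )
    looks_opaque = {
        f: shannon_entropy(protected_fields[f]) >= OPAQUE_ENTROPY_BITS
        for f in added
    }
    return {
        "added_fields": added,
        "credentials_unchanged": credentials_unchanged,
        "looks_opaque": looks_opaque,
    }


if __name__ == "__main__":
    report = compare_bodies(DIRECT_BODY, PROTECTED_BODY)
    print("Fields added by the protected page:", report["added_fields"])
    print("Credential fields unchanged:", report["credentials_unchanged"])
    for field, opaque in report["looks_opaque"].items():
        print(f"  {field}: {'opaque blob' if opaque else 'looks like plaintext'}")
```

If `added_fields` comes back empty when run against a body captured from the protected hostname, the Bot Defense JavaScript did not instrument the form, which is the first thing to check before trusting any mitigation results in the later labs.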
End of Lab 1: This concludes Lab 1, feel free to review and test the configuration.