This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
nfrontin
Explorer
‎2024-04-08 07:04 AM

Brute Force Attack and IP Ban

Hello,

We have done some testing with brute force attack, thousands of requests from a single IP.

Most of complex attacks (XSS, Path Traversal, Injection ...) were blocked but the others were classified and let go through by appsec.

Server behind was suffering with the amount of request.

Is there a way for the appsec to handle that kind of thing ? Saying ok, this IP has a bad overall behaviour, too many bad requests so it is banned for an amount of time.

Best regards

Nicolas

 

0 Kudos
1 Reply
yuvalmamka
Employee
Employee
‎2024-04-09 01:20 AM

Hi,

The WAF engine decides to block or not based on indicators we found and additional data we learn.
In case we see new requests, we didn't learn before, the decision will be made based on the indicators and the information we learned so far.

The IP will have a low user reputation as we will recognize it has a lot of malicious requests.

In this case, I can recommend turning on the Rate Limit capability and to set up a limit to the number of requests from a specific source to a specific timeframe.

0 Kudos
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events