F5 BigIP Brute Force and Session Abuse

Multiple Users with Authentications from Singular, non-Whitelisted IP

Basically I needed a way to determine whether a series of users are connecting from a single IP. This is particularly useful under COVID-19 work-from-home constraints.
The search is intended to look at the VPN index for a new session initiation, excluding all RFC1918 traffic as a source.

The search then left-joins any failed attempts for the same sessions. The thought process behind this is that if you have more than one user on more than one session from a single IP, those users may well be either co-located or working from a location they aren’t supposed to (Starbucks, shared Wi-Fi, etc.).

Potential Session Hijack

This search is very similar to the one above, except that it looks at a slightly different metric. Where the one above primarily looks for multiple users and sessions from one IP, this one detects when any individual user has had more than one successful session opened within any 5-minute time frame.
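To show both detections end to end, here is an added stand-alone Python equivalent of the two searches described above (it is not the author's search logic and does not run against a SIEM). It assumes a constructed key=value access-log format with `user`, `src`, `action` and `result` fields; the sample events are made up for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the style of an F5 APM access log (not data from the page).
SAMPLE_LOG = """\
2020-04-01T09:00:00 user=alice src=203.0.113.5 action=session_start result=success
2020-04-01T09:01:00 user=bob src=203.0.113.5 action=session_start result=failure
2020-04-01T09:02:00 user=bob src=203.0.113.5 action=session_start result=success
2020-04-01T09:00:30 user=carol src=10.1.2.3 action=session_start result=success
2020-04-01T09:00:45 user=dave src=10.1.2.3 action=session_start result=success
2020-04-01T09:10:00 user=erin src=198.51.100.7 action=session_start result=success
2020-04-01T09:13:00 user=erin src=198.51.100.7 action=session_start result=success
2020-04-01T08:00:00 user=frank src=192.0.2.9 action=session_start result=success
2020-04-01T09:00:00 user=frank src=192.0.2.9 action=session_start result=success
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def parse_events(log_text):
    """Parse 'timestamp key=value ...' lines into dicts; 'ts' becomes a datetime."""
    return [{"ts": datetime.fromisoformat(ts), **dict(f.split("=", 1) for f in fields)}
            for ts, *fields in (line.split() for line in log_text.splitlines())]

def shared_ip_users(events, min_users=2):
    """Search 1: non-RFC1918 IPs seen by >= min_users users, with failures from that IP joined in."""
    by_ip = defaultdict(lambda: {"users": set(), "sessions": 0, "failures": 0})
    for ev in events:
        if ev["action"] != "session_start" or is_rfc1918(ev["src"]):
            continue  # only new session initiations from non-RFC1918 sources
        rec = by_ip[ev["src"]]
        if ev["result"] == "success":
            rec["users"].add(ev["user"])
            rec["sessions"] += 1
        else:
            rec["failures"] += 1
    return {ip: {**r, "users": sorted(r["users"])}
            for ip, r in by_ip.items() if len(r["users"]) >= min_users}

def repeated_sessions(events, window=timedelta(minutes=5)):
    """Search 2: users with >1 successful session inside any `window` (user -> close pairs)."""
    starts = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # chronological per user
        if ev["action"] == "session_start" and ev["result"] == "success":
            starts[ev["user"]].append(ev["ts"])
    return {user: n for user, times in starts.items()
            if (n := sum(1 for a, b in zip(times, times[1:]) if b - a <= window))}
```

On the sample data the first search surfaces 203.0.113.5 (two users, two sessions, one failure) while the private 10.1.2.3 pair is excluded, and the second flags only erin, whose two sessions are three minutes apart.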

 
