Forum Discussion

Altocumulus

Jul 23, 2024

Password spray attacks through BIGIP

Hello community, Need some help here. Our MSSP observed and notified us of successful password spray behavior from one of the self-IPs on our BIG IP resulting in the lockout of a significant n...

security

Lucas_Thompson

Employee

Jul 23, 2024

Some good initial actions probably are:

Determine the protocol used for the auth attempts sourced from your IP. Was it HTTP? Kerberos? RADIUS?
The most likely source for the traffic is someone accessing the internet through your BIG-IP. Does your config offer NATting for outbound arbitrary connections? If so, what is your acceptable use policies and auditing/logging policies for this service?
If your config does NOT offer NATing over the network, it is possible that you have an unauthorized user. The self-ips can be used to source connections from the control plane, depending on how the BIG-IP's routing is set up. Review this solution article:
https://my.f5.com/manage/s/article/K11438344

Forum Discussion

Password spray attacks through BIGIP

Recent Discussions

Microsoft 365 IP Steering python script

F5 Application common issues

Is network access bypassing APM logon pages?

<apm_do_not_touch> in JS file failing</apm_do_not_touch>

Suddenly Can't access Login Box to F5 LTM Via SSH & GUI

Related Content

The HTTP/2 CONTINUATION frame attack

iRule for Brute Force Password Guessing Attacks

Password Safety & Security: Passwords vs. Passphrases

Automate scp transfers using password

ESRP Strategies: DNS Water Torture Attack