Blocking brute force (dictionary) attacks with Web Application Firewall.

Description

This article applies only to brute force dictionary attacks against non-existent accounts (accounts not present in the SRA database) on portals that are not application-offloaded. The sole purpose of this kind of attack is to discover valid user account names and passwords.

Note: To block brute force attacks against existing user accounts, enable "Enable Administrator/user lockout" under System -> Administration.

Resolution

At present the Web Application Firewall cannot block brute force attacks against the SRA portals themselves; such attacks can only be blocked on Application Offloaded portals. This changes starting with firmware 8.1.0.2-12sv (hotfix 167949).

That firmware version adds an option to the Web Application Firewall called "Disable SRA exclusions", which removes this limitation.

[Image]

Below is a picture of a sample configuration that blocks a dictionary brute force attack against a Virtual Office portal.

[Image]

In the example above, any brute force attack attempting to discover valid user account names is blocked after 10 attempts, and the source is then locked out for 60 seconds. Both values can be adjusted as required.
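To make the "10 tries, then 60 seconds of lockout" behaviour concrete, here is an added example (not SonicWall code, and not a description of how the appliance implements the rule) that replays constructed login log lines through a small per-source lockout guard. The log format, the per-source-IP counting and the 60-second sliding window for counting attempts are assumptions made for the illustration; the article itself only states the threshold and the lockout duration.

```python
"""Added example: per-source login lockout, replayed over constructed log lines.
Not SonicWall code; the log format, per-source counting and the sliding window
used to count attempts are assumptions for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed (constructed) log format: one login attempt per line.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) portal=(?P<portal>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class LoginGuard:
    """Lock a source out for `lockout_seconds` once it has made `max_attempts`
    failed logins within `window_seconds` (the article's 10 tries / 60 seconds)."""

    def __init__(self, max_attempts=10, window_seconds=60, lockout_seconds=60):
        self.max_attempts = max_attempts
        self.window = timedelta(seconds=window_seconds)
        self.lockout = timedelta(seconds=lockout_seconds)
        self._failures = defaultdict(deque)   # src -> timestamps of recent failures
        self._locked_until = {}               # src -> time the lockout expires

    def is_locked(self, src, now):
        """True while the source's lockout is still in force."""
        until = self._locked_until.get(src)
        if until is None:
            return False
        if now < until:
            return True
        # Lockout has expired: forget it and start counting afresh.
        del self._locked_until[src]
        self._failures[src].clear()
        return False

    def record_failure(self, src, now):
        """Register a failed login; return True if this one triggers a lockout."""
        recent = self._failures[src]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()          # drop failures older than the window
        if len(recent) >= self.max_attempts:
            self._locked_until[src] = now + self.lockout
            return True
        return False


def process_log(lines, guard=None):
    """Replay log lines in order; return (src, user, action) per login attempt,
    where action is "allow" (request reached the portal) or "block"."""
    guard = guard or LoginGuard()
    decisions = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                  # not a login attempt; ignore
        now = parse_ts(m["ts"])
        src, user = m["src"], m["user"]
        if guard.is_locked(src, now):
            decisions.append((src, user, "block"))
            continue
        if m["result"] == "fail":
            guard.record_failure(src, now)
        decisions.append((src, user, "allow"))
    return decisions


# Constructed sample: one source guessing account names once a second, a second
# unrelated source, and the first source coming back after its lockout expired.
SAMPLE_LOG = [
    f"2024-05-01T10:00:{i:02d}Z portal=VirtualOffice src=203.0.113.5 user=guess{i} result=fail"
    for i in range(12)
] + [
    "2024-05-01T10:00:12Z portal=VirtualOffice src=198.51.100.7 user=alice result=fail",
    "2024-05-01T10:01:15Z portal=VirtualOffice src=203.0.113.5 user=guess99 result=fail",
]

if __name__ == "__main__":
    for src, user, action in process_log(SAMPLE_LOG):
        print(f"{action:5s} {src:14s} {user}")
```

Running it shows the first ten guesses from 203.0.113.5 reaching the portal (and failing), the eleventh and twelfth being blocked, the unrelated source unaffected, and the attacker allowed through again at 10:01:15 because the lockout that started at 10:00:09 ended at 10:01:09. Note that a lockout keyed on source address, as here, does nothing against an attacker who spreads the attempts across many addresses; that is why the note above about locking out existing accounts is a separate control.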
