Hi everyone,
As I have promissed that in this post will talk about penetration test to the application that reside behind F5 firewall to make our penetration testing a bit challenging and try to find another strategy on doing the penetration testing cycle.
Here below my environment setup
For initial I do not setup any WAF yet so it is plain like simple router. Also, I set allow any for both side to communicate freely
Here is the snapshot of my initial F5 configuration
Below is my network firewall rule which allow any to any
This is my virtual server configuration
Here is below my virtual server security setting
The initial setup of the above configuration is just to allow both side (External and Internal) to be able to communicate that allowing my kali linux to establish traffic to web application server.
At this time we will not see any different as our previous setup such let start a bit test
Web content discovery using gobuster
root@dragon:~# gobuster -u http://192.168.201.129 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 2 -q
output :
/index (Status: 200)
/upload (Status: 301)
/wordpress (Status: 301)
/robots (Status: 200)
/INSTALL (Status: 200)
/LICENSE (Status: 200)
/COPYING (Status: 200)
/CHANGELOG (Status: 200)
/server-status (Status: 403)
root@dragon:~#
let check with burpsuite, We can see that burpsuite has a better content discovery becuase it combine the force content discovery and its capability of crawling the web. So it has a better awareness.
So let configure the protection by enabling the F5 Application Security Manager DoS Protection. Why do we need to enable this ? The anti DoS function at F5 has the capability to detect the transaction per second generated from single IP so that it is become easier detecting the traffic fluctuation. During the content discovery the application will generate a very large amount of traffic to the server per second that will create traffic spike that make the network security device in between triggered to take action in this case is F5.
Lets configure the F5
- Create the DoS profile ( I have created the sample QuRArDOS)
2. Here is my simple configuration, This configuration is intended to detect the transaction per second (TPS). It will directly block all the request from the host/ip that detected as DOS generator. The criteria will check the traffic fluctuation when there is gap 5 times bigger (500%) then normal and detecting at least 40 TPS or it will check the transaction up to 200 TPS. When the criteria is meet then F5 will do the block all connection from the source IP. F5 will do the the analyses or escalation period up to 5 seconds whenever the escalation period is surpased then the source will be blocked 300 seconds (5 minutes)
3. Lets apply the DOS profile to the virtual server that we want to protect
- Go to and select the virtual server
- Go to security tab
- Select enable the DoS Protection Profile
- Choose the profile that we just created (QuRarDOS)
- Click update
After the profile is applied then we can try to do the content discovery again and lets see the differences
lets do gobuster
Gobuster is suddenly stop and after we retry the content discovery, the connection to the server is block by F5 due to high TPS is meet in the condition.
we can find the report says that there were few DoS is recorded in the F5 reporting section.
in the above report we can also see the figure of the attack happened, we can see that f5 can track the attack duration and how it mitigate the attack.
lets reduce the speed of the burp to do the discovery
By changing this value it will impact to the TPS, We can adjust it to the most effective value which can bypass the TPS detection in F5. To monitor the failed traffic, you can see burpsuite application log like below
if you find alot of abandoning discovery due to many errors it could be your connection to the server is block by F5, in this case you can adjust down the value that I circled.
We can see that by the implementation of F5, our scanning phase is not as easy as before again that we need to adjust some of our parameter to compromise the protection. Lets take some more exercise ..
Have a nice try
Cyber Security Architect | Red/Blue Teaming | Exploit/Malware Analysis 