The most powerful, extensible, customizable, TRUE DDoS, and TRUE Distributed Brute Force Prevention tool since 2012 (compare it, I dare you :D ) and now it handles all ports and protocols, not just HTTP/S!
BAIU is a (royalty-free) patent-pending, world-first rate limiter that has already saved Choice Hotels half a million dollars in digital theft in one year, reducing the losses from over $8,000 weekly to $0, i.e. 100% resolution. With proper configuration it has so far been able to boast 99.9999% accuracy while handling over 60,000 unique events daily.
Here are some FAQs and some general help for working with Project BAIU.
What does Project BAIU do?
BAIU actively monitors and/or restricts the ability of network-based entities, both humans and automated software, to access certain aspects of an internet-facing hosted site over periods of hours, days, weeks, or months. It offers multiple user-defined, variable control methods for restriction, event triggers, multiple methods of counting IP and/or UserID access, and multiple user-defined timing controls that set independent timing constraints for monitoring and for restricting IP/UserID access. It can monitor and restrict IPs and/or userIDs/strings using both a static and a dynamically distributed model.
Monitoring and restricting over customizable periods of time (hours, days, weeks, months) significantly reduces the daily chances of attacks. Rather than the "here and now" approach commonly used, BAIU registers, catalogs, analyzes, trends, and considers behavioral characteristics to determine the appropriate reaction. This is the core of the static monitoring and restriction functionality.
At this time BAIU only works on F5 networking appliances, as long as the F5 can process iRules, which is every appliance they have made regardless of licensing. A10 has developed a load balancer/WAF combo that supports iRules through conversion, and since this code is all TCL based it can theoretically be ported to virtually any system that supports TCL and a database.
Well, you need to import the iRules and then create the Data Groups listed in the comments of each iRule. Once that's done you can attach them to your VIPs.
You'll want to read through the comments; I was very verbose in most of them. This will give you an idea of the structure and how things work. To start with, everything is in a monitoring-only state, so no blocking can occur. You'll need to uncomment the #@# lines to enable blocking.
So you have them attached. Now you need to populate the Data Groups. The XXX_LOGIN_URI is the brute force URI for logins. The more advanced features take place here.
R8L_WWW (a starts_with match on the URI, so an entry of / matches ALL URIs under /) is for general rate limiting; however, I suggest not using / there. Instead use my tool for something more useful :)
R8L_URI (equals condition for a URI so only focuses on specific URIs) should be used for URIs that need dedicated focus.
XXX_LAN defines your local network, from which BAIU should allow command-and-control (CnC) access.
R8L_GOOD_UID is for good user IDs that you do not wish to track such as Gomez.
R8L_GOOD_IP is for IPs that you don't wish to track, such as your pen testers.
blacklist_IPs is where you put CIDRs/IPs to block permanently. The same goes for the other blacklist data groups, which are named for their function. Add more if you'd like :)
R8L_BAD_IP and R8L_BAD_UID are similar in function. They're an override that ensures rate limiting always applies to those entries. Not so useful, but it's a function.
R8L_PORT is the new feature for BAIU 4 Ports that covers all IP protocols, including (though not intended for) 80/443. This means ICMP, SSH, SFTP, LDAP, EIGRP, BGP, DNS, and really any protocol the F5 can comprehend. Score!
AWESOME!!! So I created all the Data Groups, but this thing just keeps counting. How do I tune the counts to something useful?
Excellent! Edit the values below in XXX_040_Tru_R8L_BAIU_v2.1. These are the total counts during a given window, so just watch the logs you get and determine a threshold from there. Let BAIU do that work for you ;)
# Total IP Requests allowed
set IPMaxReqs 4000000
# Total UID Requests allowed
set UIDMaxReqs 3000000
# Total URI Requests allowed
set URIMaxReqs 100000
# Total Site Requests allowed
set WWWMaxReqs 100000
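As an added illustration (this is not BAIU's own iRule code), the following HTTP_REQUEST iRule shows how the Data Groups described above (XXX_LAN, R8L_GOOD_IP, blacklist_IPs, the exact-match R8L_URI and the prefix-match R8L_WWW) are consulted, and how the XXXMaxReqs thresholds are compared against fixed-window counters kept in the F5 session table. The data group names are the ones listed in this FAQ; the window lengths (static::IPWindow, static::URIWindow), the "baiu_*" subtable names and the log prefix are placeholders chosen for this example, not BAIU's defaults. It follows the same convention as the project: monitoring only, with the blocking lines commented out behind #@#.

```tcl
# Added example, not BAIU's own code. Data group names follow the FAQ;
# window lengths and subtable names are assumed placeholders.
when RULE_INIT {
    # Thresholds from the FAQ: total requests allowed inside one window
    set static::IPMaxReqs  4000000
    set static::URIMaxReqs 100000
    set static::WWWMaxReqs 100000
    # Window lengths in seconds (assumed values, not BAIU's defaults)
    set static::IPWindow  3600
    set static::URIWindow 3600
}

when HTTP_REQUEST {
    set cip [IP::client_addr]
    set uri [HTTP::uri]

    # Exemptions: the management LAN and known-good IPs (pen testers,
    # synthetic monitors) are never counted
    if { [class match $cip equals XXX_LAN] || [class match $cip equals R8L_GOOD_IP] } {
        return
    }

    # Permanent blocks (CIDR/IP entries) take precedence over counting
    if { [class match $cip equals blacklist_IPs] } {
        log local0. "BAIU-example: blacklisted $cip requested $uri"
        reject
        return
    }

    # Per-IP counter across the whole site. The entry is created with an
    # indefinite idle timeout and a lifetime equal to the window, so it
    # expires a fixed time after the first hit no matter how often it is
    # touched; an idle timeout alone could be kept alive indefinitely.
    set ipcount [table lookup -subtable "baiu_ip" $cip]
    if { $ipcount eq "" } {
        table set -subtable "baiu_ip" $cip 1 indefinite $static::IPWindow
        set ipcount 1
    } else {
        set ipcount [table incr -subtable "baiu_ip" $cip]
    }

    # Scope the URI: R8L_URI is an exact match, R8L_WWW a prefix match,
    # so an R8L_WWW entry of "/" would put every URI in scope
    set scope ""
    set limit 0
    if { [class match $uri equals R8L_URI] } {
        set scope "uri"
        set limit $static::URIMaxReqs
    } elseif { [class match $uri starts_with R8L_WWW] } {
        set scope "www"
        set limit $static::WWWMaxReqs
    }

    # Per-IP, per-URI counter, keyed on both so one client cannot exhaust
    # another client's budget for the same URI
    set uricount 0
    if { $scope ne "" } {
        set key "$cip|$uri"
        set uricount [table lookup -subtable "baiu_$scope" $key]
        if { $uricount eq "" } {
            table set -subtable "baiu_$scope" $key 1 indefinite $static::URIWindow
            set uricount 1
        } else {
            set uricount [table incr -subtable "baiu_$scope" $key]
        }
    }

    # Monitor-only by default: log the event and let the #@# lines enable
    # blocking once thresholds have been tuned from the logs
    if { $ipcount > $static::IPMaxReqs || $uricount > $limit } {
        log local0. "BAIU-example: $cip over limit ip=$ipcount/$static::IPMaxReqs scope=$scope count=$uricount/$limit uri=$uri"
        #@# HTTP::respond 429 content "Rate limited" Retry-After $static::IPWindow
        #@# return
    }
}
```

Attach the iRule to a VIP with the four data groups defined (address type for XXX_LAN, R8L_GOOD_IP and blacklist_IPs; string type for R8L_URI and R8L_WWW), leave it in monitoring mode, and read the "over limit" log lines to decide on thresholds before uncommenting the #@# lines. Because the limit comparison sits entirely in the session table, the same pattern carries over to other events (for example CLIENT_ACCEPTED for non-HTTP ports), with a port or protocol string taking the place of the URI in the key.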
Alright, well I've got some thresholds figured out, but what if I want to change the timing period?
Have a blast! Below are the timing values you'll want to redefine if my defaults aren't good enough for you. They're all in seconds, and you can look up the XXX_040_Tru_R8L_BAIUv2.1 references to these values to determine what you'd like to change.