Project BAIU

The most powerful, extensible, customizable, TRUE DDoS, and TRUE Distributed Brute Force Prevention tool since 2012 (compare it, I dare you :D ) and now it handles all ports and protocols, not just HTTP/S!

Get It!

DOWNLOADS

Download Project BAIU and get it running on your F5s today!

BAIU will actively monitor, and/or restrict the ability of network based entities, both human and automated software, accessing certain aspects of a hosted site that is viewable on the internet over periods of hours, to days, to weeks, to months with multiple, user-defined, variable control methods for restriction, event triggers, multiple methods of counting IP and/or UserID access, and multiple variable, user-defined timing controls that set independent timing constraints for monitoring and restricting IP/UserID access. It is capable of monitoring and restricting via a static and dynamically distributed model when monitoring and restricting IPs and/or userID/strings. Monitoring and restricting over customizable periods of time (hours, days, weeks, months) significantly reduces the daily chances of attacks. Rather than the "here and now" approach commonly used, BAIU registers, catalogs, analyzes, trends, and considers behavioral characteristics to determine the appropriate reaction. This is the core of the static monitoring and restriction functionality. At this time BAIU only works for the F5 networking appliances as long as the F5 can process iRules which is every appliance they made regardless of licensing. A10 has developed a load balancer/WAF combo that support iRules through conversion and this code is all TCL based so theoretically it can be ported to virtually any system that supports TCL and a database.

Project BAIU F5 iRules updated: 2023-03-26

F5 iRules (core of BAIU):

We've since uploaded Project BAIU and the WHOIS DB on GitHub however we'll continue to keep it up to date here as well :)

GitHub Repository for WAF Logic & Project BAIU @ https://github.com/WAFLogic

I've done quite a bit of updates to BAIU including additional logic to take out attackers faster if they continuously fail, exhonerate good users who only Successfully Authenticate resulting in them being removed from the tracking tables as they continue to be good users. The standard rate limits apply for a mix of Success/Failures and even if a source has had consistent Successful Authentication for years, if they begin "Breaking Bad", then BAIU will treat them as such.

I've further enhanced BAIU's TCP/UDP based with extra focus on DNS rate limiting / (D)DoS Detection/Prevention. It now tracks DNS records and choice records that are known to be malicious can be added to instantly block. Once blocked for any single category of (D)DoS) Mitigation DNS, TCP, UDP, HTTP/S, Auth, etc. the Attacker is then Blocked on ALL service categories protected by BAIU.

With the TCP/UDP (D)DoS enhancements, throttling and/or mitigation can be applied to trusted traffic such as SMTP/S, IMAP/S, POP3/S, S/FTP, SSH, etc. so a trusted client may use the services however they can be throttled by user defined thresholds or denied access per schedules, thresholds, etc.

Currently 4 Fortune 100 companies leverage Project BAIU to protect their web sites, specifically their Authentication sites and to date have had ZERO ATO (Account Take Over) events since we introduced Project BAIU; Over 20 years combined success!

I currently use Project BAIU to protect my HTTP/S, SMTP/S, IMAPS, SSH, & SFTP with excellent results :)

BAIU is fairly well documented throughout the code with each function having explanations about how they work. I did have VERY thorough documentation once but the documentation we wrote was under an NDA so while my code is NDA free, the documentation we wrote was not :D I am more than willing to assist you if you'd like to set this up though. Just let me know!

The WAF Guy

thewafguy@waflogic.com

Below are the 3 key flavors of Project BAIU. They are as follows:

The HTTP/S (D)DoS Mitigation version focused on Authentication and General Web Security

XXX_010_TIP_BAIU_v2.1

XXX_020_Blacklist_IP_UserAgent_Referer_BAIU

XXX_030_UIDExtractAllSites_AddHeader_BAIUv2.2

XXX_040_Tru_R8L_BAIUv2.1

XXX_050_CnC_BAIU_v2

The TCP (D)DoS Mitigation version that protects TCP based services such as SMTP/S, IMAP/S POP3/S S/FTP, SSH, etc.

XXX_010_TIP_BAIU_DNS_4Ports

XXX_020_Blacklist_DNS_BAIU_4Ports

XXX_030_Extract_DNS_BAIU_4Ports

XXX_040_Tru_R8L_DNS_BAIU_4Ports

XXX_050_CnC_BAIU_v2

The DNS/UDP (D)DoS Mitigation version that protects DNS/UDP based services. It covers UDP in general and the Enhanced Features are for DNS

XXX_010_TIP_BAIU_TCP_4Ports

XXX_020_Blacklist_TCP_BAIU_4Ports

XXX_030_Extract_TCP_BAIU_4Ports

XXX_040_Tru_R8L_TCP_BAIU_4Ports

XXX_050_CnC_BAIU_v2

Shell Scripts for Syncing Tracking and Blocking Stats across multiple F5s:

Fortunately these scripts haven't required any updates since I originally wrote them. The goal was a universal script that will work on any version of F5 and thus far 11 years later, they still work as designed.

Ban List Sync for 1st WAF

Ban List Sync for 2nd WAF

ReqCnt 10min Sync for 1st WAF

ReqCnt 10min Sync for 2nd WAF

ReqCnt_Hourly Sync for 1st WAF

ReqCnt_Hourly Sync for 2nd WAF

Rolling Ban Sync for 1st WAF

Rolling Ban Sync for 2nd WAF

Week Counts Sync for 1st WAF

Week Counts Sync for 2nd WAF

#########################################################################################