Here are some FAQs and some general help for working with Project BAIU
What does Project BAIU do?
BAIU actively monitors and/or restricts the ability of network-based entities, both humans and automated software, to access certain aspects of an internet-facing hosted site over periods of hours, days, weeks or months. It provides multiple user-defined, variable control methods for restriction, event triggers, multiple methods of counting IP and/or UserID access, and multiple variable, user-defined timing controls that set independent timing constraints for monitoring and restricting IP/UserID access. It can monitor and restrict IPs and/or UserIDs/strings through both a static and a dynamically distributed model.
Monitoring and restricting over customizable periods of time (hours, days, weeks, months) significantly reduces the daily chances of attacks. Rather than the "here and now" approach commonly used, BAIU registers, catalogs, analyzes, trends, and considers behavioral characteristics to determine the appropriate reaction. This is the core of the static monitoring and restriction functionality.
####################################################################
What does Project BAIU work on?
At this time BAIU only works on F5 networking appliances, as long as the F5 can process iRules, which is every appliance they make regardless of licensing. A10 has developed a load balancer/WAF combo that supports iRules through conversion, and this code is all TCL based, so in theory it can be ported to virtually any system that supports TCL and a database.
####################################################################
These sound fantastic, but.... How do I use them?
You need to import the iRules and then create the Data Groups listed in the comments of each iRule. Once that's done you can attach them to your VIPs.
You'll want to read through the comments; I was very verbose about most of them. This will give you an idea of the structure and how things work. To start with, everything is in a monitoring-only state, so no blocking can occur. You'll need to uncomment the #@# lines to enable blocking.
So you have them attached. Now you need to populate the Data Groups. XXX_LOGIN_URI holds the login URI(s) covered by brute-force protection; the more advanced features take place here.
R8L_WWW (a starts_with match on the URI, so ALL URIs under / if you put that in there) is for general rate limiting; however, I suggest not using /. Instead use my tool for something more useful :)
R8L_URI (an equals match on the URI, so it only covers specific URIs) should be used for URIs that need dedicated focus.
XXX_LAN defines your local network, from which BAIU allows CnC control.
R8L_GOOD_UID is for good user IDs that you do not wish to track, such as Gomez.
R8L_GOOD_IP is for IPs you don't wish to track, such as your pen testers.
blacklist_IPs is where you put CIDRs/IPs to permanently block. The same goes for the other blacklist data groups, which are named for their function. Add more if you'd like :)
R8L_BAD_IP and R8L_BAD_UID are similar in function: they're an override that ensures rate limiting always applies to those entries. Not so useful, but it's a function.
R8L_PORT is the new feature for BAIU 4 Ports, which covers all IP protocols, including but not primarily intended for 80/443. That means ICMP, SSH, SFTP, LDAP, EIGRP, BGP, DNS, and really any protocol the F5 can comprehend. Score!
####################################################################
AWESOME!!! So I created all the Data Groups but this thing just keeps counting.... How do I tune the counts to something useful?
Excellent! Edit the values below in XXX_040_Tru_R8L_BAIU_v2.1. These are the total counts allowed during a given window, so watch the logs you get and determine a threshold from there. Let BAIU do that work for you ;)
# Total IP Requests allowed
set IPMaxReqs 4000000
# Total UID Requests allowed
set UIDMaxReqs 3000000
# Total URI Requests allowed
set URIMaxReqs 100000
# Total Site Requests allowed
set WWWMaxReqs 100000
####################################################################
Alright, well, I got some thresholds figured out, but what if I want to change the timing period?
Have a blast! Below are the timing values you'll want to redefine if my defaults aren't good enough for you. They're all in seconds, and you can look up the references to these values in XXX_040_Tru_R8L_BAIUv2.1 to determine what you'd like to change.
# Used for WWW banning
# Requests within X seconds
set WTime 1800
# Ban X seconds
set WWWB 600
# Used for standard banning
# Requests within X seconds
set STime 115200
# Ban X seconds
set StdB 194400
# Used for short banning
# Requests within X seconds
set HTime 108000
# Ban X seconds
set HalfB 57600
# Used for longer duration banning
# Banned events within X seconds
set LTime 691200
# Total banned events
set MaxBs 0
# Ban X seconds
set LongB 453600
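To show how the Data Groups from the "How do I use them?" section and the count and timing values above fit together, here is an added iRule example. It is not BAIU's own code and is deliberately simpler than BAIU: it keeps a single per-client-IP counter instead of BAIU's separate IP/UID/URI/WWW counters, and it scales the timers down so the behaviour can be watched in a lab. It assumes that XXX_LAN, R8L_GOOD_IP, blacklist_IPs and R8L_BAD_IP are address-type data groups, that R8L_GOOD_UID, R8L_BAD_UID, XXX_LOGIN_URI and R8L_URI are string data groups, and that the user ID is carried in a cookie named UID; all of those are assumptions, not BAIU's conventions.

```tcl
# Added example, not BAIU's own code. Assumptions: address-type data groups
# XXX_LAN, R8L_GOOD_IP, blacklist_IPs, R8L_BAD_IP; string data groups
# R8L_GOOD_UID, R8L_BAD_UID, XXX_LOGIN_URI, R8L_URI; user ID in a cookie
# named "UID"; timers scaled down from the page defaults for lab use.
when RULE_INIT {
    set static::IPMaxReqs 20      ;# requests allowed per window (page default 4000000)
    set static::STime 60          ;# counting window in seconds (page default 115200)
    set static::StdB 120          ;# standard ban in seconds (page default 194400)
    set static::LTime 600         ;# window for counting ban events (page default 691200)
    set static::MaxBs 2           ;# ban events tolerated inside LTime (page default 0)
    set static::LongB 1800        ;# long ban in seconds (page default 453600)
}

when HTTP_REQUEST {
    set client [IP::client_addr]
    set uri [HTTP::uri]
    set uid [HTTP::cookie value "UID"]

    # Permanent blocks first: blacklist_IPs is never counted, just dropped.
    if { [class match $client equals blacklist_IPs] } {
        drop
        return
    }
    # Sources that are never tracked: the LAN BAIU is managed from,
    # pen testers, and synthetic monitors identified by user ID.
    if { [class match $client equals XXX_LAN] ||
         [class match $client equals R8L_GOOD_IP] ||
         ($uid ne "" && [class match $uid equals R8L_GOOD_UID]) } {
        return
    }
    # Only login URIs and URIs listed for dedicated focus (exact match) are
    # counted, unless an override list forces tracking for this client.
    set forced [expr { [class match $client equals R8L_BAD_IP] ||
                       ($uid ne "" && [class match $uid equals R8L_BAD_UID]) }]
    if { !$forced && ![class match $uri equals XXX_LOGIN_URI]
                  && ![class match $uri equals R8L_URI] } {
        return
    }

    # An active ban record refuses the request without counting it.
    if { [table lookup -subtable "bans" $client] ne "" } {
        set left [table lifetime -subtable "bans" -remaining $client]
        HTTP::respond 429 content "Too many requests" "Retry-After" $left
        return
    }

    # Count the request. The entry lives for STime and then expires on its
    # own, so the window resets without any cleanup code.
    set hits [table incr -subtable "reqs" $client]
    if { $hits == 1 } {
        table timeout -subtable "reqs" $client indefinite
        table lifetime -subtable "reqs" $client $static::STime
    }
    if { $hits <= $static::IPMaxReqs } {
        return
    }

    # Threshold exceeded: record a ban event. More than MaxBs events inside
    # LTime escalates the ban from StdB to LongB.
    set events [table incr -subtable "banevents" $client]
    if { $events == 1 } {
        table timeout -subtable "banevents" $client indefinite
        table lifetime -subtable "banevents" $client $static::LTime
    }
    set length [expr { $events > $static::MaxBs ? $static::LongB : $static::StdB }]
    table set -subtable "bans" $client $length indefinite $length
    table delete -subtable "reqs" $client
    log local0. "BAIU-example: $client sent $hits requests to $uri within $static::STime s; ban event $events, banned $length s"
    HTTP::respond 429 content "Too many requests" "Retry-After" $length
}
```

The order of the checks is the point: permanent blocks come before the exclusions, exclusions come before any counting, and the override lists only widen what gets counted. Keeping the counters in session-table subtables with a lifetime equal to the window means the F5 expires them itself, which is what lets the longer windows above (days to weeks) work without any scheduled cleanup.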
####################################################################
What is with the weird logo for BAIU?
This is a vase depicting Hercules/Heracles fighting off the Hydra during his second labor. As you review the code, you'll see there are a lot of Greek/Roman mythology references in the various functions I designed, and it certainly was a labor. Through the blood and sweat I came out victorious though! Fighting off a true DDoS attack is much like fighting off a Hydra. However, with BAIU it's effortless. You get to kick back and watch the show while BAIU gives the beat down for you :)
If you like mythology, this is an excellent article, including the history of the vase in my logo.
https://www.theoi.com/Ther/DrakonHydra.html
####################################################################
I just want your codez! I'm SmartZ n KnowZ how to do thingZ. All Your DownloadZ Are Mine!
Email us if you have any questions!