Brute Force protection for single parameter like OTP

Brute Force Protection for single parameter

This can be achieved with the help of ASM Data Guard & Session tracking

1. Log all request & response to record valid OTP request & invalid OTP request/response. This is just to record request & response. After recording request & response, you should remove Log All request profile from virtual server.  
2. From invalid OTP response, identify unique response
For eg - FAILED or Mobile number not registered
3. Configure this unique response in Data Guard Custom pattern so that firewall will track session based on that

4. Configure URL which sends OTP parameter at Data Guard Protection Enforcement Enforced URLs

5. Now go to session tracking, Enable Session Awareness, Track Violations and Perform Actions, mention violation detection period 60 seconds. you can change this time as per recommendation by your security team
6. In session tracking, go to Delay Blocking , enable Session threshold to 3 violation. It means 3 violations in 60 seconds will be ignored or 3 violations in 60 seconds will not be blocked
7. Enable IP Address threshold to 20 , it means if any IP will be blocked after 20 violations
8. In Associated Violations, Select Data Guard:Information leakage detected



Published Jul 19, 2022
Version 1.0

Was this article helpful?


  • Nice work. Don't forget to check Learning and Blocking settings for Data Guard.

  • An awsome article that has so many use cases ! One of them for me is the PIN guessing bank attack as in this the PIN is usually in a single parameter.

    The attacker tries to create a co-browsing connection with the agent. To do this, the attacker hopes to guess the PIN that the collaboration server uses to verify the connection between the visitor and the agent. By default, this is a six-digit number. If the attacker types the PIN before the visitor does, the collaboration server will create the co-browsing connection between the attacker and the agent.

    There are a number of ways the attacker might learn the PIN:

    • By guessing, that is, by repeatedly connecting to the collaboration server using different PINs, until a number used by the attacker matches one used by the collaboration server.

    • By intercepting the PIN when it’s transmitted via telephone. This can be done in various ways, for example by hacking a phone or by listening in on the conversation.

    • By intercepting the PIN when it’s transmitted over the network after the visitor has entered it.