
I have created a micro-service app relying on simple functions as a service. Since this app is API based, I distribute tokens in exchange for some personal login info (OAuth or login/password).

Just to be clear, developers will then access my app using something like: https://example.com/api/get_ressource?token=personal-token-should-go-here

However, my server and application logic still gets hit even if the token is not provided, meaning anonymous attackers could flood my services without login, taking my service down.

I came across WAFs recently and they promise to act as a middle-man, filtering abusive attacks. My understanding is that a WAF is just reverse-proxying my API and applies some known attack pattern filters before delegating a request to my actual backend.

What I don't really get is: what if an attacker has direct access to my backend's IP?! Wouldn't he be able to bypass the WAF and DDoS my backend directly? Does WAF protection only rely on my origin IP not being leaked?

Finally, I have read that a WAF only makes sense if it is able to mitigate DDoS through a CDN in order to spread Layer 7 DDoS attacks across multiple servers and bandwidth if needed. Is this true, or can I just implement a WAF myself?

Jona Rodrigues
  • If you are talking about WAF from AWS, it will be "attached" to your ELB, so your backend will not be exposed directly, which means no one will be able to bypass the WAF. Now if you are talking about a third party WAF, then you need to make sure your backend can be available only to this third party WAF, like using a security group. In my personal opinion everything that is public on the internet should be protected by a WAF. Using a commercial WAF solution, like the one from Cloudflare, is much better than handling it by yourself; they are professionals at it, but it is not free. – Azize Aug 03 '19 at 00:54
  • I am not into free as I think DDoS might cost me more if not handled properly. That being said, it is rather my understanding of WAF that is in cause. Say I use Cloudflare like you suggested, would it protect my origin servers 100% EVEN with my origin IP leaked? Essentially, even if I set up a security group to whitelist Cloudflare's IPs only, my understanding is that my origin server would still be a target of DDoS attacks forcing it to answer with an "authorized" response. Correct? – Jona Rodrigues Aug 03 '19 at 02:30
  • If you whitelist only your WAF with a security group, your instance will not receive a single request or packet from any attacker; your backend will never know you are under attack. In this case AWS is the one who will suffer, not you. Research Argo Tunnel; in this case you will not even have a listening port on your host. – Azize Aug 03 '19 at 03:35
  • Just to clarify, WAF protects you much more than just DDoS. – Azize Aug 03 '19 at 03:41
  • Thanks for your lights @Azize. You say `If you whitelist [...] your instance will not receive any single request`. This is the part I don't get. If someone even pings my whitelisted server, who is responsible for handling the request and rejecting it? I guess this is my server anyway. This is my concern: I don't get how a whitelist can prevent an attacker from sending requests. Isn't there any overhead in handling non-authorized IP rejection? – Jona Rodrigues Aug 03 '19 at 18:49
  • If we are talking about AWS security groups, no, it is not your server; it is AWS infrastructure that handles security groups. It is the same when companies use corporate firewalls: the one that blocks the request is the firewall itself, not the host behind it. In your example the host will only receive the ping request if the security group allows it to pass; otherwise the request will be blocked and your host will not know about the request at all. – Azize Aug 03 '19 at 22:52
  • Sorry, maybe I am not clear enough. Say the public IP of the firewall is `1.2.3.4` and my server's public IP is `5.6.7.8`. I understand perfectly that if someone issues `ping example.com`, the firewall will prevent `5.6.7.8` from being hit. However, if someone issues `ping 5.6.7.8`, my assumption is that `5.6.7.8` needs to respond with something (even just something like "not authorized"), right? Again, thank you for your patience on this :) – Jona Rodrigues Aug 04 '19 at 16:57
  • That is the point: your instance will not have a public IP, only your ELB with WAF will have it. If you have your instance behind the ELB, why do you need a public IP on it? – Azize Aug 05 '19 at 12:24
  • Got it. It makes sense for AWS since both servers sit in the same network, so the WAF can reach the origin server without it being public. My misunderstanding comes from the fact that some 3rd party WAFs you mentioned (like Cloudflare) sit in another network and will require my origin server to open a public port for the WAF to forward requests. But that leads me to conclude 3rd party WAFs are not useful since an attacker can bypass the WAF to flood the publicly opened port if leaked. Thank you for your explanations @Azize, feel free to create an answer I can check as correct :) – Jona Rodrigues Aug 05 '19 at 16:19
  • Even with a 3rd party solution you can have this kind of protection. Let me quote Cloudflare Argo Tunnel: `"Protect Your Web Servers from Direct Attack"`. Don't worry about the answer, it is OK. – Azize Aug 05 '19 at 16:47
  • https://www.cloudflare.com/products/argo-tunnel/ – Azize Aug 05 '19 at 16:48
  • Ok that is definitely the answer to all my doubts. THANK YOU !! – Jona Rodrigues Aug 05 '19 at 22:33
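To make the thread's distinction concrete, here is an added example (not from the question, the comments, or any provider) of what an origin would have to do if it enforced the "only the WAF may talk to me" rule on the host itself, plus the token gate from the question's `?token=` URL scheme. The proxy CIDRs are constructed placeholders standing in for the provider's published ranges; the point of the comments is that a security group or a tunnel makes this `dropped` decision before the packet ever reaches the host, whereas here the host still pays for every drop.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed placeholder ranges for the WAF/CDN provider's egress addresses.
# A real deployment loads the provider's published list instead.
PROXY_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]


def from_proxy(src_ip: str) -> bool:
    """True only if the packet's source address belongs to the WAF/proxy."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in PROXY_RANGES)


def classify(src_ip: str, url: str) -> str:
    """Outcome for one request, decided before any application logic runs.

    'dropped'   : source is not the proxy (a direct hit on the origin IP)
    'rejected'  : came via the proxy but has no token -> cheap 401, no app logic
    'forwarded' : has a token; only now is the backend function invoked
    """
    if not from_proxy(src_ip):
        return "dropped"
    token = parse_qs(urlsplit(url).query).get("token", [""])[0]
    if not token:
        return "rejected"
    return "forwarded"


def tally(requests):
    """Count outcomes over an iterable of (src_ip, url) pairs."""
    counts = {"dropped": 0, "rejected": 0, "forwarded": 0}
    for src_ip, url in requests:
        counts[classify(src_ip, url)] += 1
    return counts


# Constructed sample traffic: two direct-to-origin hits (one even carrying a
# valid-looking token), one proxied hit without a token, one legitimate call.
SAMPLE = [
    ("192.0.2.10", "https://example.com/api/get_ressource"),
    ("192.0.2.11", "https://example.com/api/get_ressource?token=abc"),
    ("198.51.100.7", "https://example.com/api/get_ressource"),
    ("198.51.100.7", "https://example.com/api/get_ressource?token=abc"),
]

if __name__ == "__main__":
    print(tally(SAMPLE))  # {'dropped': 2, 'rejected': 1, 'forwarded': 1}
```

Note that a token presented from a non-proxy source is still dropped: the origin never evaluates credentials on traffic that bypassed the WAF.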

1 Answer


Go with the cloud: you can deploy your app to AWS, and there are 2 plus points to this. 1. Your prod server will be behind a private IP, not a public IP. 2. AWS WAF is a budgeted service, and good for blocking DoS, scanner, and flood attacks.

You can also use a captcha on failed attempts to block IPs.

Jay seen