Google Cloud Armor — Part 3

Sri Abirami K S
3 min read · May 22, 2023


This series on Google Cloud Armor is written in three parts.
This blog covers Part 3, which includes:
- Adaptive Protection
- Preconfigured WAF rule
- Rate Limiting

Adaptive Protection

Adaptive Protection protects web applications and services against Layer 7 distributed denial-of-service (DDoS) attacks. It is based on a machine learning (ML) model.
It does the following:

  • Detects and alerts on potential attacks.
  • Generates a signature that matches the potential attack (Managed Protection Plus tier only).
  • Generates a custom rule to block the potential attack (Managed Protection Plus tier only).

It can be enabled or disabled per security policy.

In Security Command Center, the potential-attack alerts raised by Adaptive Protection appear as findings.

Preconfigured WAF rule

Preconfigured WAF rules are rules made up of dozens of signatures. Each signature corresponds to an attack-detection rule (i.e., a regex pattern) in the ModSecurity Core Rule Set (CRS).

Each signature in Cloud Armor has a sensitivity level that corresponds to the ModSecurity paranoia level, so users can choose a sensitivity from 0 to 4.

  • 0 → No rules are enabled by default.
  • 1 → A baseline security level that minimizes the need to tune away false positives.
  • 2 → Suitable for protecting customer data in real-world scenarios. Expect false positives and learn how to address and mitigate them.
  • 3 → Suitable for security comparable to online banking, but with a higher rate of false positives.
  • 4 → Suitable for extremely high strength, providing sufficient protection for highly valuable assets. Use with caution and expect a significant number of false positive detections.

Tune the rule to reduce false positives. The possible ways to tune the rule are shown below.

Rate Limiting

Rate limiting enforces limits on incoming traffic based on defined criteria, such as the number of requests per second or per minute, to protect applications from excessive or malicious traffic.

It helps prevent denial-of-service attacks, brute-force attacks, and other forms of abuse that can overwhelm an application's resources.

Cloud Armor offers two types of rate limiting:

  1. Throttle → Around 20% of the client's traffic is limited until the allowed number of requests reaches or falls below the threshold.
  2. Rate-based ban → Clients who exceed the limit are temporarily banned: the specified "exceed_action" is applied to all their requests for a predetermined duration.

The parameters of a rate limiting rule are described below.

  • rate_limit_threshold → Minimum 1 and maximum 10,000 requests allowed per client within one "interval_sec".
    interval_sec = [10, 30, 60, 120, 180, 240, 300, 600, 900, 1200, 1800, 2700, 3600]
  • exceed_action → Once a client's requests exceed the "rate_limit_threshold", Google Cloud Armor applies the specified "exceed_action".
    exceed_action = [deny(status), redirect]
    deny(status) →
    Requests are denied with one of the status codes = [403 (Forbidden), 404 (Not found), 429 (Too many requests), 502 (Bad gateway)]
    redirect →
    Based on the "exceed_redirect_options", the request is redirected either to reCAPTCHA Enterprise for assessment or to a different URL.
  • exceed_redirect_options → Specifies the redirect behaviour when the "exceed_action" is redirect.
    type = [GOOGLE_RECAPTCHA, EXTERNAL_302]
    target =
    Target URL when the type is EXTERNAL_302
  • conform_action → The action applied while the request count is below the "rate_limit_threshold". It is always an "allow" action.
  • ban_duration_sec → The extra number of seconds, after the "interval_sec" has passed, during which a client remains banned.
    ban_duration_sec = [60, 120, 180, 240, 300, 600, 900, 1200, 1800, 2700, 3600]
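To make the parameters above concrete, here is an added Python example (not Cloud Armor's code and not from the original post) that models both rule types with a fixed-window counter per client and replays a constructed burst of traffic through each. The window model, the client address 203.0.113.7 and the timestamps are assumptions for illustration; the parameter checks and the "ban lasts for the rest of the interval plus ban_duration_sec" behaviour follow the descriptions in this post.

```python
"""Toy model of the two Cloud Armor rate-limiting rule types.

Added example, not Cloud Armor's own code: a fixed-window counter per client
that applies the parameters listed in the post (rate_limit_threshold,
interval_sec, exceed_action, conform_action, ban_duration_sec). The real
product counts per enforce_on_key across a distributed edge; this only shows
the observable difference between "throttle" and "rate_based_ban".
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Allowed values exactly as listed in the post.
INTERVALS = {10, 30, 60, 120, 180, 240, 300, 600, 900, 1200, 1800, 2700, 3600}
BAN_DURATIONS = {60, 120, 180, 240, 300, 600, 900, 1200, 1800, 2700, 3600}
DENY_STATUSES = {403, 404, 429, 502}


@dataclass(frozen=True)
class RateLimitRule:
    action: str                 # "throttle" or "rate_based_ban"
    rate_limit_threshold: int   # requests allowed per client per interval_sec
    interval_sec: int
    exceed_action: str          # "deny(<status>)" or "redirect"
    conform_action: str = "allow"
    ban_duration_sec: int = 0   # rate_based_ban only

    def __post_init__(self) -> None:
        """Reject parameter values outside the ranges given in the post."""
        if self.action not in ("throttle", "rate_based_ban"):
            raise ValueError(f"unknown rate limit action {self.action!r}")
        if not 1 <= self.rate_limit_threshold <= 10_000:
            raise ValueError("rate_limit_threshold must be 1..10000")
        if self.interval_sec not in INTERVALS:
            raise ValueError(f"interval_sec {self.interval_sec} not allowed")
        if self.conform_action != "allow":
            raise ValueError("conform_action is always allow")
        if self.exceed_action.startswith("deny(") and self.exceed_action.endswith(")"):
            if int(self.exceed_action[5:-1]) not in DENY_STATUSES:
                raise ValueError(f"deny status not allowed: {self.exceed_action}")
        elif self.exceed_action != "redirect":
            raise ValueError(f"unknown exceed_action {self.exceed_action!r}")
        if self.action == "rate_based_ban" and self.ban_duration_sec not in BAN_DURATIONS:
            raise ValueError(f"ban_duration_sec {self.ban_duration_sec} not allowed")


@dataclass
class _ClientState:
    window_start: float
    count: int = 0
    banned_until: float = 0.0


class RateLimiter:
    """Applies one RateLimitRule to a stream of (client, timestamp) requests."""

    def __init__(self, rule: RateLimitRule) -> None:
        self.rule = rule
        self._clients: Dict[str, _ClientState] = {}

    def handle(self, client: str, t: float) -> str:
        r = self.rule
        st = self._clients.setdefault(client, _ClientState(window_start=t))
        # A banned client receives exceed_action for every request until the ban lifts.
        if t < st.banned_until:
            return r.exceed_action
        # Fixed window (assumption): start a fresh count once interval_sec has elapsed.
        if t - st.window_start >= r.interval_sec:
            st.window_start, st.count = t, 0
        st.count += 1
        if st.count <= r.rate_limit_threshold:
            return r.conform_action
        if r.action == "rate_based_ban":
            # Ban covers the rest of the interval plus ban_duration_sec, as the post describes.
            st.banned_until = st.window_start + r.interval_sec + r.ban_duration_sec
        return r.exceed_action


def simulate(rule: RateLimitRule, requests: List[Tuple[str, float]]) -> List[str]:
    """Return the action applied to each request, in order."""
    limiter = RateLimiter(rule)
    return [limiter.handle(client, t) for client, t in requests]


# Constructed traffic (sample data, not real logs): one client bursts 15 requests
# in 7 seconds, then comes back at 70 s, 200 s and 400 s.
TRAFFIC = [("203.0.113.7", i * 0.5) for i in range(15)] + [
    ("203.0.113.7", 70.0), ("203.0.113.7", 200.0), ("203.0.113.7", 400.0)]

THROTTLE = RateLimitRule("throttle", 10, 60, "deny(429)")
BAN = RateLimitRule("rate_based_ban", 10, 60, "deny(429)", ban_duration_sec=300)


def summarize(rule: RateLimitRule) -> Dict[str, int]:
    """Count how many requests were allowed vs. received the exceed_action."""
    actions = simulate(rule, TRAFFIC)
    return {"allow": actions.count("allow"),
            rule.exceed_action: actions.count(rule.exceed_action)}


if __name__ == "__main__":
    for rule in (THROTTLE, BAN):
        print(rule.action, summarize(rule))
```

With the throttle rule the same client is allowed again as soon as a new interval starts (the request at 70 s passes), whereas with the rate-based ban every request is denied until 60 s + 300 s have elapsed, so only the request at 400 s passes. In the real API a rate-based ban rule also carries a separate ban_threshold that decides when the ban starts; this toy triggers the ban on rate_limit_threshold itself to stay within the parameters described in this post.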

Conclusion:

Google Cloud Armor offers many more interesting features, such as Threat Intelligence, named IP address lists and bot management. True to its name, it shields applications and services against cyber-attacks.


Sri Abirami K S

Sri Abirami is a cybersecurity consultant. She has worked as an ETL quality analyst and full-stack developer. She is a trained classical dancer and singer.