Automating Security Operations — Detecting and Permanently Blocking Abusive Clients.

Ranjan
Nestaway Engineering
4 min read · Apr 27, 2019
As the world is increasingly interconnected, everyone shares the responsibility of securing cyberspace — Newton Lee

Automating security operations is a tough task, but it can make a security engineer's life much easier. At NestAway, our security team tries to automate every possible task. This article describes how we at NestAway automated the blocking of abusive clients using AWS-WAF and Sqreen.

What's AWS-WAF & Sqreen? 🤔

AWS-WAF:-
AWS WAF is a web application firewall (which can be integrated with Application Load Balancers, CloudFront distributions and API Gateways) that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS-WAF consists of Conditions, Rules and ACLs. A rule is built from one or more conditions. Finally, the rule is attached to an ACL to block, allow or count the traffic that matches it.
For example:
Condition-1 :- If request.method is "OPTIONS"
Condition-2 :- If request.headers["Origin"] is blank
Rule-1 :- Condition-1 AND Condition-2, i.e. if request.method is "OPTIONS" AND request.headers["Origin"] is blank.
ACL :- If any request matches Rule-1, block the request (Action=Block & Response=403)
Now, two important things to note here:-
- AWS-WAF stores allowed, blocked and counted requests for 3 hours, which means a request blocked by AWS-WAF at 10 AM will be available in the WAF dashboard until 1 PM.
- AWS-WAF only works with request.ip. WAF cannot block on the X-Forwarded-For IP, though it can detect it. For example, if you serve your traffic through a proxy, WAF will record the edge server's IP, and for such requests you should fetch request.headers['X-Forwarded-For'] to find the real client.
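To make the rule/ACL logic and the X-Forwarded-For caveat concrete, here is an added example in plain Ruby (it is not NestAway's code and does not use the AWS SDK). It models Condition-1, Condition-2, Rule-1 and the ACL decision from the text, and then shows how to pick the client address when the connecting peer is your own proxy: only the X-Forwarded-For entry appended by a proxy you trust is reliable, since anything further left in that header is supplied by the client and can be forged. The request shape, the `TRUSTED_PROXIES` range and all addresses are constructed assumptions.

```ruby
require 'ipaddr'

# Condition-1: the HTTP method is OPTIONS (compared case-insensitively here).
def condition_options?(request)
  request[:method].to_s.casecmp('OPTIONS').zero?
end

# Condition-2: the Origin header is missing or empty.
def condition_blank_origin?(request)
  request.fetch(:headers, {})['Origin'].to_s.strip.empty?
end

# Rule-1 = Condition-1 AND Condition-2.
def rule_1?(request)
  condition_options?(request) && condition_blank_origin?(request)
end

# ACL: block with a 403 when Rule-1 matches, otherwise allow.
def acl_decision(request)
  rule_1?(request) ? { action: :block, status: 403 } : { action: :allow, status: nil }
end

# Proxies whose X-Forwarded-For entries we trust (constructed value; in
# practice this is your load balancer / CDN address range).
TRUSTED_PROXIES = [IPAddr.new('10.0.0.0/8')].freeze

def trusted_proxy?(addr)
  ip = IPAddr.new(addr)
  TRUSTED_PROXIES.any? { |net| net.include?(ip) }
rescue IPAddr::InvalidAddressError
  false
end

# Walk the hop chain from the right: the peer that connected to us is the
# last hop, and each trusted proxy appended the hop before it. The first
# hop (from the right) that is NOT a trusted proxy is the real client.
# Entries to the left of that were never vouched for by our infrastructure.
def client_ip(request)
  chain = request.fetch(:headers, {})['X-Forwarded-For'].to_s
                 .split(',').map(&:strip).reject(&:empty?)
  chain << request[:ip].to_s
  chain.reverse_each { |hop| return hop unless trusted_proxy?(hop) }
  chain.first # every hop was one of our proxies; nothing better to report
end
```

With this walk, a client that sends its own forged `X-Forwarded-For: 198.51.100.9` through your proxy still resolves to the address the proxy saw, which is the one worth feeding into a block list.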

Sqreen:-
Sqreen is an application security management solution that sits inside your application to monitor traffic. Sqreen automatically blocks attacks and even lets you define your own custom events. At NestAway, the security team relies heavily on Sqreen to automate things.

Sqreen RASP protection:-
Runtime Application Self-Protection uses the app's runtime context to protect against the most critical vulnerabilities, such as XSS and SQL injection. These types of attacks are automatically blocked by Sqreen.

Sqreen In-app Events:-
Sqreen has many in-app security events that monitor incoming traffic.
For example:
When a request is made to a non-existent path that matches a known malicious path (http://www.domain.com/admin/root.php), Sqreen triggers a warning.

— Sqreen Custom Events:-
Suppose you want to track CSRF activity in your app; you can use Sqreen.track to record it.


if csrf_request?
  Sqreen.track('csrf_request')
end

Sqreen.track('csrf_request') pushes the request details to Sqreen, where you can analyze the request. Using these custom events, you can create Sqreen Playbooks.

— Sqreen Playbook :- If Sqreen.track('csrf_request') is triggered 10 times by an IP in 10 minutes, then take action. (Possible Playbook actions :- No action, just notify || Block the IP for a custom time period || Block the IP permanently || POST to your custom webhook.)
Here’s our detailed use-case :- https://www.sqreen.com/customers/nestaway
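The playbook rule above is a rate threshold over a sliding window: a per-IP count of one event name that only "sees" hits from the last 10 minutes. Sqreen evaluates this on its own side, but the following added example (not Sqreen's or NestAway's code) models the same rule in plain Ruby so the threshold behaviour can be checked: ten `csrf_request` hits from one address inside 600 seconds fire the configured action, while the same number of hits spread 15 minutes apart never accumulate. The `PlaybookRule` class, its action names and the sample IPs and timestamps are constructed for illustration.

```ruby
# Sliding-window model of "N events from one IP within W seconds".
class PlaybookRule
  # Mirrors the four playbook actions listed in the text (constructed names).
  ACTIONS = %i[notify block_temporarily block_permanently webhook].freeze

  def initialize(event:, threshold: 10, window_seconds: 600, action: :block_temporarily)
    raise ArgumentError, "unknown action #{action}" unless ACTIONS.include?(action)
    @event = event
    @threshold = threshold
    @window = window_seconds
    @action = action
    @hits = Hash.new { |h, k| h[k] = [] } # ip => [Time, ...] inside the window
  end

  # Record one tracked event at time `at`. Returns the action to take when
  # the threshold is reached inside the window, otherwise nil.
  def track(event_name, ip, at:)
    return nil unless event_name == @event

    times = @hits[ip]
    times << at
    times.reject! { |t| t <= at - @window } # expire hits older than the window
    times.size >= @threshold ? @action : nil
  end
end

# Constructed sample run: one fast client (a hit every 30 s) and one slow
# client (a hit every 15 min) against the rule "10 hits in 10 minutes".
def run_sample
  rule = PlaybookRule.new(event: 'csrf_request', threshold: 10,
                          window_seconds: 600, action: :block_temporarily)
  t0 = Time.utc(2019, 4, 27, 10, 0, 0)
  fast = 10.times.map { |i| rule.track('csrf_request', '203.0.113.7', at: t0 + 30 * i) }
  slow = 10.times.map { |i| rule.track('csrf_request', '198.51.100.9', at: t0 + 900 * i) }
  other = rule.track('login_failed', '203.0.113.7', at: t0) # wrong event name, ignored
  { fast: fast, slow: slow, other: other }
end
```

The first nine fast hits return nil and the tenth returns `:block_temporarily`; the slow client's window never holds more than one hit, so it is never actioned. Tuning the threshold and window is where false positives are controlled: a shared NAT or corporate proxy can legitimately produce many hits from one address.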

How did we use AWS-WAF and Sqreen for automation?

Now that you have an idea of AWS-WAF and Sqreen, let's see how we used both to automate security operations.

Abuse Score Detection and Webhook.
We built a custom app that exposes one endpoint which takes an IP as input and returns the abuse score of that IP. For this we used the AbuseIpDb open-sourced API.

Monitoring AWS-WAF traffic and blocking abusive clients permanently.
Since AWS-WAF stores blocked client details only for 3 hours, we built a cron that runs every 2 hours to fetch all clients blocked by AWS-WAF rules.
Here's how this cron works:-

Cron used to fetch Clients Blocked by AWS-WAF Rules.
  • Using the AWS-WAF SDK, we fetch the clients blocked by WAF rules every 2 hours.
  • Once we have the IPs, we pass them to the Abuse-Detection System to get the list of abusive IPs (Abuse-Score > 0).
  • If the abusive IP is an X-Forwarded-For IP, we push it to Sqreen (as AWS-WAF cannot work with X-Forwarded-For IPs). Any subsequent request from these IPs will reach our app but result in a 403 Forbidden.
  • If the IP is not an X-Forwarded-For IP, we push it to the AWS-WAF IP block rule using the AWS-WAF SDK. Any subsequent request from these IPs will result in a 403 Forbidden and will not even reach our app.

Blocking abusive clients captured by Sqreen.
As mentioned earlier, Sqreen has built-in events and custom events. Built-in events are deployed automatically as soon as Sqreen is integrated with your app, whereas custom events are deployed manually. Both built-in and custom events monitor the traffic.
Here's how this works:-

Sqreen Automation Explained.
  • When triggered, both Sqreen built-in and custom events hit our webhook endpoint.
  • The webhook receives the request details and runs an AbuseIpDb scan to check the IP's abuse score.
  • If the IP is abusive, we push the IP to Sqreen. Any subsequent request from this IP will result in a 403 Forbidden.
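Both the WAF cron described above and the Sqreen webhook end in the same decision: score the address, keep only those with Abuse-Score > 0, and route forwarded addresses to Sqreen and directly connected ones to the WAF IP rule. The added example below (not NestAway's code) isolates that decision logic for both paths in plain Ruby. The abuse lookup is injected as a callable so the block runs offline; the `constructed_abuse_score` table stands in for the AbuseIpDb call, and the real push to the WAF IP set or to Sqreen is left to the caller. The `WafSample` shape, the Sqreen event payload and every address and score are constructed assumptions.

```ruby
# Constructed stand-in for the abuse-score endpoint: ip => score.
ABUSE_SCORES = {
  '203.0.113.7'  => 85, # abusive client seen behind the proxy
  '198.51.100.9' => 40, # abusive client that connected directly
  '192.0.2.33'   => 0,  # benign client that merely tripped a WAF rule
}.freeze

def constructed_abuse_score(ip)
  ABUSE_SCORES.fetch(ip, 0)
end

# One blocked request as the WAF log exposes it: the peer address plus,
# when a proxy was in front, the X-Forwarded-For header value.
WafSample = Struct.new(:request_ip, :x_forwarded_for, keyword_init: true)

# Pick the address to act on and remember whether it was forwarded,
# because the WAF IP rule can only match request.ip. The rightmost
# X-Forwarded-For entry is the one appended by our own proxy.
def candidate_for(sample)
  hops = sample.x_forwarded_for.to_s.split(',').map(&:strip).reject(&:empty?)
  return { ip: sample.request_ip, forwarded: false } if hops.empty?

  { ip: hops.last, forwarded: true }
end

# Cron path: a batch of WAF samples -> { waf: [...], sqreen: [...] } of the
# abusive addresses, de-duplicated, split by where they can be blocked.
def triage_waf_samples(samples, scorer: method(:constructed_abuse_score))
  routed = { waf: [], sqreen: [] }
  samples.map { |s| candidate_for(s) }.uniq.each do |c|
    next unless scorer.call(c[:ip]) > 0 # Abuse-Score > 0

    (c[:forwarded] ? routed[:sqreen] : routed[:waf]) << c[:ip]
  end
  routed
end

# Webhook path: one Sqreen event payload -> the IP to push to Sqreen, or
# nil when the address is not abusive. Forwarded or not does not matter
# here, because Sqreen blocks inside the app where the client IP is known.
def triage_sqreen_event(payload, scorer: method(:constructed_abuse_score))
  ip = payload.fetch('ip')
  scorer.call(ip) > 0 ? ip : nil
end

# Constructed WAF samples (one duplicate on purpose) and a constructed event.
SAMPLES = [
  WafSample.new(request_ip: '10.0.1.5', x_forwarded_for: '203.0.113.7'),
  WafSample.new(request_ip: '198.51.100.9', x_forwarded_for: nil),
  WafSample.new(request_ip: '192.0.2.33', x_forwarded_for: nil),
  WafSample.new(request_ip: '10.0.1.5', x_forwarded_for: '203.0.113.7'),
].freeze

SQREEN_EVENT = { 'event' => 'csrf_request', 'ip' => '203.0.113.7' }.freeze
```

Running `triage_waf_samples(SAMPLES)` routes 203.0.113.7 to Sqreen (it was forwarded, so the WAF rule could not match it) and 198.51.100.9 to the WAF IP rule, and drops 192.0.2.33 because its score is 0. Keeping the scorer injectable also makes it easy to stage a dry run that logs what would have been blocked before any permanent block is written.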

That’s all Folks. Hope you find this article useful 🙂

Ranjan
Nestaway Engineering

Everyone writing code must be responsible for security. 🔒 Security Engineer @ Nestaway