Web attacks like SQL injection and Cross-Site Scripting can be devastating, resulting in massive data breaches, customer turnover, notification costs, lawsuits, and fines.
AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to Amazon CloudFront and lets you control access to your content. Based on conditions that you specify, such as the IP addresses that requests originate from, or the values of query strings, CloudFront responds to requests either with the requested content or with an HTTP 403 status code (Forbidden). You can also configure CloudFront to return a custom error page when a request is blocked.
The first illustration shows an infrastructure trying to respond to all requests, an approach that exhausts the web server’s resources. The second illustration shows a resilient infrastructure that uses AWS WAF, which blocks requests originating from blacklisted sources.
AWS WAF is a relatively new service, only recently brought out of beta. It is tightly coupled to the CloudFront CDN service: AWS WAF reviews traffic passing through the CDN and, based on defined rules, tells the CDN to either block or allow it. To use the service, all site traffic must pass through a CloudFront distribution.
AWS WAF helps prevent many kinds of attack, but DDoS is the most common form and also the most difficult to curb, so let us start with what exactly a DDoS attack is.
A Denial of Service (DoS) attack is an attack that can make your website or application unavailable to end users. To achieve this, attackers use a variety of techniques that consume network or other resources, disrupting access for legitimate end users. In its simplest form, a DoS attack against a target is executed by a lone attacker from a single source, as shown below:
[Diagram of a DoS attack: a single attacker flooding a single target]
In the case of a Distributed Denial of Service (DDoS) attack, an attacker uses multiple sources—which may be compromised or controlled by a group of collaborators—to orchestrate an attack against a target. As illustrated below, in a DDoS attack, each of the collaborators or compromised hosts participates in the attack, generating a flood of packets or requests to overwhelm the intended target.
[Diagram of a DDoS attack: many compromised or collaborating hosts flooding a single target]
DDoS attacks are most common at layers 3, 4, 6, and 7 of the Open Systems Interconnection (OSI) model, which is described in the above table. Layer 3 and 4 attacks target the Network and Transport layers of the OSI model, while layer 6 and 7 attacks target the Presentation and Application layers. This distinction is important because the attack types directed at these layers are different, and so different techniques are used to build resiliency.
WAF can be implemented as a CloudFormation stack as illustrated in the image below:
[Diagram of the AWS WAF CloudFormation stack: CloudFront, S3 access logs, a Lambda function updating the WAF block list, and the Elastic Load Balancer behind the WAF]
The CloudFormation stack works as follows:
- All web requests pass through a CloudFront CDN distribution. All request data is persisted to access log files that reside in S3 buckets.
- For every new request log file that is persisted, a Lambda function is triggered to analyse the log file data. The Lambda function reviews the traffic patterns and then updates the WAF block list based on defined rules.
- AWS WAF blocks requests from the listed source IP addresses before they reach the Elastic Load Balancer.
Web Traffic Filtering
Traffic filtering is accomplished by creating specific web request conditions, which are then grouped into rules. These rules are then associated with a CloudFront distribution through a web access control list.
Conditions define the basic characteristics that you want AWS WAF to watch for in web requests:
- Scripts that are likely to be malicious. Attackers embed scripts that can exploit vulnerabilities in web applications; this is known as cross-site scripting.
- The IP addresses or address ranges that requests originate from.
- The length of specified parts of the request (Header, HTTP method, URI, body or query string).
- SQL code that is likely to be malicious. Attackers try to extract data from your database by embedding malicious SQL code in a web request; this is known as SQL injection.
- Strings that appear in the request (Header, HTTP method, URI, body or query string), for example, values that appear in the User-Agent header or text strings that appear in the query string.
Some conditions take multiple values. For example, you can specify up to 1000 IP addresses or IP address ranges in an IP condition.
You combine conditions into rules to precisely target the requests that you want to allow or block.
When a rule includes multiple conditions, AWS WAF looks for requests that match all those conditions — it ANDs the conditions together.
Web Access Control Lists (ACLs)
Finally, you combine rules into a Web ACL. This is where you define an action for each rule (allow, block, or count) and a default action that applies when no rule matches. A Web ACL is then associated with a CloudFront distribution, and the same Web ACL can be associated with several distributions, so one set of rules and actions can protect multiple web sites.
When a web request matches all of the conditions in a rule, AWS WAF can either allow the request to be forwarded to CloudFront or block the request. For testing purposes, you can instruct WAF to count the requests and evaluate their behaviour later. You specify the action that you want AWS WAF to perform for each rule.
At the simplest level, AWS WAF lets you choose one of the following behaviours:
- Allow all requests except the ones that you specify – This is useful when you want CloudFront to serve content for a public website but you also want to block requests from attackers.
- Block all requests except the ones that you specify – This is useful when you want CloudFront to serve content for a restricted website whose users are readily identifiable by properties in web requests, such as the IP addresses they use to browse to the website.
- Count the requests that match the properties that you specify – When you want to allow or block requests based on new properties in web requests, you can first configure AWS WAF to count the requests that match those properties without allowing or blocking those requests. This lets you confirm that you didn’t accidentally configure AWS WAF to block all of the traffic to your website. When you’re confident that you specified the correct properties, you can change the behaviour to allow or block requests.
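To make the evaluation order concrete, the following is an added example written for this article, not AWS code: a small local model of a classic AWS WAF Web ACL. It implements the three condition types from the list above (IP match, string match on a request part, size constraint), ANDs the conditions inside a rule, evaluates rules in priority order so that the first allowing or blocking rule decides, lets a count rule record a hit and fall through to the remaining rules, and applies the default action when nothing matched. The `Request` class, the rule names and every IP, path and User-Agent value are constructed for the demonstration.

```python
"""Local model of how a classic AWS WAF Web ACL evaluates one web request.
Added illustration for this article, not AWS code: condition types, the AND
of conditions inside a rule, priority-ordered rules with allow/block/count
actions and the default action follow the text; all sample values are made up.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    client_ip: str
    method: str = "GET"
    uri: str = "/"
    query: str = ""
    headers: dict = field(default_factory=dict)
    body: str = ""

    def __post_init__(self):
        # HTTP header names are case-insensitive; normalise them once.
        self.headers = {k.lower(): v for k, v in self.headers.items()}

    def part(self, name):
        """Return the request part a condition inspects: a named header,
        or the method, URI, query string or body."""
        if name.startswith("header:"):
            return self.headers.get(name.split(":", 1)[1].lower(), "")
        return {"method": self.method, "uri": self.uri,
                "query": self.query, "body": self.body}[name]


class IPMatch:
    """IP condition: the client IP lies inside one of the listed CIDR ranges."""
    def __init__(self, cidrs):
        self.nets = [ipaddress.ip_network(c) for c in cidrs]

    def matches(self, req):
        ip = ipaddress.ip_address(req.client_ip)
        return any(ip in net for net in self.nets)


class StringMatch:
    """String condition: a target string occurs (case-insensitively) in a part."""
    def __init__(self, part, needle):
        self.part, self.needle = part, needle.lower()

    def matches(self, req):
        return self.needle in req.part(self.part).lower()


class SizeConstraint:
    """Size condition: the length of a request part exceeds a limit."""
    def __init__(self, part, max_len):
        self.part, self.max_len = part, max_len

    def matches(self, req):
        return len(req.part(self.part)) > self.max_len


@dataclass
class Rule:
    name: str
    conditions: list
    action: str  # "ALLOW", "BLOCK" or "COUNT"

    def matches(self, req):
        # A rule matches only when ALL of its conditions match: they are ANDed.
        return all(c.matches(req) for c in self.conditions)


class WebACL:
    def __init__(self, rules, default_action):
        self.rules = rules                # evaluated in list (priority) order
        self.default_action = default_action
        self.counts = {}                  # hits recorded by COUNT rules

    def evaluate(self, req):
        """Return (action, name of the deciding rule) for a request."""
        for rule in self.rules:
            if not rule.matches(req):
                continue
            if rule.action == "COUNT":
                # COUNT records the match and keeps evaluating later rules,
                # which is what makes it safe for trying out a new rule.
                self.counts[rule.name] = self.counts.get(rule.name, 0) + 1
                continue
            return rule.action, rule.name  # ALLOW or BLOCK ends evaluation
        return self.default_action, "default"


def build_demo_acl():
    """Constructed Web ACL: block a documentation IP range, block scraper
    user agents on the API path, count oversized URIs, allow everything else."""
    return WebACL(
        rules=[
            Rule("block-bad-range", [IPMatch(["203.0.113.0/24"])], "BLOCK"),
            Rule("block-scraper-on-api",
                 [StringMatch("header:User-Agent", "scrapy"),
                  StringMatch("uri", "/api/")], "BLOCK"),
            Rule("count-long-uri", [SizeConstraint("uri", 64)], "COUNT"),
        ],
        default_action="ALLOW",
    )


if __name__ == "__main__":
    acl = build_demo_acl()
    for req in (Request("203.0.113.7"),
                Request("198.51.100.5", uri="/api/items",
                        headers={"User-Agent": "Scrapy/2.0"}),
                Request("198.51.100.5", uri="/" + "a" * 80)):
        print(req.client_ip, req.uri[:16], "->", acl.evaluate(req))
    print("count rule hits:", acl.counts)
```

Two behaviours are worth noticing when running it: a scraper User-Agent on a path outside `/api/` is allowed, because only one of the rule's two ANDed conditions matched; and an oversized URI is counted but still allowed by the default action, which is exactly the testing workflow the third bullet above describes.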
Full Feature API
By combining the core WAF web traffic filtering features with other AWS services, you can make the rules dynamic. For example, it is possible to temporarily block IP addresses based on request volume, shutting down bots or screen-scraping processes.
There are several CloudFormation templates that can jump-start setting up some of these dynamic rules.