As the internet continues to grow, so does the number of bad actors, such as hackers and evildoers, who are determined to exploit websites for their own gain. This is a significant problem, not only for website owners but also for the end users who rely on those sites. In response, we developed a project to stop these bad actors from hammering our websites.

Our solution involves three main components. In a recent project to safeguard our websites, we integrated Fastly's Signal Sciences (SigSci) into our infrastructure. This lets us monitor every request to our sites and confirm that it is legitimate rather than part of a malicious attack. Each request flows through the VCL at the Fastly edge, then through Signal Sciences, and finally to our origin websites.

To stop bad actors, we set up many security rules in SigSci. These rules added some latency to our sites, but the data they produced helped us identify attack patterns and fine-tune our response. After analyzing that data, we realized we could move all of the backdoor-attempt rules onto the VCL. This lets us stop and scrub those attacks at the edge, before they ever reach the SigSci WAF.

To streamline our efforts, we aggregated almost all of the rules into one corp rule. A corp rule applies to every site added to SigSci, which helps with observability and monitoring. We also set up independent signals for each site to improve visibility.

Our project has been incredibly successful, and we are currently scrubbing off and stopping anywhere from 1.5 – 2 million bad requests every two weeks, depending on the RPS and total traffic.

It’s been a challenging but rewarding project. We knew we had to take action to protect our sites from bad actors, and integrating SigSci into our infrastructure has made a significant difference. By moving the backdoor attempt rules onto the VCL, we’ve been able to respond even faster, stopping these attacks before they even reach our WAF.

As we continued to fine-tune our response to bad actors, we took our efforts one step further. Any block that occurs on the SigSci WAF now returns a 406 to the VCL. This lets us take immediate action against malicious requests and prevent follow-up attacks: when the VCL sees the 406, it puts the client IP in a penalty box for five minutes, so any subsequent requests from that IP are blocked automatically. While this approach has been effective, we have encountered issues when blocking NAT IP addresses, since many legitimate users can share a single address. As a result, we have limited the penalty box to only five minutes. Any malicious activity from the same IP address after the five-minute block has ended will once again be caught and blocked by our systems.
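To make the two VCL stages described above concrete (scrubbing backdoor probes at the edge before SigSci sees them, and the 406-to-penalty-box handling), here is an added example written for this post. It is not the VCL-SecureGuard project's code and not Fastly's or Signal Sciences' own configuration. It assumes a Fastly service with Edge Rate Limiting available (the `penaltybox` declaration and `ratelimit.penaltybox_add` / `ratelimit.penaltybox_has` functions), the standard Fastly boilerplate macros in place, SigSci deployed as the next hop so that its blocks arrive in `vcl_fetch` as a backend 406, and an illustrative backdoor-probe pattern (requests for `.php` files on a site that serves no PHP); the penalty box name and that pattern are assumptions you would replace with your own.

```vcl
# Added example for this post, not the VCL-SecureGuard project's code.
# Assumes Fastly Edge Rate Limiting is enabled on the service and that
# SigSci sits between the edge and origin, returning 406 on a WAF block.

# Holds client IPs that SigSci has blocked. Entries expire on their own.
penaltybox waf_blocked_ips {}

sub vcl_recv {
  # Stage 2 of the post: an IP still in the penalty box is refused outright,
  # so repeat attacks never reach SigSci or the origin.
  if (ratelimit.penaltybox_has(waf_blocked_ips, client.ip)) {
    error 403 "Forbidden";
  }

  # Stage 1 of the post: scrub obvious backdoor probes at the edge.
  # Assumed pattern for illustration: this origin serves no PHP at all,
  # so any request for a .php path is a probe. Replace with your own rules.
  if (req.url.path ~ "(?i)\.php$") {
    error 406 "Not Acceptable";
  }
}

sub vcl_fetch {
  # SigSci signals a block with a 406 backend response.
  if (beresp.status == 406) {
    # Shared / NAT addresses would lock out many legitimate users at once,
    # so the time-to-live is kept short: five minutes, as in the post.
    ratelimit.penaltybox_add(waf_blocked_ips, client.ip, 5m);
    error 403 "Forbidden";
  }
}

sub vcl_error {
  # Serve a minimal synthetic body for both the edge scrub and the WAF block
  # so that no origin or SigSci detail leaks back to the client.
  if (obj.status == 403 || obj.status == 406) {
    set obj.http.Content-Type = "text/plain";
    synthetic "Blocked";
    return(deliver);
  }
}
```

Two design notes. The edge scrub in `vcl_recv` deliberately does not add the IP to the penalty box: in the post, only a SigSci block earns a penalty, and keeping that decision in one place makes the rule easier to reason about and to tune. The `ratelimit.penaltybox_add` TTL must be between one minute and one hour on Fastly, so the five-minute value is both the post's choice and well within the supported range.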

Our ongoing efforts to protect our sites from bad actors testify to the importance of vigilance and innovation in today's digital landscape. With the VCL code now open-sourced, anyone can implement similar measures to protect their own sites from malicious attacks.

https://github.com/DivyendraPatil/VCL-SecureGuard