How to use AWS WAF(Web Application Firewall)? Effective defense against SQL injection, cross-site scripting and hacker malicious brush

In the public network environment, any external Web service, APP interface or e-commerce website will face not only real customers but also dense customers as soon as it opens its doors every day.

Hacker scanners, malicious scrubbing crawlers, and a variety of automated attacks against application layer vulnerabilities

.

Many technical teams do not have enough awareness of prevention, thinking that everything will be fine if the server is installed with antivirus software and the security team turns off unused ports. The result is:

The core database was directly stripped and looted by a simple SQL injection statement, the web page was implanted with malicious scripts (XSS), resulting in the theft of user funds, or the marketing activity interface was hacked with hacker tools, which wiped out hundreds of thousands of budgets in a few minutes.

In the traditional architecture, to deal with this malicious attack at the application layer (the seventh layer in the OSI seven-layer model), it is necessary to change a large number of back-end code or write a bunch of extremely complex interception rules at the Nginx level, which is costly to operate and easily kill normal requests by mistake.

AWS Amazon Payments

On the Amazon cloud, the most elegant and worry-free defensive weapon is

AWS WAF(Web Application Firewall,Web Application Firewall)

. It is like a "devil security inspector" at the forefront of the server. Before the request reaches your back-end server, it blocks all kinds of hidden weapons, poisons and malicious brushes at the edge.

Today's in-depth tutorial does not talk about profound safety slangs. It will take you to completely subside AWS WAF from the most down-to-earth actual combat perspective.

Core Principle: Where is AWS WAF and how does it work?

Before configuring, let's find out where this "security inspector" stands in your structure. AWS WAF

Cannot

Hanging directly on a single EC2 cloud server, it functions by "parasitizing" the following three core traffic entry layers:

Application Load Balancer (ALB): Your application load balancer.

Amazon CloudFront: Your global CDN edge node.

Amazon API Gateway: Your microservice interface gateway.

AWS Amazon Payments

When an American hacker crafted a request containing malicious code to send it:

The traffic first reaches the CloudFront CDN edge node (or ALB).

AWS WAF instantly intervenes. It will use your configured "defense rule set (Web ACL)" to scan the Header (request header), Query String(URL parameter), Body (request body) and IP source of the request like an X-ray machine.

If it matches the hacker characteristics, WAF directly spits out 403 Forbidden at the edge to intercept and attack the flow.

The amount can't even touch the hair of your back-end server, and it won't consume any of your CPU and business bandwidth.

The first stage: three-step landing AWS WAF core defense (actual combat operation)

The core of configuring AWS WAF is to create a

Web ACL(Web Access Control List)

. Let's take "protecting domestic or overseas ALB load balancing" as an example to deploy defense:

Step 1: Create a new web ACL and bind it to a portal

Log in to the AWS Management Console, search for and go to the WAF & Shield console.

In the left-side navigation pane, click Web ACLs, and then click Create Web ACL on the right.

Key parameter configuration: Resource type: if you want to protect CloudFront CDN, select Global (CloudFront); If you are protecting load balancing, select Regional resources and select the region where your server is located (e.g. us-west-2 western Oregon). Name: Give it a refreshing name, such as prod-web-waf-acl.

At the Associated AWS resources below, click Add AWS resources and check the ALB instance where you are running the web service. Click Next.

Step 2: Configure AWS Official Managed Rule Set with One Click (Blocking SQL Injection and XSS)

AWS officials have been very kind to help us write a "top-of-the-line body armor" to deal with regular hacker attacks, called

AWS Managed Rule Groups

. You don't need to understand the profound network security confrontation, just enable it with one click:

On the Add rules and rule groups page, click Add rules -> Add managed rule groups on the right.

Expand the AWS managed rule groups and you'll see a bunch of officially maintained rules that are updated in real time. It is strongly recommended to check the following three "core main forces" with your eyes closed: Core rule set (CRS): Core rule set. This is the soul of WAF, which contains the most common vulnerabilities (including OWASP Top 10), local file inclusion (LFI) and other conventional attacks defense. SQL database (SQLi) rule set: SQL injection specific defense. Specially stare at the database special characters in the request, and die welding the database door at the end of the death. Known bad input rule set: Vulnerability Scanner Defense. Many hackers like to use automated open source tools (such as SQLmap) to blindly test your

Website, this rule can accurately identify the probes of these tools and block them directly.

Click Add rules to save.

Step 3: Turn on the Rate-based Rule-the amount of malicious swipes by hackers.

After blocking the vulnerability attack, we will deal with the most troublesome one next.

Malicious brushing, database collision, crawler and CC attacks

.

In order to fill up your bandwidth or blow up your SMS/verification code interface, hackers will use a large number of broilers or proxy IP to concurrency crazily in a short period of time. AWS WAF

Rate-based Rule

Is the strongest means of subduing them.

In the Rules page, click Add rules -> Add my own rules and rule groups.

Configuration parameter: Rule type: Select Rate-based rule. Rate limit: Sets the maximum access limit for a single IP within 5 minutes. For example, for an ordinary Web site, you can set the 2000. If it is an extremely sensitive registration/login interface, it can be compressed to 100-300. Action: Select Block (direct interception) or Count (only record without interception, usually used for early observation).

In this way, once a crazy request from an overseas IP exceeds the red line you set within 5 minutes, AWS WAF will immediately handcuff the IP, and reward it for all subsequent visits for a 403, usually after 5 to 10 minutes of normal behavior, it will automatically unseal.

The second stage: master advanced-how to reduce the "manslaughter rate" of WAF "?

There is an eternal pain point in the field of security:

The stricter the defense, the easier it is to kill good people by mistake.

For example, if your company's finance employee uploads an Excel form containing financial formulas in the background, WAF's SQL injection rules may mistake it for hacker code and directly intercept the finance elder sister.

On the first day of WAF launch, experienced architects will use the following two techniques to refine operations:

1. Start the "Observation Mode (Count)" fire test first

Don't immediately pull your new bulletproof vest to stop the bullet. When the rules are added in the production environment:

AWS Amazon Cloud Pay-as-You-Go

A big move to avoid pits: first change the Action of all newly added Managed Rules to Count.

In this mode, WAF will not really intercept a suspect request when it is found, but will only stamp a "suspect" in the log to allow the request to continue to pass.

Run for 3 to 7 days and go to the console to view WAF CloudWatch sampling logs (Sampled requests). If it is found that the normal operation of many normal users is also stamped, explain

The rules are overreacting. At this time, you can Exclude (exclude) specific sub-rules in the console, wash the accidental killing, and then formally switch the Action to Block.

2. Accurately open up the "green channel (IP white list)"

If your company has a special partner or the public IP of the internal office area needs to call the interface frequently, don't let them queue up with hackers to pass the security check.

Manually create an IP Set in WAF and enter your company's fixed public network IP.

Add a custom rule to the Web ACL: if the request comes from this IP Set, the Action is directly set to Allow (release), and the priority (Priority) of this rule is raised to the top position 0. In this way, the internal flow can directly brush the face into the arena.

Stage 3: See the billing ledger of AWS WAF (is it expensive?)

AWS WAF billing is very refreshing, it does not have any hidden server overhead, using.

Fixed base fee Flow handling fee

The mode:

Web ACL base fee: Each web ACL is charged a fixed $10 per month.

Rule (Rule) fee: For every rule you add to the web ACL (such as checking a CRS set or writing a speed limit rule yourself), you charge $1 per rule per month (most of the managed rule sets that AWS comes with are free of charge and do not add extra money).

Request processing fee: True flexible spending, $0.60 per 1 million requests processed.

💡A small case of actuarial ledger: suppose you build a Web ACL and hang up 3 basic official rules plus 1 speed limit rule (4 rules in total), your website has a total of 20 million requests a month. Fixed monthly rent:$10 (ACL) $1*4 (Rules) = $14 request fee:(20 million/1 million) * $0.60=$12 total bill: only $26 (about 180 yuan) a month. With the money of two movie tickets, we hired a top digital bodyguard who was close-fitting and tireless for 24 hours to protect the company's core business.

Summary and self-defense formula

In modern cloud-native architectures, it is extremely dangerous and backward to pin security defenses on back-end code. With AWS WAF, we 've accomplished the feat of scrubbing malicious traffic right at the outermost edge of the network. Finally, I'll give you four WAF formulas that veterans are using:

The first padlock at the entrance: WAF hangs in front of ALB or CDN, and the edge of the hacker probe is cut off.

Official hosting is fully ticked: CRS, SQLi plus injection, and mainstream vulnerabilities are filled with one click.

Speed limit rule pressure brush amount: sensitive interface set red line, malicious crawler flash directly.

Count before B

Lock: Don't be careless about production release, look at the log before upgrading.

AWS Amazon Cloud Pay-as-You-Go