Introduction to Application Security
In today’s digital landscape, internet-facing websites and applications are central to the online presence of businesses, organizations, and individuals. With DDoS attacks, automated abuse, and web application exploitation on the rise, protecting these assets is more important than ever. This guide walks through the Cloudflare settings that matter most for doing so.
What does Cloudflare do?
Cloudflare is a reverse proxy that combines a content delivery network (CDN), a web application firewall (WAF), DDoS mitigation, and authoritative DNS hosting. Because it sits between a website’s visitors and the origin server, it can cache content close to visitors, terminate TLS, and inspect and filter every request before it reaches the origin. The security benefit only holds for traffic that actually passes through Cloudflare, which is why the sections on proxied records and origin lockdown below matter as much as the WAF itself.
Why is Cloudflare Necessary?
- DDoS Protection: Distributed Denial of Service (DDoS) attacks can make a website unreachable for legitimate users. Cloudflare’s globally distributed network acts as a buffer, absorbing and mitigating volumetric and HTTP-layer attacks at the edge before they reach your origin server. This keeps the site reachable during most attacks, provided the origin cannot be hit directly by its own IP address.
- Web Application Firewall (WAF): Attackers routinely probe websites for application-level weaknesses. Cloudflare’s WAF inspects incoming HTTP requests and blocks or challenges those matching known attack patterns, such as SQL injection, cross-site scripting (XSS), and other common injection classes.
- Content Delivery Network (CDN): Cloudflare’s CDN caches static content at points of presence around the world and serves dynamic requests through the nearest one. This reduces latency and improves load times, and spreading traffic across many points of presence also improves resilience.
- SSL/TLS Encryption: Cloudflare terminates TLS at its edge with certificates it issues and renews for you, so the connection between visitors and Cloudflare is always encrypted. The connection from Cloudflare to your origin is governed by a separate setting (SSL/TLS > Overview): in Flexible mode that leg is plain HTTP, so use Full (strict) with a valid certificate on the origin so that both legs are encrypted and the origin certificate is verified.
- Bot Management: Bots can be either useful or harmful, but telling the difference can be difficult. Cloudflare’s Bot Management features use machine learning algorithms to identify and mitigate malicious bot traffic, shielding your website from automated attacks and fraud.
- DNS Management and Security: Your website’s DNS infrastructure is vital for its availability and performance. Cloudflare’s DNS management features ensure not only fast and reliable DNS resolution but also include security enhancements like DNSSEC and DDoS protection for your DNS infrastructure.
Getting Started With Cloudflare:
- To start, sign up for a Cloudflare account at https://dash.cloudflare.com/sign-up
- Add your website from the ‘Websites’ section by clicking the ‘Add a Site’ button.
- Enter the root domain name (for example example.com, not www.example.com) and click Continue.
- Select the plan that matches your requirements.
- Cloudflare scans the domain’s existing DNS records and imports them, then shows two Cloudflare nameservers. Replace the nameservers at your domain registrar with these; this is what routes DNS for the domain through Cloudflare. Check the imported records for any that were missed.
- Once the nameserver change has propagated and Cloudflare has verified it, the zone becomes active and you are ready to secure the domain.
Enabling Proxied DNS Records:
- Log in to your Cloudflare dashboard and select the domain for which you want to enable proxied DNS records.
- Navigate to the ‘DNS’ section.
- Here, you’ll see a list of your DNS records.
- If the proxy status shows ‘DNS only’ (grey cloud), the record answers with your origin’s real IP address and traffic for that hostname bypasses Cloudflare entirely, including the WAF. ‘Proxied’ (orange cloud) routes it through Cloudflare. Only A, AAAA, and CNAME records can be proxied; MX, TXT, and similar records are always DNS only.
- To enable the proxy for a record, click Edit and toggle the proxy status to Proxied.
- Save the change. Cloudflare’s proxy services are now active for that record, and external resolvers will return Cloudflare addresses for it.
Advantages of Proxied DNS Records:
- DDoS Protection: Traffic for proxied records enters Cloudflare’s network first, where malicious requests are filtered before anything reaches your origin.
- Increased Performance: Cloudflare’s CDN caches static content close to your visitors, improving load times.
- Enhanced Privacy: Because DNS now answers with Cloudflare addresses, the origin’s IP address is hidden from visitors. This only holds for proxied records: a forgotten DNS-only A record (a staging host, for instance), an MX record pointing at the same server, or historical DNS data can still reveal the origin IP, and anyone who learns it can talk to the origin directly unless the origin refuses such connections.
- SSL/TLS Encryption: Cloudflare provides and renews edge certificates for proxied hostnames, so visitors always get an encrypted connection; set the SSL/TLS mode to Full (strict) so the Cloudflare-to-origin leg is encrypted and verified as well.
How to Prevent WAF Bypass via Direct Origin IP Access?
- Allow only the WAF’s IP ranges: configure the host firewall or cloud security group on the origin to accept HTTP and HTTPS only from the WAF provider’s published IP ranges, so the origin only ever receives traffic that has been filtered. Cloudflare publishes its ranges at https://www.cloudflare.com/ips/; they change occasionally, so refresh the list on a schedule rather than copying it once.
- Use Network Security Groups: implement network security groups (NSGs) or the equivalent feature of your cloud provider to restrict inbound access to the origin to those ranges, and make sure no other path (a public load balancer, an old elastic IP) still reaches it.
- Implement IP-based Access Control Lists (ACLs) on the web server or reverse proxy itself, for example with Nginx’s access module. If you also use Nginx’s real IP module to recover the visitor’s address from the CF-Connecting-IP header (recommended, so logs and per-IP limits see the real client), be aware that plain allow/deny then tests the recovered visitor address rather than the Cloudflare peer address, so the check must be written against the original TCP peer.
- Stronger than IP allowlisting is Cloudflare’s Authenticated Origin Pulls, which makes the origin require a client certificate from Cloudflare on every connection; combine it with the IP restriction rather than relying on either alone.
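The following script is an added example, not code from the original page or from Cloudflare. It ties the two preceding sections together: it checks which of your hostnames still resolve to a non-Cloudflare address (a DNS-only record that bypasses the WAF), and it renders the origin lockdown as both iptables rules and an Nginx snippet that combines the real IP module with an allowlist on the original TCP peer. The embedded IP ranges are a point-in-time snapshot of Cloudflare’s published list and must be refreshed from https://www.cloudflare.com/ips/ before use; the hostnames and addresses in the sample are constructed.

```python
import ipaddress

# Cloudflare's published edge ranges, copied here as a point-in-time snapshot for
# illustration. Refresh from https://www.cloudflare.com/ips-v4 and
# https://www.cloudflare.com/ips-v6 before deploying; the list changes occasionally.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CLOUDFLARE_IPV6 = [
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
]
CLOUDFLARE_NETWORKS = [ipaddress.ip_network(r) for r in CLOUDFLARE_IPV4 + CLOUDFLARE_IPV6]


def is_cloudflare_ip(ip, networks=CLOUDFLARE_NETWORKS):
    """True if the address belongs to one of Cloudflare's edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def find_exposed_hosts(resolved, networks=CLOUDFLARE_NETWORKS):
    """Given {hostname: address} as an external resolver sees it (collect it with dig
    or a DNS export), return the hostnames that resolve straight to a non-Cloudflare
    address. Those are DNS-only records: they bypass the WAF and reveal the origin."""
    return sorted(h for h, ip in resolved.items() if not is_cloudflare_ip(ip, networks))


def render_nginx_snippet(ranges=None):
    """Nginx configuration that recovers the visitor IP from CF-Connecting-IP and
    accepts connections only from Cloudflare. The allowlist is evaluated against
    $realip_remote_addr (the TCP peer) because realip rewrites $remote_addr to the
    visitor's address, which would make a plain allow/deny list reject everyone."""
    ranges = ranges or (CLOUDFLARE_IPV4 + CLOUDFLARE_IPV6)
    out = ["# http {} context: recover the visitor IP (ngx_http_realip_module)"]
    out += [f"set_real_ip_from {r};" for r in ranges]
    out.append("real_ip_header CF-Connecting-IP;")
    out.append("")
    out.append("# Classify the TCP peer, not the recovered client IP (ngx_http_geo_module)")
    out.append("geo $realip_remote_addr $from_cloudflare {")
    out.append("    default 0;")
    out += [f"    {r} 1;" for r in ranges]
    out.append("}")
    out.append("")
    out.append("# server {} context")
    out.append("if ($from_cloudflare = 0) { return 403; }")
    return "\n".join(out) + "\n"


def render_iptables(ranges_v4=None, ranges_v6=None):
    """Host-firewall equivalent: accept 80/443 from Cloudflare, drop everything else."""
    ranges_v4 = ranges_v4 or CLOUDFLARE_IPV4
    ranges_v6 = ranges_v6 or CLOUDFLARE_IPV6
    cmds = []
    for tool, ranges in (("iptables", ranges_v4), ("ip6tables", ranges_v6)):
        for r in ranges:
            cmds.append(f"{tool} -A INPUT -p tcp -m multiport --dports 80,443 -s {r} -j ACCEPT")
        cmds.append(f"{tool} -A INPUT -p tcp -m multiport --dports 80,443 -j DROP")
    return cmds


if __name__ == "__main__":
    # Constructed sample: www is proxied, staging was left DNS-only.
    sample = {"www.example.com": "104.16.1.1", "staging.example.com": "203.0.113.10"}
    print("exposed hostnames:", find_exposed_hosts(sample))
    print(render_nginx_snippet())
    print("\n".join(render_iptables()))
```

After deploying the allowlist, verify it from outside Cloudflare: a request sent straight to the origin address with the site’s Host header (for example with curl and its --resolve option) should be refused, while the same request through the proxied hostname succeeds.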
DDoS Protection
Cloudflare’s HTTP DDoS protection is enabled automatically on every zone. If its defaults do not fit your traffic profile, you can override them for the zone:
- Go to the DDoS module under the Security section.
- Click the ‘Deploy a DDoS override’ button.
- Adjust the rules that match your traffic. For example, to block rather than challenge clients that trip a rule, set the ruleset action to Block; if legitimate traffic spikes (a marketing campaign, a batch job) are being mitigated, lower the sensitivity level for the affected rules instead of disabling them.
Bot Fight Mode
- Go to the Bots section under the Security module.
- Enable ‘Bot Fight Mode’ to challenge automated traffic from bad bots.
- It challenges everything its heuristics classify as automated, which can include your own API clients, mobile apps, and uptime monitoring, so review the Security Events after enabling it and confirm that legitimate automation still works.
Cloudflare Managed Rule Sets
Managed rulesets are rule sets that Cloudflare writes and maintains for you, so coverage for new attack patterns arrives without you editing rules. The two most relevant are the Cloudflare Managed Ruleset, which targets known exploits and vulnerabilities, and the Cloudflare OWASP Core Ruleset, Cloudflare’s packaging of the OWASP ModSecurity Core Rule Set.
Steps:
- Log in to the Cloudflare dashboard and navigate to the website.
- Navigate to the WAF module under the Security section.
- Navigate to the Managed rules tab.
- To protect the website against the OWASP classes of vulnerability (SQL injection, XSS, XXE, SSRF, and so on), deploy the pre-built Cloudflare OWASP Core Ruleset and configure its anomaly score threshold, paranoia level, and action. This ruleset works by scoring: every rule that matches a request adds to its anomaly score, and the action fires only when the total reaches the threshold. A higher paranoia level enables stricter rules and produces more false positives.
- Once the ruleset is deployed, requests that pass through Cloudflare are screened for these vulnerability classes at the WAF level.
Recommendation:
- Before setting the OWASP ruleset’s action to Block or Managed Challenge, keep it on Log for a few weeks and review the Security Events. Some legitimate traffic (search queries, rich text, JSON bodies with SQL-like fragments, file uploads) will almost certainly be scored as malicious by the generic rules. Deploy the ruleset with the action set to Log, monitor which rules fire on which hosts and paths, and for each legitimate endpoint that matches add a WAF exception (a skip scoped to that host and path) or lower the paranoia level. Only when the log shows no legitimate traffic matching should the action be switched to Block.
- It is always good practice to fix vulnerabilities in the code rather than depending entirely on the WAF. The WAF is a first line of defense and a way to buy time; the vulnerability itself still has to be fixed at the code level.
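The triage step in the recommendation above (which log-mode matches are false positives and which are probes) is easy to do from an export of the Security Events. The script below is an added example, not code from the original page or from Cloudflare: it groups log-mode managed-rule events by rule, host, and path and applies the heuristic that a rule hit by many distinct client IPs on one path is a false positive on real users, while a rule hit repeatedly by one or two IPs is more likely an attack. The field names follow Cloudflare’s GraphQL firewallEventsAdaptive dataset; the event values, rule IDs, and the distinct-IP threshold are constructed assumptions for the example.

```python
import json
from collections import defaultdict


def _ev(path, ip, rule_id, action="log", source="firewallManaged", host="api.example.com"):
    # Field names follow the firewallEventsAdaptive dataset; values are constructed.
    return {"datetime": "2024-05-01T10:00:00Z", "action": action, "source": source,
            "ruleId": rule_id, "clientIP": ip, "clientRequestHTTPHost": host,
            "clientRequestPath": path, "userAgent": "example-client/1.0"}


# Constructed sample; rule IDs are placeholders, not real Cloudflare rule identifiers.
SAMPLE_EVENTS = (
    [_ev("/v1/search", f"198.51.100.{n}", "rule-A") for n in (10, 11, 12, 13, 10)]  # 5 hits, 4 IPs
    + [_ev("/wp-login.php", "203.0.113.7", "rule-B") for _ in range(6)]             # 6 hits, 1 IP
    + [_ev("/v1/search", "198.51.100.20", "rule-A", action="block")]                 # already enforced
    + [_ev("/", "192.0.2.5", "custom-1", source="firewallCustom")]                   # not a managed rule
)


def load_events(json_text):
    """Parse a JSON array of events, e.g. saved from the Security Events export or
    pulled out of a GraphQL response with jq."""
    return json.loads(json_text)


def triage(events, min_distinct_ips=3):
    """Group log-mode managed-rule matches by (ruleId, host, path).

    Heuristic: a rule firing on one path from many different clients is almost always
    a false positive on legitimate traffic and needs an exception; a rule fired
    repeatedly by one or two clients is more likely a real probe. Returns two lists
    of summaries, most frequent first: (likely_false_positives, likely_attacks)."""
    buckets = defaultdict(lambda: {"hits": 0, "ips": set()})
    for ev in events:
        if ev.get("source") != "firewallManaged" or ev.get("action") != "log":
            continue
        key = (ev["ruleId"], ev["clientRequestHTTPHost"], ev["clientRequestPath"])
        buckets[key]["hits"] += 1
        buckets[key]["ips"].add(ev["clientIP"])
    likely_fp, likely_attack = [], []
    for (rule_id, host, path), b in sorted(buckets.items(), key=lambda kv: -kv[1]["hits"]):
        summary = {"rule_id": rule_id, "host": host, "path": path,
                   "hits": b["hits"], "distinct_ips": len(b["ips"])}
        target = likely_fp if summary["distinct_ips"] >= min_distinct_ips else likely_attack
        target.append(summary)
    return likely_fp, likely_attack


def exception_expression(host, path):
    """Expression for a managed-rules exception (skip) scoped to one endpoint, in the
    Cloudflare rules language. Narrow it further (method, auth header) before
    deploying, and never skip on host alone: that disables the WAF for the site."""
    return f'(http.host eq "{host}" and http.request.uri.path eq "{path}")'


if __name__ == "__main__":
    fp, attacks = triage(SAMPLE_EVENTS)
    for s in fp:
        print("exception candidate:", s, "->", exception_expression(s["host"], s["path"]))
    for s in attacks:
        print("probable attack:", s)
```

Candidates in the first list are the ones to investigate and exempt with an exception that is as narrow as possible; the second list is the traffic the rule should keep catching once the action is switched to Block.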
Zone Lockdowns
Zone Lockdown is a feature provided by Cloudflare that allows website owners to restrict access to specific URLs or paths, effectively creating a virtual “lockdown” for those areas of their website.
This feature is particularly useful for limiting access to sensitive parts of a website, such as administrative interfaces, private APIs, or internal applications to authorized users only.
Steps to enable zone lockdown:
- Log into the Cloudflare dashboard and select a website.
- Navigate to the WAF module under the Security section.
- Go to the Tools tab.
- If you wish to restrict an admin application or a staging environment to your internal network or corporate VPN, create a zone lockdown rule. Use URL patterns such as staging.company.com/* and company.com/admin/*, and set the allowed IP ranges to your internal ranges or the VPN’s egress addresses. Keep the allowlist tight: a lockdown is only as strong as the list of addresses it trusts, and it does not authenticate users, so it complements rather than replaces the login on the admin interface.
- After the rule is added, Cloudflare returns an access denied error page when a request to a locked-down URL arrives from an address outside the allowed ranges. Like every Cloudflare rule, this applies only to traffic that passes through the proxy, so the origin must also refuse direct connections.
Site-Wide Rate Limit Rule
A site-wide rate limit rule protects the site from a single client (or a small set of clients) sending an abusive volume of requests, whether that is a scraper, a brute-force tool, or a misbehaving integration.
Steps:
- Log into the Cloudflare dashboard and select the relevant website.
- Go to the WAF module found under the Security section.
- Proceed to the Rate Limiting Rules.
- Create a rate limiting rule whose expression matches the site’s hostname.
- Define the request threshold per period, the characteristic to count on (client IP by default), and the mitigation timeout (how long a client stays blocked once it exceeds the threshold) according to business needs, then deploy the rule.
- Once the rule is in effect, Cloudflare responds with HTTP 429 Too Many Requests to a client that exceeds the threshold, for the duration you set.
Recommendation:
- Set the action to Log for a few weeks first and watch the Security Events, since an internal system or a partner integration may legitimately send a large number of requests. If one exists, exclude its source IP in the rule expression rather than raising the threshold for everyone.
- Add a separate, stricter rate limit for endpoints that trigger SMS or email (OTP, password reset, sign-up), keyed on the client IP and scoped to the request path. This limits how quickly an attacker can burn through the SMS quota or spam users, but it is mitigation rather than a fix: the endpoint itself should also enforce per-account and per-phone-number limits in code.
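Choosing the threshold, period, and mitigation timeout is easier if you replay your existing access logs through the same counting logic before the rule is deployed. The script below is an added example, not code from the original page or from Cloudflare: it parses combined-format access log lines, applies a per-client-IP sliding-window counter with the rule’s parameters to one path prefix, honours an exclusion list for internal clients, and reports which IPs would have been blocked and how many of their requests would have received a 429. The log lines are constructed. One caveat: on most plans Cloudflare counts per data centre rather than globally, so a replay of the whole log is a slightly stricter estimate than the real rule.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format as nginx/Apache write it; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"], "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}


def simulate_rate_limit(lines, requests_per_period, period_seconds, block_seconds,
                        path_prefix="/", exclude_ips=()):
    """Replay access-log lines through a per-client-IP sliding-window counter with the
    rule's parameters. A request that would be the (threshold + 1)th within the period
    starts a mitigation of block_seconds; requests during mitigation get a 429.
    Returns {ip: {"blocks", "blocked_requests", "first_block_at"}} for every IP the
    rule would have acted on. Unparseable lines are ignored."""
    period = timedelta(seconds=period_seconds)
    window = defaultdict(deque)   # ip -> timestamps of counted requests
    blocked_until = {}            # ip -> end of the current mitigation
    result = {}
    parsed = [p for p in (parse_line(l) for l in lines) if p]
    for req in sorted(parsed, key=lambda p: p["ts"]):
        ip, ts = req["ip"], req["ts"]
        if ip in exclude_ips or not req["path"].startswith(path_prefix):
            continue
        if ip in blocked_until and ts < blocked_until[ip]:
            result[ip]["blocked_requests"] += 1      # would receive HTTP 429
            continue
        q = window[ip]
        while q and ts - q[0] >= period:             # drop requests outside the window
            q.popleft()
        if len(q) >= requests_per_period:            # threshold exceeded: start mitigation
            blocked_until[ip] = ts + timedelta(seconds=block_seconds)
            q.clear()
            r = result.setdefault(ip, {"blocks": 0, "blocked_requests": 0,
                                       "first_block_at": ts.isoformat()})
            r["blocks"] += 1
            r["blocked_requests"] += 1
            continue
        q.append(ts)
    return result


# Constructed sample log: one abusive client, one normal client, one internal job.
_BASE = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)


def _line(ip, seconds, path):
    ts = (_BASE + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "POST {path} HTTP/1.1" 200 17 "-" "example-client/1.0"'


SAMPLE_LOG = (
    [_line("203.0.113.9", 2 * i, "/api/otp/send") for i in range(12)]    # 12 OTP requests in 22 s
    + [_line("203.0.113.9", 3, "/static/app.js")]                        # outside the limited path
    + [_line("198.51.100.5", 5 * i, "/api/otp/send") for i in range(3)]  # well under the threshold
    + [_line("10.0.0.7", i, "/api/otp/send") for i in range(20)]         # internal job, to exclude
)


if __name__ == "__main__":
    hits = simulate_rate_limit(SAMPLE_LOG, requests_per_period=10, period_seconds=60,
                               block_seconds=600, path_prefix="/api/otp/",
                               exclude_ips={"10.0.0.7"})
    for ip, r in hits.items():
        print(ip, r)
```

Run it with the real log and the candidate parameters; every IP it reports is one the rule would have blocked, so anything you recognise as legitimate goes into the exclusion list (or argues for a higher threshold) before the action is switched from Log to Block.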
Bad ASN Block Rule:
Cloudflare allows you to block or challenge traffic from specific Autonomous System Numbers (ASNs), the network identifiers of hosting providers and ISPs. This is useful against attacks in which many cloud or VPS instances are used to send a large number of requests, since most real customers do not browse from a data centre.
Here are the steps:
- Log into the Cloudflare dashboard and select the appropriate website.
- Navigate to the WAF module located in the Security section.
- Create a custom rule. Set the field to AS Num, the operator to ‘is in’, and the value to the list of ASNs you want to act on. A community-maintained starting point is https://github.com/brianhama/bad-asn-list
- Set the action to ‘Managed Challenge’ rather than Block, so that a human behind a cloud VPN or corporate proxy can still get through.
- Once the rule is in place, any request from an IP address announced by one of the listed ASNs is presented with a managed challenge.
Note:
Review the ASN list before adding it to the rule. It includes ASNs belonging to Amazon (AS16509, AS14618) and Google (AS15169), among other widely used cloud providers; if those stay in the rule, your own applications, partner integrations, or monitoring running on AWS or Google Cloud will be challenged or blocked. Remove every ASN your infrastructure depends on, and keep the rule on Log for a while to see what it would catch.
Geo-Blocking Rule:
Attackers route traffic through whichever country is convenient, so geo-blocking is a coarse filter rather than a security boundary: it cuts noise and opportunistic scanning but is trivially bypassed with a VPN or proxy. It is still worthwhile when your customers are confined to a known set of countries. Identify where your customers actually are, and block (or challenge) requests from countries where you do not expect clients, checking first that you do not cut off your own staff, partners, or third-party services such as payment callbacks.
Here are the steps:
- Log into the Cloudflare dashboard and select the appropriate website.
- Navigate to the WAF module located in the Security section.
- Create a custom rule. Set the field to Country, the operator to ‘is in’, and the value to the list of countries to block.
- Once the rule is added, Cloudflare blocks requests from the listed countries. Use Managed Challenge instead of Block if you would rather let humans through and only stop automation.
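The two custom rules above (the bad-ASN challenge and the geo block) are straightforward to build by hand, but the ASN list runs to thousands of entries, which is where the allowlist review and the expression length limit bite. The script below is an added example, not code from the original page, from Cloudflare, or from the bad-asn-list project: it parses a CSV in the two-column ASN,Entity layout that repository is assumed to use (the rows here are constructed), drops the ASNs you depend on, renders Cloudflare rules-language expressions using the ip.geoip.asnum and ip.geoip.country fields (the newer ip.src.asnum and ip.src.country are equivalent), splits the ASN set across several expressions when it exceeds an assumed 4096-character limit, and emits rule objects in the shape the Rulesets API uses for the custom rules phase. The country codes XA and XB are user-assigned placeholders, not real countries.

```python
import csv
import io

# Cloudflare custom-rule expressions have a maximum length. 4096 is an assumption
# for this example; check the current limit for your plan before relying on it.
MAX_EXPRESSION_LEN = 4096

# Constructed excerpt assumed to follow the two-column ASN,Entity layout of
# bad-asn-list.csv; the rows are illustrative only.
SAMPLE_BAD_ASN_CSV = """ASN,Entity
16509,Amazon.com Inc.
15169,Google LLC
14061,DigitalOcean LLC
20473,The Constant Company LLC
"""

# ASNs your own infrastructure, partners or monitoring depend on. Edit to taste:
# AS16509 and AS14618 are Amazon, AS15169 is Google.
ALLOWED_ASNS = {16509, 14618, 15169}


def parse_asn_csv(text):
    """Return [(asn, entity)] from the CSV, tolerating an 'AS' prefix on the number."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        asn = row["ASN"].strip().upper().removeprefix("AS")
        if asn.isdigit():
            rows.append((int(asn), row["Entity"].strip()))
    return rows


def select_asns(rows, allow_asns=ALLOWED_ASNS):
    """Deduplicate, drop allowlisted ASNs, and return a sorted list for the rule."""
    return sorted({asn for asn, _ in rows if asn not in allow_asns})


def asn_rule_expressions(asns, max_len=MAX_EXPRESSION_LEN):
    """Render '(ip.geoip.asnum in {...})', splitting into several expressions
    (one rule each) when the set does not fit in a single expression."""
    def render(chunk):
        return "(ip.geoip.asnum in {" + " ".join(str(a) for a in chunk) + "})"
    exprs, chunk = [], []
    for asn in asns:
        if chunk and len(render(chunk + [asn])) > max_len:
            exprs.append(render(chunk))
            chunk = []
        chunk.append(asn)
    if chunk:
        exprs.append(render(chunk))
    return exprs


def country_rule_expression(country_codes):
    """Render '(ip.geoip.country in {"XX" "YY"})' from ISO 3166-1 alpha-2 codes."""
    codes = " ".join(f'"{c.upper()}"' for c in sorted(set(country_codes)))
    return f"(ip.geoip.country in {{{codes}}})"


def build_custom_rules(asns, blocked_countries):
    """Rule objects in the shape the Rulesets API uses for the
    http_request_firewall_custom phase: description, expression, action, enabled."""
    rules = [{"description": f"Bad ASN challenge ({i + 1})", "expression": expr,
              "action": "managed_challenge", "enabled": True}
             for i, expr in enumerate(asn_rule_expressions(asns))]
    if blocked_countries:
        rules.append({"description": "Geo block",
                      "expression": country_rule_expression(blocked_countries),
                      "action": "block", "enabled": True})
    return rules


if __name__ == "__main__":
    import json
    asns = select_asns(parse_asn_csv(SAMPLE_BAD_ASN_CSV))
    # XA and XB are user-assigned placeholder codes; substitute the real countries.
    print(json.dumps(build_custom_rules(asns, ["XA", "XB"]), indent=2))
```

The expressions can be pasted into the custom rule editor’s expression field directly, or the rule objects sent to the Rulesets API; either way, deploy them with the action set to Log first and confirm from the Security Events that nothing you rely on is matched.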
Monitoring and Analytics:
Monitoring and analytics are vital components of website management and security. Cloudflare provides robust tools for tracking website traffic, security events, and performance metrics.
- Traffic Analytics: Cloudflare provides detailed insights into your website’s traffic patterns, including request volume, visitor geographic distribution, and the types of devices accessing your site. This information is accessible through the Cloudflare dashboard, helping you understand your audience and optimize your content delivery strategy.
- Security Event Logging: Cloudflare records security events such as WAF rule matches, rate limit hits, bot detections, and DDoS mitigations, with the rule, action, client IP, ASN, country, and request path for each. Reviewing these events is how you tune rules that are still in Log mode and how you spot an attack in progress; on paid plans they can also be exported to a SIEM via Logpush or queried with the GraphQL Analytics API.
- Alerting and Notifications: Cloudflare lets you set up alerts on predefined conditions and security events. For instance, you can be notified when the site experiences a sudden traffic increase, when a DDoS attack is detected, or when a configured security rule fires. These alerts keep you informed about potential issues so that you can respond before they affect users.
While the Web Application Firewall (WAF) serves as a crucial first line of defense, protecting your website against the OWASP Top 10 threats, it is equally important to address these vulnerabilities directly at the code level. Implementing WAF can mitigate risks, but long-term security depends on thoroughly fixing underlying code issues to ensure robust and comprehensive protection.