April 26, 2022
Nexusguard’s Application Protection (AP) platform enforces three core mitigation engines, namely NetShield, AppShield and Web Application Firewall (WAF), to protect web and TCP applications against L3/4 and L7 attacks, as well as OWASP Top 10 threats. In this blog post, we will talk about the recent enhancements made to AppShield, especially the suite of mitigation tools available to policy administrators and SOC (Security Operations Centre) teams when handling DDoS attacks.
Connection-oriented protocols like HTTP(S) can be difficult to defend because obtaining the full picture of a transaction requires interaction with the protected server. AppShield stands in for that server in the initial stages of a transaction, such as TCP three-way handshake, in order for AppShield to inspect and filter HTTP- and HTTPS-level content.
With AppShield, the request string, method, query parameters, headers and body content become trivial to parse and inspect. Through this inspection we can spot anomalies in the header values and create the mitigation rules needed to block the bad traffic. AppShield also has features that allow us to verify various types of clients. After the engine inspects and drops bad requests, legitimate requests go back to the protected servers to be handled by their applications.
Nexusguard Mitigation Tools: L7 - AppShield
Refined Visibility and Control
For ease of management, better visibility and greater control, both the detection policy and mitigation policy together with its various mitigation filters are managed separately in the Overview page under the AppShield tab.
Figure 1 - AppShield Overview Page
Clearly Defined Detection Policies
The detection policy is segregated from other mitigation filters and presented in a standalone page for the sake of clarity with clearly defined rules and terminology.
Figure 2 - AppShield Detection Policies
Improved Transparency
Traffic graphs are added to AppShield to help improve the transparency of requests handled by each of the mitigation filters.
Figure 3 - AppShield Traffic Graphs
Portal users can choose from a selection of views as follows:
1. Summary is an aggregated view of the total traffic being processed by the AppShield engine when enabled. The graph shows the total clean traffic and attack traffic while allowing the portal user to also view the traffic data in either bandwidth or request / sec.
Figure 4 - AppShield Summary View
2. Per Filter View shows the traffic being processed by each mitigation filter. As the mitigation filters are processed in sequence, the traffic output from filter 1 is the traffic input to filter 2. At the time of attack, attack traffic is dropped sequentially as it travels through the series of mitigation filters.
Figure 5 - AppShield Per Filter View
3. Per Filter Rule View Taking the Allow/Blocklist mitigation filter as an example, the policy administrator can configure and enable IP Allowlist, IP blocklist and Mobile Bypass rule simultaneously to block an attack. Using the Per Filter Rule View allows the policy administrator to inspect the mitigation effectiveness of each of these rules when applied independently, alleviating the need for further fine tuning.
Furthermore, two additional mitigation filters are added to the comprehensive suite of AppShield mitigation filters:
1. Slow HTTP attacks are denial-of-service (DoS) attacks whereby attackers send HTTP requests piece by piece at a slow pace to a web server. If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. The server’s concurrent connection pool eventually reaches its limit, creating a DoS. To mitigate Slow HTTP attacks, Nexusguard’s Application Protection (AP) is reinforced by the addition of a “Slow Rate” mitigation filter, composed of three operation modes that ensure slow HTTP requests are blocked when detected.
2. RangeAmp attacks exploit the incorrect implementations of the HTTP range requests attribute by manipulating CDN servers to amplify traffic towards destination servers and ultimately overwhelm targeted sites. To safeguard against RangeAmp attacks, Nexusguard’s “Range Amp” mitigation filter is designed specifically to mitigate invalid requests that exploit this vulnerability.
Enhanced HTTP Authentication
HTTP Authentication consists of two parts as follows:
1. IP Authentication is a source based policy acting on the total requests per source IP. Should the threshold be exceeded, the rate limit or blocking rules are applied as per the policy administrator’s choice.
Two additional attributes, namely Unique User Agent Counter and Unique User ID Counter, are added to improve detection accuracy as well as providing more granular control to the mitigation process.
Figure 6 - IP Authentication
2. HTTP Authentication is a destination based policy acting on the total requests to the destination target. Once the threshold is exceeded, HTTP Challenges is activated for all users’ requests.
Two enhancements made to this filter are as follows:
a. Exceptional Case Handling - certain scenarios may cause the HTTP Challenges to not function as intended, e.g. the use of non-browser clients, mobile devices, API calls, etc. Bypass List and HTTP Redirect Challenge are incorporated to address these cases.
Figure 7 - HTTP Authentication
b. HTTP Challenges - methods used to automatically mitigate HTTP based DDoS attacks are enhanced with the addition of the following 4 modes:
i. OFF - No challenge
iii. Domain - Activate / filter per destination domain
iv. Smart - Auto select between source and domain
Figure 8 - HTTP Challenges
Customized configuration for domain authentication is not required as it follows the values set in the detection policy.
For most use cases, it is recommended that Nexusguard Smart Mode is applied whenever HTTP Challenges are called into action.
Nexusguard’s DDoS mitigation technologies are constantly updated and enhanced to keep abreast with the latest cyber threats, so that you and your customers are always protected against new types of attacks.
For further information, please read about Nexusguard’s Application Protection.
