SaaS Based Bot Management Solution

ABSTRACT:

The customer is an organization that provides an online visa appointment scheduling platform for its clients, where users log in to a web portal to book an appointment once a booking window opens.

Each booking window has a defined number of available slots, and the window details are published to users in advance.

Some of the visa appointment windows open on a quarterly basis, so a very large volume of web traffic hits the application server at once.

KEY CHALLENGES:

STRATEGY & RECOMMENDED SOLUTION:

We reviewed the application workflow in detail and designed a solution to address the problem. The following WAF policies were recommended.

BOT PRETENDER POLICY RULES: Block bad bots that pretend to be legitimate bots. This ensures genuine bots are not blocked, while bots impersonating legitimate ones, such as fake search engine (Google, Baidu, Yandex) crawlers, are prevented from crawling, stealing sensitive information, exploiting vulnerabilities, etc.

SECURITY SCANNER / EXPLOITATION TOOL / WEB CRAWLER / SCRAPER DETECTION RULES: Block the connection or IP based on checks of the User-Agent, request headers, file names/arguments, etc. This blocks attacks from known vulnerability scanners (like Nessus, Nikto, Acunetix, etc.), exploitation tools (), etc. It also blocks tools and scripting/generic HTTP clients that crawl the website to scrape sensitive information an attacker could use for further attacks.

IP REPUTATION RULES: Block IPs with a bad reputation, based on whether the source IP is classified as Spammer, Suspicious, Search Engine, Harvester, etc. The reputation of the IP address is looked up in the Project Honey Pot system, which identifies reputation through efficient DNS lookups and checks of mail servers against various blacklists.

CLI AND/OR GUI BASED AUTOMATION DETECTION RULES:

COOKIE CHALLENGE BASED POLICY RULES: Block non-browser-based suspicious traffic. Block the IP/user when the WAF-injected cookies are missing or a mismatch is detected. For example:

HTML WEB FORM CHALLENGE BASED POLICY RULES: Block browser/web-GUI-based suspicious traffic. Block the IP/user when manipulation of a WAF-injected form field value (web parameter tampering) is detected. For example:

CAPTCHA PROTECTION BASED POLICY RULES: Block malicious bot traffic. Google reCAPTCHA was introduced on the first page. By default, it does not let the request through when wrong input is provided. For example: block the IP for 5 minutes after 3 incorrect attempts.

ADVANCED DDOS RATE LIMITING POLICY RULES: Block suspicious traffic by throttling incoming requests. Block the IP/cookie based on user and non-user threshold-based rate-limiting rules. For example:

BRUTE-FORCE RATE LIMITING POLICY RULES: Block suspicious traffic that uses brute-force techniques. Block the IP/user based on the number of incorrect login/CAPTCHA attempts.

INPUT VALIDATION POLICY RULES: Block suspicious user traffic. Block the connection based on incorrect login/CAPTCHA attempts.
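The cookie challenge and the "3 incorrect attempts, block the IP for 5 minutes" threshold described above, written out as an added example (constructed here for illustration, not AppTrana's or Indusface's own code). It assumes the WAF injects a cookie carrying an HMAC bound to the client's IP and User-Agent under a per-deployment secret; a request whose cookie is missing, forged, replayed from another client, or expired counts as a failed challenge, and a CAPTCHA failure counts the same way.

```python
import hmac, hashlib
from collections import defaultdict

SECRET = b"constructed-waf-secret"  # assumption: per-deployment secret, not a real key

def issue_challenge_cookie(client_ip, user_agent, issued_at):
    """WAF-injected cookie: issue time plus an HMAC bound to the client's IP and UA."""
    tag = hmac.new(SECRET, f"{client_ip}|{user_agent}|{issued_at}".encode(), hashlib.sha256)
    return f"{issued_at}.{tag.hexdigest()}"

def verify_challenge_cookie(cookie, client_ip, user_agent, now, max_age=600):
    """Return 'ok', 'missing', 'mismatch' or 'expired' for a presented cookie."""
    if not cookie:
        return "missing"  # client never stored/returned the injected cookie
    issued_at, _, tag = cookie.partition(".")
    if not issued_at.isdigit() or not tag:
        return "mismatch"
    expected = issue_challenge_cookie(client_ip, user_agent, int(issued_at))
    if not hmac.compare_digest(expected.encode(), cookie.encode()):
        return "mismatch"  # replayed from another IP/UA, or forged
    return "expired" if now - int(issued_at) > max_age else "ok"

class AttemptLimiter:
    """Block a key (IP or user) for block_secs after `limit` failures inside that window."""
    def __init__(self, limit=3, block_secs=300):
        self.limit, self.block_secs = limit, block_secs
        self.failures, self.blocked_until = defaultdict(list), {}
    def is_blocked(self, key, now):
        return self.blocked_until.get(key, 0) > now
    def record_failure(self, key, now):
        recent = [t for t in self.failures[key] if now - t < self.block_secs] + [now]
        self.failures[key] = recent
        if len(recent) >= self.limit:
            self.blocked_until[key] = now + self.block_secs
            self.failures[key] = []  # counter restarts once the block lapses
            return True
        return False

def inspect_request(req, limiter, now):
    """Cookie challenge first, then the page's 3-failures-in-5-minutes IP block."""
    if limiter.is_blocked(req["ip"], now):
        return "blocked"
    verdict = verify_challenge_cookie(req.get("cookie"), req["ip"], req["ua"], now)
    if verdict != "ok":
        limiter.record_failure(req["ip"], now)
        return "challenge:" + verdict
    if not req.get("captcha_ok", True):  # constructed flag standing in for the reCAPTCHA result
        limiter.record_failure(req["ip"], now)
        return "captcha_failed"
    return "allow"
```

Requests are plain dicts with `ip`, `ua`, optional `cookie` and `captcha_ok` keys; a real deployment would key the limiter on user as well as IP, as the policy text describes.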

BLACKLISTING/WHITELISTING POLICY RULES: Block or control suspicious traffic based on real-time monitoring. Block or allow requests from an IP/geo-location/URI/client according to configuration.

ANOMALY/ABNORMAL BEHAVIOR DETECTION RULES: Block an IP based on abnormal behavior in real time. Self-learning rules are written from continuous monitoring of threat detection and incorporate threat intelligence to help protect against malicious attacks and suspicious activity. These rules are built from the accumulated dataset and threat score, checking for unusual application traffic patterns grouped around a common parameter over a time period to identify anomalies.

RESULTS:

The above WAF policies were built and simulated by our security experts and then activated in production. The following observations were made while the appointment booking window was actively running.

Indusface

Indusface is a leading application security SaaS company that secures critical Web, Mobile, and API applications of 6500+ global customers using its award-winning fully managed platform that integrates web application scanner, web application firewall, DDoS & BOT Mitigation, CDN, and threat intelligence engine.
