Filtering out suspicious traffic from web app and API

koeks525 (Executive Member, joined Jul 14, 2012, Canada)
Hey everyone,

I've been looking around to see what options one has with respect to filtering out suspicious traffic on the web app and the API. I know Cloudflare offers a wide range of services around this; I wanted to see if there are free or super affordable options for a small app. I built a VueJS app; I already have reCAPTCHA on the app. I have a .NET based backend (ASP.NET Core).

If I think about this abstractly, some of the options I have are to filter out traffic that comes from some well-known and updated list of suspicious IP addresses (e.g. those used for open proxies, or scrapers). There are also some best practices I need to ensure I am not violating (ensure adherence to OWASP's top 10 threats, ensure the cloud server is configured properly, ensure the credentials I use have the minimum required permissions, etc). Not sure if DoS is something to worry about for a small app. I wish there was some middleware I could register which "magically" filters traffic from suspicious IPs, hehehe.

My question is, for those of you who have built apps and wondered about application security, what app security services and strategies did you incorporate into your app?
 
Nginx bad bot blocker is decent, especially if you are already using it as your reverse proxy

 
Nginx bad bot blocker is decent, especially if you are already using it as your reverse proxy

Basically this or CloudFlare would be your easiest options. AWS and Azure have options but definitely not free.

You could look at AWS Amplify for full hosting and if I remember right first year is free. WAF would be a bit easier then as well.
 
IP blacklisting services are a start for nipping bad ones in the bud from the get go.
 
Unless it's a hobby, I'd highly recommend using a paid-for cloud-based WAF. The main advantage is the traffic can be blocked BEFORE hitting your server, thereby significantly reducing wasted resources. It helps to obscure your server's IP address and you can restrict connections to those only from the WAF/CDN (should always be done). It will also take care of keeping up to date with OWASP, etc. depending on the package.

I haven't personally tried Cloudflare, but AWS and Azure both work well and there are a number of custom rules you can set (but you pay per rule). If you can't afford it (and it's not critical), then you'll want something on the webserver layer like Apache's ModSecurity.
 
You are wishing what every developer wants. It does not exist.

1. Write secure code.
2. Test your code using SAST / DAST / IAST / RAST. Moderate the reports and fix the issues. You will have less work if you did #1 properly. Rinse and repeat every major release.
3. If it is a high value / risk app, get a proper pentester to do a proper pentest. Fix the issues before deploying. Rinse and repeat every major release.
4. Only after you have done 1-3, consider other tools / services. Ask yourself the question: Is there a business need to allow TOR exit nodes to hit my app? If not, then blacklist them. The same with known open proxies. And if you only have a handful of clients with fixed IPs, consider whitelisting. Use GCP Event Threat detection and Cloud Armor (without the WAF).
5. WAFs are good, but IMHO those provided by AWS / Azure / GCP are typically "compliance" WAFs: you deploy them to get the compliance officer to tick the box. They won't help secure a badly coded app. Far better to deploy ModSecurity, and also inspect TLS traffic. Customise the rules to suit your app. The cloud providers' WAFs are slowly getting better, and allow for better tool integration, but today are not as good as your own. Plus as they get better, they become handcuffs. You will learn new skills, and become a regular expression boffin. You will also then be able to defend against 0-day threats with customised rules.
6. Use a tool like Chef InSpec to regularly scan and monitor the config and compliance of your cloud components.
 
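The original poster asked for ASP.NET Core middleware that filters suspicious source addresses, one reply says connections to the origin should be restricted to the WAF/CDN, and the last reply suggests blocking Tor exit nodes and open proxies and whitelisting the handful of fixed client IPs. The following is an added example (not code from the thread or from any of the products mentioned) of a single middleware that does all three. It assumes: the WAF/CDN egress ranges are known (the CIDRs below are documentation placeholders, not real provider ranges); the WAF appends the client address to the end of `X-Forwarded-For` (for Cloudflare you would set `ClientIpHeader` to `CF-Connecting-IP` instead); and the blocklist is populated from a Tor-exit or open-proxy feed that you refresh regularly, since those lists change hourly. The `Cidr`, `IpFilterOptions` and `IpFilterMiddleware` types are illustrative names.

```csharp
// Program.cs (added example). The middleware (1) refuses any TCP peer that is
// not the WAF/CDN or local reverse proxy, so the WAF cannot be bypassed by
// hitting the origin directly, (2) takes the real client address from the
// header the trusted proxy sets, (3) drops clients on a CIDR blocklist and
// (4) restricts a chosen path to an allowlist of fixed client addresses.
// Every CIDR below is a placeholder from the documentation ranges.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Primitives;

var app = WebApplication.CreateBuilder(args).Build();

var options = new IpFilterOptions { ClientIpHeader = "X-Forwarded-For" };
options.TrustedProxies.Add(new Cidr("203.0.113.0/24")); // placeholder: your WAF/CDN egress range(s)
options.TrustedProxies.Add(new Cidr("127.0.0.1/32"));   // nginx on the same host, if you front Kestrel with it
options.Blocklist.Add(new Cidr("198.51.100.0/24"));     // placeholder: refreshed from a Tor-exit/open-proxy feed
options.PathAllowlists["/api/admin"] = new List<Cidr> { new Cidr("192.0.2.10/32") }; // placeholder fixed client

app.UseMiddleware<IpFilterMiddleware>(options);         // register before routing, auth and endpoints
app.MapGet("/", () => "ok");
app.Run();

// Small CIDR matcher for IPv4 and IPv6, so the example does not depend on either
// of the two IPNetwork types that ship with .NET.
public sealed class Cidr
{
    private readonly byte[] _network;
    private readonly int _prefix;

    public Cidr(string text)
    {
        var parts = text.Split('/');
        _network = IPAddress.Parse(parts[0]).GetAddressBytes();
        _prefix = parts.Length == 2 ? int.Parse(parts[1]) : _network.Length * 8;
        if (_prefix < 0 || _prefix > _network.Length * 8)
            throw new ArgumentOutOfRangeException(nameof(text), "prefix length out of range");
    }

    public bool Contains(IPAddress ip)
    {
        // Kestrel reports IPv4 peers as ::ffff:a.b.c.d on a dual-stack socket.
        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();
        var bytes = ip.GetAddressBytes();
        if (bytes.Length != _network.Length) return false;
        int fullBytes = _prefix / 8, remBits = _prefix % 8;
        for (int i = 0; i < fullBytes; i++)
            if (bytes[i] != _network[i]) return false;
        if (remBits == 0) return true;
        int mask = (0xFF << (8 - remBits)) & 0xFF;
        return (bytes[fullBytes] & mask) == (_network[fullBytes] & mask);
    }
}

public sealed class IpFilterOptions
{
    public List<Cidr> TrustedProxies { get; } = new();             // only these may reach the origin
    public string ClientIpHeader { get; set; } = "X-Forwarded-For"; // header the trusted proxy sets
    public List<Cidr> Blocklist { get; } = new();
    public Dictionary<string, List<Cidr>> PathAllowlists { get; } = new(StringComparer.OrdinalIgnoreCase);
}

public sealed class IpFilterMiddleware
{
    private readonly RequestDelegate _next;
    private readonly IpFilterOptions _opt;

    public IpFilterMiddleware(RequestDelegate next, IpFilterOptions opt) { _next = next; _opt = opt; }

    public async Task InvokeAsync(HttpContext ctx)
    {
        var peer = ctx.Connection.RemoteIpAddress;

        // 1. Anything that is not the WAF/CDN is a bypass attempt or a misconfiguration:
        //    deny it, and never believe a forwarded header from it.
        if (peer is null || !_opt.TrustedProxies.Any(n => n.Contains(peer)))
        {
            ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
            return;
        }

        // 2. The peer is trusted, so the client address it appended is trustworthy.
        var client = ResolveClientIp(ctx.Request.Headers[_opt.ClientIpHeader], peer);

        // 3. Blocklist: Tor exit nodes, open proxies, known scrapers.
        // 4. Allowlist: paths whose legitimate clients have fixed addresses.
        bool blocked = _opt.Blocklist.Any(n => n.Contains(client))
            || _opt.PathAllowlists.Any(kv => ctx.Request.Path.StartsWithSegments(kv.Key)
                                            && !kv.Value.Any(n => n.Contains(client)));
        if (blocked)
        {
            ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
            return;
        }

        ctx.Items["ClientIp"] = client; // resolved address for logging or rate limiting downstream
        await _next(ctx);
    }

    // Proxies append the address they saw to the END of X-Forwarded-For; entries to
    // the left were supplied by the client and may be forged, so only the rightmost
    // one is used. A single-value header such as CF-Connecting-IP yields that value.
    private static IPAddress ResolveClientIp(StringValues header, IPAddress fallback)
    {
        var raw = header.ToString();                // repeated header lines are joined with ","
        if (string.IsNullOrWhiteSpace(raw)) return fallback;
        var last = raw.Split(',')[^1].Trim();
        return IPAddress.TryParse(last, out var ip) ? ip : fallback;
    }
}
```

Two caveats a practitioner would want. First, step 1 only works if the origin is reachable solely through the WAF: if nginx sits in front of Kestrel, then Kestrel's peer is always 127.0.0.1 and the same WAF-range restriction has to be enforced in nginx (`allow`/`deny` on the real peer), otherwise anyone who discovers the origin address walks straight past the WAF. Second, do not combine this with `UseForwardedHeaders` configured to trust all proxies; the whole point of the peer check is that only addresses the WAF wrote are believed.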