Protecting your Website Against Attacks Using Web Application Firewall

Background

Nasir launched a website to enable the public report any case of human trafficking. Since the launch, there has been series of attacks against the website. He does not know how to protect against these types of attacks because he is not a security expert.

 Introduction

In this tutorial, we will show you how to use CloudFlare’s free tier service to protect your web servers against ongoing HTTP-based DDoS attacks by enabling “I’m Under Attack Mode”. This security mode can mitigate DDoS attacks by  verifying the legitimacy of a connection before passing it to your web server.

Prerequisites

This tutorial assumes that you have the following:

  • A web server
  • A registered domain that points to your web server
  • Access to the control panel of the domain registrar that issued the domain

You must also sign up for a CloudFlare account before continuing. Note that this tutorial will require the use of CloudFlare’s nameservers.

Configure Your Domain to Use CloudFlare

Before using any of CloudFlare’s features, you must configure your domain to use CloudFlare’s DNS.

If you haven’t already done so, log in to CloudFlare.

Add a Website and Scan DNS Records

After logging in, you will be taken to the Get Started with CloudFlare page. Here, you must add your website to CloudFlare and Begin Scan:

The next page shows the results of the DNS record scan. Be sure that all of your existing DNS records are present, as these are the records that CloudFlare will use to resolve requests to your domain. In our example, we used cockroach.nyc as the domain:

Note that, for your A and CNAME records that point to your web server(s), the Status column should have an orange cloud with an arrow going through it. This indicates that the traffic will flow through CloudFlare’s reverse proxy before hitting your server(s).

Next, select your CloudFlare plan.

Change Your Nameservers

For Godaddy users you can point your cloudflare nameservers from Godaddy by following this process.

Wait for Nameservers to Update

The Pending status means that CloudFlare is waiting for the nameservers to update to the ones that it prescribed (e.g. eva.ns.cloudflare.com and matt.ns.cloudflare.com). If you changed your domain’s nameservers, all you have to do is wait and check back later for an Active status. If you click theRecheck Nameservers button or navigate to the CloudFlare dashboard, it will check if the nameservers have updated.

CloudFlare Is Active

Once the nameservers update, your domain will be using CloudFlare’s DNS and you will see it has anActive status, like this:

Recommended First Steps for All CloudFlare Users. This is important to ensure that CloudFlare will allow legitimate connections from services that you want to allow, and so that your web server logs will show the original visitor IP addresses (instead of CloudFlare’s reverse proxy IP addresses).

Once you’re all set up, let’s take a look at the I’m Under Attack Mode setting in the CloudFlare firewall.

I’m Under Attack Mode

By default, CloudFlare’s firewall security is set to Medium. This offers some protection against visitors who are rated as a moderate threat by presenting them with a challenge page before allowing them to continue to your site. However, if your site is the target of a DDoS attack, that may not be enough to keep your site operational. In this case, the I’m Under Attack Mode might be appropriate for you.

If you enable this mode, any visitor to your website will be presented with an interstitial page that performs some browser checks and delays the visitor for about 5 seconds before passing them to your server. 

Note: Keep in mind that you only want to have I’m Under Attack Mode enabled when your site is the victim of a DDoS attack. Otherwise, it should be turned off so it does not delay normal users from accessing your website for no reason.

How To Enable I’m Under Attack Mode

How To Disable I’m Under Attack Mode

As the I’m Under Attack Mode should only be used during DDoS emergencies, you should disable it if you aren’t under attack. To do so, go to the CloudFlare Overview page, and click the Disable button:

Conclusion

Now that your website is using CloudFlare, you have another tool to easily protect it against HTTP-based DDoS attacks. There are also a variety of other tools that CloudFlare provides that you may be interested in setting up, like free SSL certificates. As such, it is recommended that you explore the options and see what is useful to you.

Good luck!


Continue the conversation.


Visit forum.safeonline.ng to post comments and get advice from a community of security experts

Read next article Secure Coding Practices

Summary steps

  • Immediately you notice your website/web application is under attack, quickly activate your “I am Under Attack” mode on CloudFlare.

Useful links

http://www.slideshare.net/StanleyTan6/setting-up-cloudflare-for-go-daddy

https://support.cloudflare.com/hc/en-us/articles/201897700

Related articles

Safe Backup and Data Storage

Nasir has been working on investigating AGA. He has gathered lots of evidence and saved it on his computer. Few days before giving his presentation to his editor in chief his computer crashed and he has lost all his documents and project. He could have backed the documents up before the computer crashed.

DDOS Attacks and How to Prevent Them

Chidinma has been trying to get on The Way Forward site for about 20 minutes but it isn't loading. She checks with the security department and she is informed her that they're under attack.

Secure Coding Practices

We would be sharing with you 12 secure coding practices that cuts across different programming languages and have over time, been proven to mitigate security risks that are associated with