Protect Your Rails Apps from Bots, Scrapers and DDoS Attacks

Background

I got the monthly bill from Amazon for $14, then $18, for the CDN. Unwanted bots were wasting my bandwidth. Looking at the production log files, I realized that I needed to stop my web server from being flooded by unwanted requests, scanning tools, bots and scrapers. From the AWS Security Blog post How to Configure Rate-Based Blacklisting with AWS WAF and AWS Lambda:

The main objective of this kind of distributed denial of service (DDoS) attack, commonly called an HTTP flood, is to overburden system resources and make them unavailable to your real users. You can use AWS WAF to provision a solution that automatically detects unwanted traffic based on request rate, and then updates configurations of AWS WAF (a web application firewall that protects any application deployed on the Amazon CloudFront content delivery service) to block subsequent requests from those users.

You can protect your Rails web apps from common web exploits that affect application availability, compromise security, or consume excessive resources. I use AWS WAF because I already use CloudFront as the CDN; the Rails app itself is hosted on Linode. It took me about two hours to configure and deploy the first version. From the AWS WAF home page:

AWS WAF is a web application firewall that gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application. New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns. Also, AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of web security rules.

Rack Attack Gem

My first solution used the rack-attack gem to stop bots from wasting bandwidth. I had to manually run a command in the production Rails console to ban each IP, writing a cache key that expires after five days:

Rails.cache.write('block 1.2.3.4', true, expires_in: 5.days)

The Rack::Attack initializer (config/initializers/rack_attack.rb) then blocks any request whose client IP has such a cache entry. The block must return a truthy value to block the request, so the lookup checks that the key is present (the original used .blank?, which would have blocked every IP except the banned ones):

Rack::Attack.blocklist('block <ip>') do |req|
  # Block the request if a `block <ip>` key exists in the cache store.
  # Older rack-attack versions call this method `blacklist`.
  Rails.cache.read("block #{req.ip}").present?
end
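To show what the manual ban above does, and what the rate-based automation discussed later adds on top of it, here is a self-contained Rack middleware written in plain Ruby. It is an added example, not code from this post or from the rack-attack gem: it reimplements the two ideas (a cache-backed "block <ip>" list and an automatic ban once an IP exceeds a request limit in a time window) without any gem so it runs offline. The ExpiringCache class stands in for Rails.cache, and the limit, window and ban duration are hypothetical values. In a real app rack-attack's throttle and Rack::Attack::Allow2Ban helpers implement the same pattern on top of Rails.cache.

```ruby
# Minimal cache with expiry, standing in for Rails.cache (assumption: a real
# app uses Rails.cache so bans are shared by every app process).
class ExpiringCache
  def initialize(clock: -> { Time.now })
    @clock = clock
    @store = {}
  end

  def write(key, value, expires_in:)
    @store[key] = [value, @clock.call + expires_in]
  end

  def read(key)
    entry = @store[key]
    return nil unless entry
    value, expires_at = entry
    if @clock.call >= expires_at
      @store.delete(key)
      return nil
    end
    value
  end

  # Fixed-window counter: the first request opens a window of `expires_in`
  # seconds and later increments keep that expiry (Rails.cache#increment on
  # a shared store behaves the same way).
  def increment(key, expires_in:)
    value, expires_at = @store[key]
    if value.nil? || @clock.call >= expires_at
      value, expires_at = 0, @clock.call + expires_in
    end
    @store[key] = [value + 1, expires_at]
    value + 1
  end
end

# Rack middleware: rejects IPs that have a "block <ip>" cache entry (the
# manual ban from the post) and adds a rate-based auto-ban, which is what
# the AWS WAF + Lambda solution does at the CDN edge instead.
class RateBan
  BLOCK_TTL = 5 * 24 * 60 * 60 # 5.days in seconds
  WINDOW    = 60               # counting window, seconds
  LIMIT     = 100              # requests per window before an auto-ban

  def initialize(app, cache, limit: LIMIT, window: WINDOW, block_ttl: BLOCK_TTL)
    @app, @cache = app, cache
    @limit, @window, @block_ttl = limit, window, block_ttl
  end

  def call(env)
    ip = client_ip(env)
    # A present key means "banned"; an absent key must let the request through.
    return blocked_response if @cache.read("block #{ip}")

    count = @cache.increment("count #{ip}", expires_in: @window)
    if count > @limit
      @cache.write("block #{ip}", true, expires_in: @block_ttl)
      return blocked_response
    end

    @app.call(env)
  end

  private

  # REMOTE_ADDR is what the app sees; behind CloudFront or a proxy you would
  # take the client IP from X-Forwarded-For only for trusted proxies.
  def client_ip(env)
    env["REMOTE_ADDR"]
  end

  def blocked_response
    [403, { "content-type" => "text/plain" }, ["Forbidden\n"]]
  end
end

# Drive the middleware with constructed requests; returns the status codes.
def run_requests(middleware, ips)
  ips.map { |ip| middleware.call("REMOTE_ADDR" => ip, "PATH_INFO" => "/").first }
end
```

The ban outlives the counting window on purpose: once an IP trips the limit it stays blocked for block_ttl seconds even though its counter expires, which is the same shape as the five-day manual ban in the post.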

It becomes tedious to keep analyzing the logs by hand, and it bloats the Rails app with security-related code. I want my Rails app to focus on application logic; the ideal solution is to use AWS Lambda with AWS WAF to ban IPs automatically. In this article, I will walk you through how I configured it by following the AWS webinar on YouTube, Setup Preconfigured Protections on AWS WAF.

AWS WAF

Go to Cloudformation

You will see the Create Stack screen

Go to AWS Tutorials page

Click on Deploy Solution

Right-click the Download the template link.

This CloudFormation template deploys the preconfigured protections, including a rule built from a list of known attacker IPs.

Copy the link address.

Paste it in the template URL text field

Click Next

Give a name for the stack

Accept the defaults for the protection list

Enter a bucket name for the access logs.

If it does not exist, it will be created for you.

Accept default values.

Click Next on all the screens until you reach this screen:

Tick the acknowledgement check box and click Create.

This will take you to the following screen.

It will take about 15 minutes for the stack to complete.

Go to WAF

Click on the link listed in the table.

You can see the Rules

Go to CloudFront

Select the CloudFront distribution used by your Rails app.

You will see this screen:

Click the AWS WAF Web ACL dropdown

Select the Web ACL you created earlier

Turn Logging on and provide the bucket for the logs in this screen:

Click the Yes, Edit button

You will see the following screen:

It will take some time for the distribution to redeploy. You can then view the logs to see which requests were allowed, and you are ready to customize this further with AWS Lambda. After a few hours you will see the difference in the log files and when you use the Rails app, since requests the WAF blocks never reach the origin and no longer consume your server's CPU. Note that the WAF only sees traffic that comes through CloudFront: anything sent directly to the origin's public IP bypasses it, so restrict the origin to CloudFront's address ranges or require a secret header set by CloudFront if you can.
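The rate-based solution deployed above works by having a Lambda function read the CloudFront access logs written to the S3 bucket, count requests per client IP in a time window, and add the IPs over the threshold to a WAF IP set. The following is an added example of that detection step, written in Ruby; it is not the AWS solution's Lambda code (which is Python) and does not talk to AWS. It parses the CloudFront standard log format, mapping columns by name from the #Fields: header, and flags IPs that exceed a hypothetical request limit per window, plus IPs that rack up 404s the way scanning tools do. The sample log is constructed and keeps only the first nine columns of the real header; the parser handles the full header the same way.

```ruby
require "time"

# Constructed sample of a CloudFront standard access log: tab-separated, with
# the #Version and #Fields header lines that real logs carry. Only the first
# nine columns are included; the parser maps columns by name, so a full
# header works unchanged.
SAMPLE_LOG = <<~LOG
  #Version: 1.0
  #Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status
  2016-08-01\t10:00:01\tIAD53\t1234\t203.0.113.9\tGET\td111.cloudfront.net\t/\t200
  2016-08-01\t10:00:01\tIAD53\t512\t203.0.113.9\tGET\td111.cloudfront.net\t/wp-login.php\t404
  2016-08-01\t10:00:02\tIAD53\t512\t203.0.113.9\tGET\td111.cloudfront.net\t/admin\t404
  2016-08-01\t10:00:03\tIAD53\t512\t203.0.113.9\tGET\td111.cloudfront.net\t/phpmyadmin\t404
  2016-08-01\t10:00:04\tIAD53\t512\t203.0.113.9\tGET\td111.cloudfront.net\t/.env\t404
  2016-08-01\t10:00:05\tIAD53\t512\t203.0.113.9\tGET\td111.cloudfront.net\t/xmlrpc.php\t404
  2016-08-01\t10:00:10\tIAD53\t9876\t198.51.100.7\tGET\td111.cloudfront.net\t/\t200
  2016-08-01\t10:00:11\tIAD53\t4321\t198.51.100.7\tGET\td111.cloudfront.net\t/assets/app.css\t200
  2016-08-01\t10:01:30\tIAD53\t9876\t192.0.2.5\tGET\td111.cloudfront.net\t/posts\t200
  2016-08-01\t10:01:31\tIAD53\t9876\t192.0.2.5\tGET\td111.cloudfront.net\t/posts\t200
LOG

Entry = Struct.new(:time, :ip, :status, :uri)

# Parse CloudFront log text into Entry records. Column positions are taken
# from the #Fields: header rather than hard-coded, because AWS appends new
# columns to the format over time.
def parse_cloudfront_log(text)
  fields = nil
  text.each_line.filter_map do |line|
    line = line.chomp
    if line.start_with?("#Fields:")
      fields = line.sub("#Fields:", "").split
      next
    end
    next if line.empty? || line.start_with?("#")
    raise "data row before #Fields header" unless fields

    row = fields.zip(line.split("\t")).to_h
    Entry.new(
      Time.parse("#{row['date']} #{row['time']} UTC"),
      row["c-ip"],
      row["sc-status"].to_i,
      row["cs-uri-stem"]
    )
  end
end

# IPs that made more than `limit` requests inside any fixed window of
# `window` seconds (the rate check the WAF solution's Lambda performs).
def ips_over_rate(entries, limit:, window: 60)
  counts = Hash.new(0)
  entries.each { |e| counts[[e.ip, e.time.to_i / window]] += 1 }
  counts.select { |_, n| n > limit }.map { |(ip, _), _| ip }.uniq.sort
end

# IPs that collected at least `min_404s` 404 responses: the signature of a
# scanner probing for admin panels and leaked config files.
def scanner_ips(entries, min_404s:)
  entries.select { |e| e.status == 404 }
         .group_by(&:ip)
         .select { |_, es| es.size >= min_404s }
         .keys.sort
end

if __FILE__ == $PROGRAM_NAME
  entries = parse_cloudfront_log(SAMPLE_LOG)
  puts "over rate: #{ips_over_rate(entries, limit: 4).join(', ')}"
  puts "scanners:  #{scanner_ips(entries, min_404s: 3).join(', ')}"
end
```

The two checks deliberately overlap: a fast scanner trips both, while a slow one that stays under the rate limit is still caught by its 404 count, which is the kind of rule the preconfigured protections let you add on top of the rate-based one.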

Watch this Article as Screencast

You can watch this as a screencast: Protect Your Rails Apps from Bots, Scrapers and DDoS Attacks
