Combine AWS WAF with reactive infrastructure to block attackers (and don't go broke in the process)

Paul SANTUS - Jan 5 - - Dev Community

AWS WAF is a really powerful security service, that will protect your internet-facing applications against the most aggressive attackers.

WAF is generally quite cost-effective. However, as I mentioned in the first blog post in this series, some advanced WAF rules, such as Account Theft Protection, are 1,000 times more expensive than basic rules.

Today, I'm excited to announce I just open-sourced the WAF-Ja3FingerPrint-Blacklist Terraform module that will help you combine AWS WAF with reactive infrastructure, so you can take the most of AWS advanced rules with not going broke.

How does the WAF-Ja3FingerPrint-Blacklist Terraform module work?

The basic idea behind the module is to detect when an expensive WAF rule, such as the ATP rule, has repeatedly blocked an attacker. When it has, we analyze the AWS WAF logs to extract the Ja3FingerPrint of blocked requests.

Architecture diagram of the solution

We then add the Ja3FingerPrint to a WAF rule group, that acts as a Black/block list and which you can add to your WAF ACL before the expensive rules, so that it takes over the traffic.

When the Ja3FingerPrint is added to the blacklist, it takes over the traffic

When their traffic gets blocked systematically, the attackers often stop attacking after a short while, because forging HTTP requests over TLS is quite expensive for them too!

The whole process is fully serverless and orchestrated via a Step Functions state machine and two Lambda functions

The Step Functions worklow

What is Ja3FingerPrint?

As the AWS Documentation explains:

The JA3 fingerprint is a 32-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client's TLS configuration

Even if the attack comes from multiple IP addresses (which is the case for DDoS attacks, or when the attacker uses this strategy to avoid rate-based rules), if they use the same technical stack, the requests will consistently have the same Ja3FingerPrint.

One important caveat: Ja3FingerPrint is not specific enough to be certain only 1 single user will get blocked. This is why the module applies the block only for a short period of time, on a fraction of labelled traffic, and will only block fingerprints that have been matched multiple times before.

How much does it save? and how much does it cost?

The cost is negligible! The Step Functions state machine does 6 state transitions; Lambdas run for 700ms and 1600ms, so blocking an attack will cost you $0.0035 if you ever reach the free tier.

In the above CloudWatch metrics diagram, the ATP rule would cost $1 every 2 minutes (~500 requests/min * $1/1000 requests). When the WAF-Ja3FingerPrint-Blacklist is on, you only have to sustain this effort for a few minutes (until the WAF logs are ingested and available) before the blocklist kicks in!

By implementing reactive infrastructure, i.e. the dynamic reconfiguration of the Rule Group based on actual traffic forensics, you don't have to pray that the attacker stops dropping requests on your app before your budget is exhausted. Instead, you enhance your response to attacks in a cost-effective way!

I hope this helps you keep your apps secure!

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .