ddos

AWS WAF automations

02-09-2019

A friend of mine suggested that I should write something about AWS WAF security automations. This is mentioned in the Use AWS WAF to Mitigate OWASP’s Top 10 Web Application Vulnerabilities whitepaper and there are plenty of materials about this solution on the net. So I thought, instead of writing about what it is / how to set it up, let have some funs ddos my own site and actually see how it works.

I’m going to try to break my site with 3 different methods.

1. http flood attack

My weapon of choice is PyFlooder.

After about 5000 requests, the lambda function started to kick in and blocked my access to the side. I can also see my ip has been blocked on WAF http flood rule.

I then removed the ip from the blocked list and onto the next attack.

2. XSS

Next up is XSS, input a simple <script> tag on to the uri and I got 403 error straight away.

3. Badbot

For this method I used scrapy. Wrote a short spider script to crawl my site, targeting the honeypot url.

1
2
3
4
5
6
7
8
9
import scrapy
class mySpider(scrapy.Spider):
    name='td-1'
    start_urls = ['https://blog.tdinvoke.net']
    def parse(self, response):
        for url in response.css('a::attr("href")'):
            yield {'url': url.extract()}
        for next_page in response.css('a[rel="nofollow"]::attr("href")'):
            yield response.follow(next_page.extract(), self.parse)

Release the spider!!!!

and got the 403 error as expected.

Issues encountered/thoughts:

  • Setting up the bot wasn’t easy as I expected, but I learnt a lot about scrapy.

  • I accidentally/unknowingly deleted the badbot ip list from the badbot rule. Only found out about the silly mistake by going through the whole pipeline (api gateway -> lambda -> waf ip list -> waf rule) to troubleshoot the issue.

  • PyFlooder is not compatible with windows os. Had to spin up a ubuntu vm to run it.

  • Learnt how to add file to source for Hexo. Not complicated at all, just chuck the file into /source folder. Do not use the hexo-generator-robotstxt plugin, I almost broken my site because of it.

  • Overall this was an interesting exercise - breaking is always more fun than building!

© 2024 tdinvoke