WAFs -v- Endpoint Plugins

I’ve been reading some misleading articles on the subject of Endpoint vs Cloud Security, most notably this from Wordfence . Ironically I have used Wordfence a lot, their free plugin is often my first choice as a recommendation for someone with a $10 a month hosting account that doesn’t want to spend an equal amount on security, it does a great job at protecting most sites from the most common brute force attacks and blocking vulnerability scanners. Godaddy actually pre-install a similar but lightweight (no bloatware) plugin, Limit Login Attempts on all new installations of WordPress, great for purpose.

But this latest post of theirs, discussing bypassing, is disingenuous in the extreme, we all know that’s easily mitigated and is actually quite rare to even see it. “Security” plugin vendors only like to talk about Layer 7 ddos attacks, which is obvious as that is the niche they have carved out for themselves and they really don’t handle them at all well which is quite ironic. And they offer zero answers for layer 3/4 attacks and again rely on the host, Where as a WAF (Website Application Firewall) such as Sucuri’s sucks it all up (L7 & 3/4) for you, often with clients never knowing anything about it. While relying on a “security” plugin alone, your host could be taking you offline or charging you for extra bandwidth.

You have to remember that any “security” plugin is using your sites precious resources for any of their filtering and mitigation, sometimes slowing the site down during regular browsing, which should be a worry for anyone concerned with SEO as Google, prefers faster sites.

But just so I had some evidence to back this up, I ran some tests, setting up 2 Ubuntu 16.04 servers at DigitalOcean with private networking enabled, one with a default install of WordPress, the Genesis theme and no other plugins and the other an attack platform with wrk installed, easily setup and run:

apt-get update
apt-get install git
apt-get install make
apt-get install gcc
apt-get install luajit
git clone https://github.com/wg/wrk.git
cd wrk
make ./scripts/WITH_LUAJIT=/usr ./scripts/WITH_OPENSSL=/usr
./wrk -t32 -c100 -d30s http://10.128.26.XX

Emulating a classic DDoS attack, here is how the attacks played out, rebooting between each attack, firstly before the attack was launched, I am showing 654260 available memory.

victim-no-load

Firstly I tried an attack by blocking all but Sucuri’s IPs using UFW (my prefered method), the attack had zero effect on the victim, available memory stayed the same, wrk just gave up, Then I tried again under load with Sucuri Firewall’s bypass prevention code added to the .htaccess,

<FilesMatch ".*">
 Order deny,allow
 Deny from all
 Allow from 192.88.134.0/23
 Allow from 185.93.228.0/22
 Allow from 2a02:fe80::/29
 Allow from 66.248.200.0/22
</FilesMatch>

in it’s simplicity it’s most peoples prefered option to prevent bypass and works in nearly all situations, unlike UFW/IPTables which wont. It wasn’t pretty, but the site stayed up, with available memory dropping to 561380, whilst serving 129279 403 block messages in 30 seconds.

victim-load-with-bypass-prevention

Then I removed the bypass prevention codes and hit the site with WordFence only in it’s default installation, and crashed the site in the first few seconds, responding to only 29 requests, before server timeout errors were served. With available memory dropping to 114228. notice also how the database is being effected, unlike where the bypass prevention codes were used.

victim-load-with-wordfence

I did run an attack head on at the site while it was behind the Sucuri firewall, the website didn’t see a thing, after a few 403 errors were served by the firewall, the IDS kicked in, and the victim would never have noticed. I also ran an attack against the “naked” site, this went down in 4 seconds.

For fun I attacked the WordFence alone protected site, but increased the time to 120 seconds, mySQL needed restarting to recover site function.

This was not a real DDoS attack of course, I only launched a single application from a single server, but a very good replication of one, it was crippling against Wordfence, as if it wasn’t even installed, it even behaved slightly worse than the naked site, while their suggestion is to pass that mitigation onto the host works, they do charge for that as an additional service, and in many cases just shut your site down due to excess resource usage, that would be the case for any hosting less than $30 a month.

I’d suggest that Wordfence have no understanding of the concept of defence in depth, and rather than complementing a real firewall, they are trying to make out that their plugin is the answer to all your WordPress security concerns, which it just is not, Daniel Cid, CTO of Sucuri discusses this dangerous marketing method.

Disclaimer, I do work for Sucuri as the Sucuri Firewall support team lead.

Reinventing the Web

Tim Berners-Lee
Tim Berners-Lee

We’ve seen some successful technical “reinventions” of the Web such as HTTPS/2 and HTML5 making sites faster and more responsive, but this “Web’s Creator Looks to Reinvent It” initiative is not new, but I will come to that later.

There are a number of issues that have concerned many people, not just in the IT Security industry, but many regular internet users.

Snowden’s leaks, whatever you may think of the rights and wrongs of him making these disclosures, the lengths government agencies go to snoop are a concern to anyone that understands them.

Facebook have been accused of meddling in US elections and Google has been caught out manipulating Brexit searches. There are many other cases, promises that they are not, it’s too complex to understand etc.. But really do you belive them, maybe you don’t care.

Google does have many alternatives, a couple are duckduckgo.com which addresses the bias and startpage.com which address the privacy issues, but neither have picked up many users, maybe if the close to half of English users who support leaving the EU were aware there was an alternative un-biased search engine they would use it. I tend to use Google a lot, as I use a lot of tools that they only have (Dorks etc.), But I am sure that is not the case of the loyalty shown by the majority of users, I think just familiarity and lack of knowledge of an alternative.

Facebook, now that’s an interesting one, they really have a monopoly in the Western world, there were a few competitors in the early days, but they are all gone now. Facebook has become a huge part of peoples lives, I default to skype if needing to contact friends or family, but there are some who will only respond to Facebook messenger contact.

There have been a number of open source alternatives, and to reinvent the Web as Tim Berners-Lee suggests an open source alternative to Facebook is what would be needed. The most upto date and vibrant alternative is the diaspora project, much of the initial funding came from Mark Zuckerberg (Facebook founder). It works, I have set up a few diaspora servers myself, but it is impossible now to unhook a large enough proportion of the population from Facebook, and get their involvement in anything else now, it is the nature of social networking.

Put it another way, not one of the top ten celebrities on facebook have a diaspora* account. I bet none in the top 100, but it would take me too long to confirm that.

I suspect that this very well meaning group of the technically able can create alternatives, but they do not have the ability to get people to switch over?

Enabling HSTS

HTTP Strict Transport Security is a very simple to deploy addition to HTTPS, it doesn’t enforce SSL itself but it uses pre-populated lists such as Google’s here.  Allowing clients browsers to check against, simply that the site only delivers content over https://, with no exceptions, this ensures that Man in the Middle attacks are not possible. While the only possible vulnerability this site would have had for an MitM attack would be on the contact me page, it’s nice to see the shiny A+ compared to my old banks B rating.

ssllaps-hsts

for me it’s just an exercise and vanity, but as you can see it will be nice when the banks follow suit, as they are mostly really insecure (don’t online bank on public WiFi, really don’t do it till they start employing HSTS and stop using insecure cyphers).

The steps to enable HSTS for Apache

Enable Headers and restart Apache:

$ sudo a2enmod headers
$ sudo service apache2 restart

Make sure the site is serving all content over https / port 443, either in your vhost config with something like:

<VirtualHost *:80>
 ServerName yourdomain.com
 Redirect permanent / https://yourdomain.com/
</VirtualHost>

or adding this to your .htaccess:

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://yourdomain.com/$1 [R=301,L]

Check for any mixed content issues (insecure stuff loading in your now secure page), this tester will point you in the right direction.

And again in the .htaccess, add the required header itself.

<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
</IfModule>

15552000 is about 6 months in seconds, and satisfies the ssllabs tests, lower will work for Google, even as low as 6 weeks, but as enabling  HSTS is difficult to reverse, it will make little difference and you might as well earn an A+ rating.

Run a test at https://www.ssllabs.com/ssltest/analyze.html and check near the bottom for:

Strict Transport Security (HSTS) Yes
 max-age=15552000; includeSubDomains; preload

If you see that, all is good, add your domain to be included in the Google Chrome’s HSTS preload list here https://hstspreload.appspot.com/

All the other browsers “feed” from the centralised list, as of today I’ve not been added, there is no reason I won’t be.

CISSP PMP