CN112671698A - Method for preventing WAF from being bypassed in public cloud environment - Google Patents


Info

Publication number
CN112671698A
Authority
CN
China
Prior art keywords
waf
server
address
public cloud
cloud environment
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010825802.1A
Other languages
Chinese (zh)
Inventor
张�浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Unicloud Technology Co Ltd
Original Assignee
Unicloud Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2020-08-17
Filing date
2020-08-17
Publication date
2021-04-16
2020-08-17 Application filed by Unicloud Technology Co Ltd
2020-08-17 Priority to CN202010825802.1A
2021-04-16 Publication of CN112671698A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a method for preventing a WAF from being bypassed in a public cloud environment, comprising the following steps: S1, an administrator adds the server's address IP1 at the WAF end and the WAF's address IP2 at the server end, and a connection is established between IP2 and IP1; S2, every interval t the WAF system obtains the current total number of sessions m, derives a value n from m, and sends n to the server; S3, the server end adds n to IP2 to obtain IP3, and the WAF end adds n to IP2 to obtain IP4; S4, the WAF system at the WAF end adds the field x-forward-for: IP4 to the HTTP header; S5, at the server, the system extracts the IP4 address from the x-forward-for field, uses IP4 and IP3 to decide whether to respond to the corresponding client request, and steps S2 to S5 are repeated. The method can effectively prevent an attacker from bypassing the WAF by accessing the IP address of the target site directly in order to attack it.

Description

Method for preventing WAF from being bypassed in public cloud environment
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a method for preventing WAF from being bypassed in a public cloud environment.
Background
A WAF (Web Application Firewall) is a system that protects Web applications specifically by enforcing a set of security policies on HTTP/HTTPS traffic.
In the existing topology, traffic from a user accessing the target site www.test.com is first resolved by the DNS server to a WAF cluster; the WAF cluster inspects the traffic, and traffic judged not to be an attack request is forwarded to the target site, which is how the WAF protects the target site.
However, an attacker often obtains the IP address of the target site directly through various channels and methods, and then bypasses the WAF by accessing the target site directly, thereby attacking the target site.
Disclosure of Invention
In view of this, the present invention aims to provide a method for preventing a WAF from being bypassed in a public cloud environment, so as to solve the problem that an attacker obtains the IP address of a target site directly through various channels and methods and then bypasses the WAF to access the target site directly, thereby attacking it.
To achieve this purpose, the technical solution of the invention is realized as follows:
A method of preventing WAF bypassing in a public cloud environment, comprising the steps of:
S1, an administrator adds the server's address IP1 at the WAF end and the WAF's address IP2 at the server end, and a connection is established between IP2 and IP1;
S2, every interval t the WAF system obtains the current total number of sessions m, derives a value n from m, and sends n to the server;
S3, the server end adds n to IP2 to obtain IP3, and the WAF end adds n to IP2 to obtain IP4;
S4, the WAF system at the WAF end adds the field x-forward-for: IP4 to the HTTP header;
S5, at the server, the system extracts the IP4 address from the x-forward-for field, uses IP4 and IP3 to decide whether to respond to the corresponding client request, and steps S2 to S5 are repeated.
Further, the value n in step S2 is obtained as follows: the tens and units digits of m are taken; any missing units or tens digit is replaced by 0.
Further, IP3 and IP4 in step S3 are obtained by the same process: each of the four octets of IP2 is incremented by n.
Further, the determination in step S5 proceeds as follows: the system first extracts the IP4 address from the x-forward-for field of the message; if IP4 equals IP3, the server responds normally to the client request; if IP4 does not equal IP3, or no x-forward-for field can be extracted, the request traffic is judged to be attack traffic bypassing the WAF, and the server discards it directly without processing.
Compared with the prior art, the method for preventing the WAF from being bypassed in a public cloud environment has the following advantages:
the WAF system periodically obtains the last two digits of the total number of sessions, calculates the value of the x-forward-for field from them, and at the same time negotiates this information with the specified target site through configuration entered manually by an administrator; the server side computes and negotiates the IP address in the same way, and extracts and compares the x-forward-for field value of each HTTP message to judge whether the request traffic is attack traffic bypassing the WAF; the method can effectively prevent an attacker from bypassing the WAF by accessing the IP address of the target site directly in order to attack it.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate an embodiment of the invention and, together with the description, serve to explain the invention and not to limit the invention. In the drawings:
fig. 1 is a schematic diagram of a typical deployment mode of a WAF in a public cloud environment according to an embodiment of the present invention;
fig. 2 is a schematic diagram of bypassing the WAF to directly access the target site according to the embodiment of the present invention;
fig. 3 is code for implementing a method for preventing a WAF from being bypassed in a public cloud environment according to an embodiment of the present invention.
Detailed Description
It should be noted that the embodiments and features of the embodiments may be combined with each other without conflict.
In the description of the present invention, it is to be understood that the terms "center", "longitudinal", "lateral", "up", "down", "front", "back", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", and the like, indicate orientations or positional relationships based on those shown in the drawings, and are used only for convenience in describing the present invention and for simplicity in description, and do not indicate or imply that the referenced devices or elements must have a particular orientation, be constructed and operated in a particular orientation, and thus, are not to be construed as limiting the present invention. Furthermore, the terms "first", "second", etc. are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first," "second," etc. may explicitly or implicitly include one or more of that feature. In the description of the present invention, "a plurality" means two or more unless otherwise specified.
In the description of the present invention, it should be noted that, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meaning of the above terms in the present invention can be understood by those of ordinary skill in the art through specific situations.
The present invention is described in detail below by way of embodiments, with reference to the accompanying drawings.
A method of preventing WAF bypassing in a public cloud environment, comprising the steps of:
S1, an administrator adds the server's address IP1 at the WAF end and the WAF's address IP2 at the server end, and a connection is established between IP2 and IP1;
S2, every interval t the WAF system obtains the current total number of sessions m, derives a value n from m, and sends n to the server;
S3, the server end adds n to IP2 to obtain IP3, and the WAF end adds n to IP2 to obtain IP4;
S4, the WAF system at the WAF end adds the field x-forward-for: IP4 to the HTTP header;
S5, at the server, the system extracts the IP4 address from the x-forward-for field, uses IP4 and IP3 to decide whether to respond to the corresponding client request, and steps S2 to S5 are repeated.
The value n in step S2 is obtained as follows: the tens and units digits of m are taken; any missing units or tens digit is replaced by 0.
IP3 and IP4 in step S3 are obtained by the same process: each of the four octets of IP2 is incremented by n.
The determination in step S5 proceeds as follows: the system first extracts the IP4 address from the x-forward-for field of the message; if IP4 equals IP3, the server responds normally to the client request; if IP4 does not equal IP3, or no x-forward-for field can be extracted, the request traffic is judged to be attack traffic bypassing the WAF, and the server discards it directly without processing.
The specific process is as follows:
1. The administrator manually adds and configures, at the WAF end, the IP address IP1 of the target site server that needs protection;
2. The administrator manually adds, at the target site (server) end, the address IP2 of the configured WAF;
3. After configuration is complete, the protection switch of the WAF is turned on, and the WAF then actively completes a TCP three-way handshake with IP1 (the handshake establishes a connection between the WAF's IP and the server's IP; the TCP three-way handshake is a conventional technique in the art and is not described in detail here);
4. Every interval t, the WAF system obtains the current total number of sessions m and takes the tens and units digits of m to obtain n (a missing digit is filled with 0); for example, if m = 123 then n = 23; if m = 3 then n = 03;
5. After obtaining the value of n, the WAF also sends n to the target site server end;
6. The WAF system adds n to each of the four octets of its own address IP2 to obtain IP4; for example, if the IP address of the WAF system is 1.1.1.1 and n is 11, then IP4 is 12.12.12.12 (note: each octet has a maximum value of 253; any value greater than 253 is calculated as 253);
7. As in step 6, the target site (server) end also calculates IP3 with the same algorithm, from the n value received from the WAF and the WAF address IP2 configured in step 2, so that IP3 equals IP4 (note: the server end performs this step only if the administrator has added the WAF IP address in step 2; otherwise the step is not processed);
8. At the WAF end, the WAF system adds the field x-forward-for: IP4 to the HTTP header of all HTTP traffic it sends to the server end;
9. At the target site (server) end, every received HTTP message is processed by the system: the IP address in the message's x-forward-for field is extracted first; if the extracted IP address equals IP3, the traffic is judged not to be attack traffic and the target site (server) end responds normally to the client's request; if the extracted IP address does not equal IP3, or no x-forward-for field can be extracted, the request traffic is judged to be attack traffic bypassing the WAF, and the target site (server) end discards it directly without processing;
10. Every interval t, the WAF system obtains the current total number of sessions m again, and steps 4 to 9 are repeated.
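The ten-step procedure above (and the same method as stated in the Disclosure section), as an added Python model that is not part of the patent: the names derive_n, derive_tag_ip, WafEnd and ServerEnd and the addresses used are assumptions, and the header is spelled x-forward-for exactly as the page spells it.

```python
# Added example (not from the patent): a minimal model of the WAF-side tagging and the
# server-side check in steps 1-10. Function, class and address names are assumptions.
from typing import Dict, Optional

OCTET_CAP = 253  # the page caps every octet of the derived address at 253


def derive_n(m: int) -> int:
    """Step 4: n is the tens and units digits of the session count m.
    m = 123 -> 23; m = 3 -> 3 (the page writes this as 03; numerically the same)."""
    if m < 0:
        raise ValueError("session count must be non-negative")
    return m % 100


def derive_tag_ip(ip2: str, n: int) -> str:
    """Steps 6/7: add n to each of the four octets of IP2, capping each at 253.
    WAF and server run the same function, so IP4 == IP3 whenever both hold the same n."""
    octets = [int(o) for o in ip2.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip2!r}")
    return ".".join(str(min(o + n, OCTET_CAP)) for o in octets)


class WafEnd:
    """WAF side: holds its own address IP2 and the protected server address IP1 (step 1)."""

    def __init__(self, ip2: str, ip1: str) -> None:
        self.ip2, self.ip1 = ip2, ip1
        self.n: Optional[int] = None

    def tick(self, session_count: int) -> int:
        """Steps 4-5: every t, recompute n from the session count; the caller sends it to IP1."""
        self.n = derive_n(session_count)
        return self.n

    def forward(self, headers: Dict[str, str]) -> Dict[str, str]:
        """Step 8: stamp IP4 into the x-forward-for header of every request sent to the server."""
        if self.n is None:
            raise RuntimeError("tick() must run before traffic is forwarded")
        tagged = dict(headers)
        tagged["x-forward-for"] = derive_tag_ip(self.ip2, self.n)
        return tagged


class ServerEnd:
    """Server side: knows the WAF address IP2 only if the administrator configured it (step 2)."""

    def __init__(self, ip2: Optional[str]) -> None:
        self.ip2 = ip2
        self.ip3: Optional[str] = None

    def receive_n(self, n: int) -> None:
        """Step 7: compute IP3 from the received n; skipped when IP2 was never configured."""
        if self.ip2 is not None:
            self.ip3 = derive_tag_ip(self.ip2, n)

    def accept(self, headers: Dict[str, str]) -> bool:
        """Step 9: respond only if the header is present and equals IP3; otherwise drop."""
        tag = next((v for k, v in headers.items() if k.lower() == "x-forward-for"), None)
        return self.ip3 is not None and tag == self.ip3


if __name__ == "__main__":
    waf, srv = WafEnd("1.1.1.1", "10.0.0.5"), ServerEnd("1.1.1.1")  # constructed addresses
    srv.receive_n(waf.tick(111))                       # n = 11 -> IP3 = IP4 = 12.12.12.12
    print(srv.accept(waf.forward({"Host": "www.test.com"})))  # True: request came via the WAF
    print(srv.accept({"Host": "www.test.com"}))               # False: direct access, no tag
```

Since n ranges over 0..99, the tag takes at most 100 distinct values per IP2, so the comparison in step 9 is a pairing check between the configured WAF and server rather than a shared secret, and a request that arrives between the WAF's tick and the server's receipt of the new n is dropped until both sides hold the same n.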
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (4)

1. A method for preventing WAF bypassing in a public cloud environment, comprising the steps of:
S1, an administrator adds the server's address IP1 at the WAF end and the WAF's address IP2 at the server end, and a connection is established between IP2 and IP1;
S2, every interval t the WAF system obtains the current total number of sessions m, derives a value n from m, and sends n to the server;
S3, the server end adds n to IP2 to obtain IP3, and the WAF end adds n to IP2 to obtain IP4;
S4, the WAF system at the WAF end adds the field x-forward-for: IP4 to the HTTP header;
S5, at the server, the system extracts the IP4 address from the x-forward-for field, uses IP4 and IP3 to decide whether to respond to the corresponding client request, and steps S2 to S5 are repeated.
2. The method for preventing WAF bypassing in a public cloud environment according to claim 1, characterized in that the value n in step S2 is obtained as follows: the tens and units digits of m are taken; any missing units or tens digit is replaced by 0.
3. The method for preventing WAF bypassing in a public cloud environment according to claim 1, characterized in that IP3 and IP4 in step S3 are obtained by the same process: each of the four octets of IP2 is incremented by n.
4. The method for preventing WAF bypassing in a public cloud environment according to claim 1, characterized in that the determination in step S5 proceeds as follows: the system first extracts the IP4 address from the x-forward-for field of the message; if IP4 equals IP3, the server responds normally to the client request; if IP4 does not equal IP3, or no x-forward-for field can be extracted, the request traffic is judged to be attack traffic bypassing the WAF, and the server discards it directly without processing.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010825802.1A CN112671698A (en) 2020-08-17 2020-08-17 Method for preventing WAF from being bypassed in public cloud environment

Publications (1)

Publication Number Publication Date
CN112671698A true CN112671698A (en) 2021-04-16

Family

ID=75403201

Country Status (1)

Country Link
CN (1) CN112671698A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150341383A1 (en) * 2014-05-23 2015-11-26 Citrix Systems, Inc. Protect applications from session stealing/hijacking attacks by tracking and blocking anomalies in end point characteristics throughout a user session
US20170264632A1 (en) * 2014-09-11 2017-09-14 Samuel Geoffrey Pickles A telecommunications defence system
CN107948150A (en) * 2017-11-22 2018-04-20 新华三技术有限公司 (New H3C Technologies Co., Ltd.) Message forwarding method and device
CN108028835A (en) * 2015-09-10 2018-05-11 阿尔卡特朗讯 (Alcatel-Lucent) Automatic configuration server and method
CN110166570A (en) * 2019-06-04 2019-08-23 杭州迪普科技股份有限公司 (Hangzhou DPtech Technologies Co., Ltd.) Service session management method and device, and electronic equipment
CN110505235A (en) * 2019-09-02 2019-11-26 四川长虹电器股份有限公司 (Sichuan Changhong Electric Co., Ltd.) Detection system and method for malicious requests that bypass a cloud WAF

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李治城 (Li Zhicheng): "Causes of and protection against the vulnerability of forging the client IP with X-Forwarded-For", 《电子技术与软件工程》 (Electronic Technology & Software Engineering) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20210416)