Hackers love your vulnerable websites!

Posted by

There is a saying or cliché commonly shared among technical security teams: it’s not a case of IF you’ll get attacked, its WHEN.

I decided to test this theory with what’s called a “honeypot”. This is a program, site or piece of code deployed with the deliberate intention of it being hit by the bad guys.

I simply exposed a webserver with some simple web forms running on a public IP address with an SSL cert to the internet, to see what sort of traffic it attracted.

However, it wasn’t just ANY old IP address. This IP address was owned by a Citrix ADC. I bound a WAF policy to it in non-blocking mode, just to identify what sort of traffic I’d see.

I also created some IP-reputation policies and bound these to examine the reputation of IP addresses that hit the public site.

Lastly, I deployed Citrix ADM, pointed it at the ADC, and turned on Analytics.

It was only live for a few hours, and here are some of the results:

IP reputation from Citrix ADM

If I want more information on the IP addresses that have been captured here, I can head along to our Security Partner Webroot, whose IP reputation database is utilised on the appliance, and I can search for that IP address there.

Checking the WAF policies we can see multiple infractions. The startURLs are a false positive in this case as this is shows violations of a whitelist of allowed URLs. No startURL config was done, so it would see every inbound request as an attack. However we see field consistency, SQL Injection, and Cross Site Request forgery attacks a-plenty! Citrix Web Application Firewall has the ability to block all the usual web attacks, and is also fluent in XML and JSON, so it can be used to protect API gateways too.

So, if you have a Citrix ADC premium edition appliance, ( or Citrix SDX platform) , you have the tools right now to prevent any of this traffic from getting past your ADC.
Currently the requests land on the webserver, where, if there was an app or platform that I cared about, they could be impacted. To capture the above information, I’ve created a WAF profile, a WAF policy, and bound it to the Load Balanced Vserver on ADC. By simply ticking the “block” box in the profile, none of those requests will make it through to the web server that is now protected by the Citrix Web Application Firewall (WAF).

There’s one more thing I can do – I can ensure all of the undesireables on the internet cannot reach my webserver or application. I’ve a few options.

  1. I can silently drop their requests, meaning their script will just time out.
  2. I can reset the connection, which is a slammed door – they’ll know I’m onto them.
  3. I could return some vague error message, and log the details. Not a bad option to start, just in case you find some legitimate traffic there.
Responder Policy using IP Reputation expression to Drop requests from baddies.

So – that’s how easy it is to lock down your web applications and improve the security of your web content being accessed through an ADC. Remember – ADC is available in all your favourite public clouds of choice.

In the most recent release, there is a whole new suite of security features designed to manage how bots interact with your websites. There are some good bots ( e.g. google crawlers etc) but LOTS of bad bots – and keeping them out of your site is in your best interest!

Lastly.. if you want to know more about how to configure the Web Application Firewall, Northern European SEs are running a series of events in March 2020 where we’ll walk you through a hands on lab. This is a free event for our customers. Find an event close to you, and sign up here:
https://www.citrixnetworkinglive.com/event/

One comment

Leave a Reply to Paul Hermsen Cancel reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.