A peek into the WEDOS Global Protection administration


The first service we will launch on our global WEDOS Global network will be WEDOS Global Protection. It has an important task – to protect all our customers’ websites from various types of attacks and our infrastructure at the same time. Over time, we will make the WEDOS Global Protection administration available to everyone so that they can adjust the protection settings to their liking.

What is WEDOS Global Protection

Simply put, WEDOS Global Protection acts as a reverse proxy behind which your website is hidden from the world. You point the domain to our DNS, and at that point the attackers can get no further than the nearest WEDOS Global Protection reverse proxy, of which there will be dozens around the world. It becomes the intermediary for communication between the global Internet network and the server where you have your data.

WEDOS Global Protection includes:

  • Our SYN filter with a giant list of problematic IP addresses from which only attacks come.
    • IP addresses of the compromised devices from which the attacks originate, detected by third parties (paid blacklists).
    • IP addresses from which we detect attacks (our own).
    • IP addresses from which problematic traffic is coming, but may not mean an attack (we restrict as needed).
  • DDoS protection
    • Protection against network layer attacks (layer 3) – IP/ICMP
    • Protection against transport layer attacks (layer 4) – TCP/UDP (including SYN-ACK)
  • Web protection at the application layer (layer 7)
    • Custom IP blacklists.
    • Filter by country.
    • Different options to stop attacks.

WEDOS Global Protection protects your website from attacks, but also prevents the attacker from knowing where your server is physically located. You can also disguise where you are hosting, which has other advantages.

For NoLimit, NoLimit Extra, LowCost, WebSite and WMS services, we will discard all traffic that does not go through WEDOS Global Protection. This will ensure that attackers can’t bypass the protection.

In addition, WEDOS Global Protection will run on all WEDOS Global points. We are doing everything we can to secure 30 points worldwide by the end of the spring. Read more in the article Building WEDOS Global – First infrastructure sites agreed. This is a BGP Anycast, so the IP addresses of the reverse proxies are spread all over the world and everyone connects to whichever one is closest.

WEDOS Global Protection Administration

The administration of WEDOS Global Protection will be separate from our customer administration. We could afford to try to create everything from scratch. We will gradually collect feedback, also for future improvements of our customer administration.

The WEDOS Global Protection administration is built from the start with mobile phone use in mind. In the event of an attack, the customer must be able to react as soon as possible, even if he or she is not at the computer.

You will be taken to the Overview page immediately after logging in. There is nothing on it yet. It will serve as a bulletin board where, in addition to important events and alerts, there will also be statistics. For the time being, we are collecting this data outside and working with it to tune the service as a whole.

The next page you will probably visit is Domains. Here you will find a list of domains that are in the system. As you can see in the screenshot below, we are slowly starting to add all domains where our customers have websites. This is a lengthy process and we are taking it one step at a time, as certificates must be generated to ensure encrypted communication.

From this page, you can navigate to a specific domain profile. In the future it will be dominated mainly by statistics. You will also find quick actions such as Delete Cache. Even caching is one way to defend against attacks.

Let’s move on to the Blacklist. This is basic protection. If you find someone doing mischief on your site, you can block their IP address or their entire range. At the same time, you can put an exception for a specific IP address on the range.
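A range block with an exception for a single address inside it needs a clear precedence rule. The sketch below is an added example, not WEDOS code: the rule lists use documentation address ranges, and the "most specific rule wins, exception wins a tie" policy is an assumption about how such a blacklist could be evaluated.

```python
import ipaddress

# Constructed sample rules (documentation address ranges, not real WEDOS data).
BLOCKED = ["203.0.113.0/24", "198.51.100.7", "2001:db8:bad::/48"]
EXCEPTIONS = ["203.0.113.42", "2001:db8:bad:1::/64"]


def _parse(entries):
    # strict=False accepts entries with host bits set, e.g. "203.0.113.5/24".
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def _most_specific(addr, networks):
    """Prefix length of the longest matching network, or -1 if none match."""
    hits = [n.prefixlen for n in networks
            if n.version == addr.version and addr in n]
    return max(hits, default=-1)


def is_blocked(client_ip, blocked=BLOCKED, exceptions=EXCEPTIONS):
    """Assumed policy: the most specific matching rule wins, and an
    exception wins a tie against a block of the same prefix length."""
    addr = ipaddress.ip_address(client_ip)
    block_len = _most_specific(addr, _parse(blocked))
    allow_len = _most_specific(addr, _parse(exceptions))
    return block_len > allow_len
```

Evaluating exceptions by specificity rather than by list order means a later, wider block cannot silently override an earlier single-address exception.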

Next is GeoIP. This has long been the most popular and most used feature of our protections. You can influence access to your site by country. Each country is assigned certain ranges of IP addresses, and you can disable them all with one click. You can select a specific country or an entire continent.

In addition to preventing attacks from specific countries, you can also restrict traffic you are not interested in. We have a number of clients who have a website or software on VPS for a limited circle of friends and acquaintances. For example, game servers, communication software (TeamSpeak), corporate systems, etc.

The next item on the menu is Captcha, the strongest defence against bots. You can use it to protect your site from the whole world or from selected countries, ranges, etc. You will be able to set whether the captcha is case-sensitive and how long it is. Many bots are put off by having to fill in anything, so why bother the user with a long captcha.

Attacks can also be carried out very effectively from a browser. On the first attempt, a human can fill in the captcha and then switch to automation. Therefore, it is possible to set the length of time cookies are held before the captcha needs to be filled in again. This avoids attacks where an attacker would fill out the captcha once and leave the computer running all night.

The captcha page currently looks like this. It’s the only one we use. In the future, however, we plan that customers could make their own in WEDOS WebSite. This would also be used for cookie + redirect.

Cookie and redirect is a simple protection that can stop most bots. Unlike a captcha, it doesn’t require the user to do anything other than wait a few seconds, specifically until a cookie is stored in the browser and a redirect via JavaScript occurs. The vast majority of robots can’t do that.

Of course, we also expect that you may encounter a user who has disabled all cookies or even JavaScript for security reasons. You can redirect these to a static page, for example.

As with other protections, you can specify exceptions for different IP addresses and ranges.
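The cookie lifetime described for the captcha and the cookie set by cookie + redirect can both be modelled as a signed, expiring clearance token. This is an added example, not WEDOS code: the token format, the binding to the client IP address, the key and the lifetime are all assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # placeholder key, constructed for the example
COOKIE_TTL = 3600                  # assumed lifetime in seconds


def _sign(client_ip, expiry, key):
    # The signature covers the address and the expiry, so neither can be edited.
    msg = f"{client_ip}|{expiry}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def issue_cookie(client_ip, now=None, ttl=COOKIE_TTL, key=SECRET):
    """Build 'expiry.signature' once the visitor has passed the challenge."""
    expiry = int(now if now is not None else time.time()) + ttl
    return f"{expiry}.{_sign(client_ip, expiry, key)}"


def check_cookie(cookie, client_ip, now=None, key=SECRET):
    """Return 'pass', or the reason the visitor must be challenged again."""
    now = int(now if now is not None else time.time())
    try:
        expiry_text, sig = cookie.split(".", 1)
        expiry = int(expiry_text)
    except (AttributeError, ValueError):
        return "challenge:malformed"
    expected = _sign(client_ip, expiry, key)
    # Constant-time comparison; verify the signature before trusting the expiry.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "challenge:bad-signature"
    if now >= expiry:
        return "challenge:expired"
    return "pass"
```

Because the expiry is inside the signed data, a visitor who solved the challenge once cannot extend the cookie by editing it, and an automated session left running has to pass the challenge again when the lifetime ends.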

Protection by caching files on the proxy server has proven to be very effective against some types of attacks. For example, attempts to attack non-existent files that the content management system cannot cache or has not yet cached. We have also successfully tested it for web attacks, against so-called disinformation websites. Websites that have nothing to do with Russia have often been on attack lists.

One of the main advantages of a reverse proxy is that it can also be used to spread the load or replace the target server in case of failure. This function is hidden in the menu under Destination IP addresses.

So you can also use WEDOS Global Protection to spread the load across multiple servers and/or define a backup. You can have your website with multiple hosting companies or in multiple copies.

Conclusion

As you can see, we’ve really moved forward with the service and it can already do quite a bit. It successfully protects websites from various types of attacks, so their operators can go about their business in peace.

A light sample of traffic on about fifty protected sites in the last hour.

But this is just the beginning. The next extension will be based on data collection and evaluation. For example, we plan to develop a filtering rules package for WordPress, a filter to prevent downloads (blocking calls to all potentially downloadable files), a filter for bots that snoop and collect marketing data, etc. You will be able to turn everything on, or adjust exceptions.

And the best part is that we are planning a free version for personal websites. There won’t be that much to set up, but it will be very efficient from the start, comparable to paid ones from competitors.

Another advantage is that we have experience in protecting European websites. The best protections based on a similar principle are from US companies, which are not so keen on the European market. It’s evident from what gets through to our customers, even though their sites are protected. We already have more data and more experience on this. After all, we have been protecting services and infrastructure since 2013.

And of course there is the problem of legislation. The EU has stricter data protection rules. For example, obtaining a processing contract can be a problem, but it is essential for many EU companies.

But that’s getting ahead of ourselves. We still have a lot of work to do 🙂