{"id":129910,"date":"2023-03-14T09:56:39","date_gmt":"2023-03-14T08:56:39","guid":{"rendered":"https:\/\/blog.wedos.cz\/?p=129910"},"modified":"2023-03-23T17:53:38","modified_gmt":"2023-03-23T16:53:38","slug":"waf-report-z-wedos-global-protection-za-unora-2023","status":"publish","type":"post","link":"https:\/\/blog.wedos.com\/cs\/waf-report-z-wedos-global-protection-za-unora-2023","title":{"rendered":"WAF report from WEDOS Global Protection for February 2023"},"content":{"rendered":"\n<p>In February we deployed a new filter for WordPress on our website wedos.cz. It has a number of preconfigured rules that automatically block known attack attempts and vulnerability scans against WordPress installations. In the future it should replace the classic WAF (web application firewall), which today is an indispensable part of every WordPress site.<\/p>\n\n\n\n<!--more-->\n\n\n\n<h2 class=\"wp-block-heading\">What is a WAF?<\/h2>\n\n\n\n<p>A WAF (web application firewall) is simply a firewall for your website. A firewall is a form of direct protection that can recognise dangerous traffic and filter it out before it does any damage. It is used everywhere: you have one on your computer as part of a security suite, there are browser extensions, and it is found on home routers and of course on servers.<\/p>\n\n\n\n<p>It is also added to websites as an extension for content management systems. At WEDOS we recommend WordFence, for example, to every WordPress user. It blocks password-cracking attempts, certain kinds of attacks and so on. 
When a new vulnerability appears, it often helps, because it simply blocks the attacker's exploitation request, since that request is aimed somewhere it should not go or is made in a way an ordinary user would never use.<\/p>\n\n\n\n<p>WAFs work and they are great, because they are built for a specific purpose and know well what they are supposed to do, or rather what they must not allow. The catch is that running them on your website costs your own system resources. They need their own database tables to store data about accesses and attacks, they have to inspect every request, they have to be updated regularly, and so on. <\/p>\n\n\n\n<p>In the end they will help with, say, an unpatched vulnerability, comment spam and a smaller attack, but as soon as someone launches a DDoS, they cannot cope, because they lack the necessary performance. <\/p>\n\n\n\n<p>A small DDoS, which a single computer can produce today, is tens of thousands of requests per minute. For a WordPress extension that is simply too much. It ends with the websites being unavailable. Not to mention stronger attacks, where the number of requests runs into hundreds of thousands per minute, or large ones, where it is already millions.<\/p>\n\n\n\n<p>This is no longer a job for shared web hosting, a VPS or a dedicated server, but for specialised software that has the corresponding computing power and the ability to scale. 
Such as <a href=\"https:\/\/www.wedos.com\/cs\/global\/\" target=\"_blank\" rel=\"noreferrer noopener\">WEDOS Global Protection<\/a> (currently over a thousand physical servers in 20 locations, in 16 countries and on 5 continents).<\/p>\n\n\n\n<p>So we said to ourselves: what if we moved the WAF, that is the web firewall protecting WordPress, in front of your hosting, wherever you have it &#8211; it does not have to be with us. <\/p>\n\n\n\n<p>WEDOS Global works as a reverse proxy through which the traffic passes, so there is no problem running a WAF specialised for WordPress there with practically unlimited performance. We are now testing the result on our website wedos.cz.<\/p>\n\n\n\n<p>Of course, users of WEDOS Global Protection also test the WAF with their own rules. We have something extra automated as well. We work with an enormous amount of data and with automatic scripts that adapt to the situation in the different locations. In short, we experiment, improve and keep pushing the whole service forward \ud83d\ude42<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How WEDOS Global fared in February 2023<\/h2>\n\n\n\n<p>Ahem, we do not have the whole of February yet. For testing purposes we delete data older than 3 weeks, but if you like the reports, we can extend that to a whole month. It will only be a few dozen TB of extra data. So please share and link, so that we can justify the additional costs to management \ud83d\ude42<\/p>\n\n\n\n<p>Now to the report. The data is roughly from the period 7 to 28 February 2023. That should be just under 21 days. 
<\/p>\n\n\n\n<p>At the end of February there were roughly <strong>2000 domains<\/strong> on WEDOS Global. Some belong to testers and some are our customers who are under frequent attack. They are mainly larger and better-known websites. WEDOS Global Protection also has a cache as a form of protection (selected attackers are served a cached version of the page\/file), so some use it as a CDN. <\/p>\n\n\n\n<p>WEDOS Global is currently in <strong>20 cities, 16 countries and on 5 continents<\/strong>. In all locations we choose the best partners for connectivity, so the response time from around the world is excellent. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"592\" data-src=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2023\/03\/wedos-global-20230227-1024x592.png\" alt=\"\" class=\"wp-image-130011 lazyload\" data-srcset=\"https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/wedos-global-20230227-1024x592.png 1024w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/wedos-global-20230227-300x173.png 300w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/wedos-global-20230227-768x444.png 768w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/wedos-global-20230227.png 1293w\" data-sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 1024px; --smush-placeholder-aspect-ratio: 1024\/592;\" \/><figcaption class=\"wp-element-caption\">Current response time from around the world for the WEDOS Global network. 
We will add more points, tune BGP and it will be even better \ud83d\ude09<\/figcaption><\/figure>\n\n\n\n<p>A total of <strong>1&nbsp;236&nbsp;610&nbsp;507 requests<\/strong> from <strong>5&nbsp;787&nbsp;605 unique IP addresses<\/strong> made it as far as the WAF on WEDOS Global. Before that, many times more had been blocked by the classic DDoS protections (L3\/L4) and the big SYN Filter.<\/p>\n\n\n\n<p>The big SYN Filter is used to block access from blacklisted IP addresses. If an IP address attacks, the automatic scripts or the colleagues who deal with cyber attacks put it on the blacklist, and then it does not threaten anyone else. The big SYN Filter is optimised to act rather than think. So unfortunately we do not have usable data from it. We do not know who is being attacked or how, but we know it has to be blocked. It has to be able to block hundreds of millions of requests per minute. Nothing more. In the future we will try to get some statistics out of it. 
But they will be monstrous numbers \ud83d\ude42<\/p>\n\n\n\n<p>You can see all the WEDOS Global traffic that passed through the traditional DDoS protections and the SYN filter in the graph below.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2023\/03\/image.png\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" width=\"1024\" height=\"357\" data-src=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2023\/03\/image-1024x357.png\" alt=\"\" class=\"wp-image-129915 lazyload\" data-srcset=\"https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/image-1024x357.png 1024w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/image-300x105.png 300w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/image-768x268.png 768w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/image-1536x536.png 1536w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/image.png 1819w\" data-sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 1024px; --smush-placeholder-aspect-ratio: 1024\/357;\" \/><\/a><figcaption class=\"wp-element-caption\">Total traffic on WEDOS Global from 7.2.2023 to 28.2.2023, each column is 12 hours.<\/figcaption><\/figure>\n\n\n\n<p>Most of the traffic is handled by the point in our data centre WEDOS DC2, which is immersed in oil. 
If it went down, it would not matter: the point in the WEDOS DC1 data centre would take over its role immediately.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"768\" data-src=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2023\/03\/IMG_1327-1024x768.jpeg\" alt=\"\" class=\"wp-image-130007 lazyload\" data-srcset=\"https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/IMG_1327-1024x768.jpeg 1024w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/IMG_1327-300x225.jpeg 300w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/IMG_1327-768x576.jpeg 768w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/IMG_1327-1536x1152.jpeg 1536w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/IMG_1327-scaled.jpeg 2048w\" data-sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 1024px; --smush-placeholder-aspect-ratio: 1024\/768;\" \/><figcaption class=\"wp-element-caption\">Oil bath with two HPE Moonshot 1500, 90 physical servers in total.<\/figcaption><\/figure>\n\n\n\n<p>Most of the handled traffic comes from the Czech Republic, because the majority of the large websites on WEDOS Global are Czech. A few are international. The large volume of traffic from the USA is not just search engines but also third-party servers that communicate with our customers' websites. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2023\/03\/20230303-unor-nejvetsi-zeme.png\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" width=\"481\" height=\"630\" data-src=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2023\/03\/20230303-unor-nejvetsi-zeme.png\" alt=\"\" class=\"wp-image-130009 lazyload\" data-srcset=\"https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/20230303-unor-nejvetsi-zeme.png 481w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/20230303-unor-nejvetsi-zeme-229x300.png 229w\" data-sizes=\"(max-width: 481px) 100vw, 481px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 481px; --smush-placeholder-aspect-ratio: 481\/630;\" \/><\/a><\/figure>\n\n\n\n<p>If you use a content management system and extensions for it, they will most likely communicate with a server in the USA. Many people think that developers and companies have everything on a CDN or in a cloud all over the world. But a CDN and a worldwide cloud are not cheap. Developers make the most money in the USA, which is why they have their servers there. <\/p>\n\n\n\n<p>Your website can thus be slowed down by a plugin that is waiting for communication with a server in the USA. By the time the reply gets here it can be hundreds of ms. WEDOS Global solves this. We currently have 4 of the 5 planned points in the USA.<\/p>\n\n\n\n<p>This can also be seen in the traffic by cloud\/VPS provider. Microsoft, Amazon, Google and so on make up a considerable part of the traffic.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2023\/03\/20230303-unor-nejvetsi-asn.png\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" width=\"555\" height=\"815\" data-src=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2023\/03\/20230303-unor-nejvetsi-asn.png\" alt=\"\" class=\"wp-image-130013 lazyload\" data-srcset=\"https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/20230303-unor-nejvetsi-asn.png 555w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/20230303-unor-nejvetsi-asn-204x300.png 204w\" data-sizes=\"(max-width: 555px) 100vw, 555px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 555px; --smush-placeholder-aspect-ratio: 555\/815;\" \/><\/a><\/figure>\n\n\n\n<p>The following graph shows it better, provided you enlarge it. It shows how the individual IP addresses of the various providers connect to the individual WEDOS Global points. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"768\" data-src=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2023\/03\/wedos-global-ASN-unor2023-1024x768.png\" alt=\"\" class=\"wp-image-130016 lazyload\" data-srcset=\"https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/wedos-global-ASN-unor2023-1024x768.png 1024w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/wedos-global-ASN-unor2023-300x225.png 300w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/wedos-global-ASN-unor2023-768x576.png 768w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/wedos-global-ASN-unor2023-1536x1152.png 1536w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/wedos-global-ASN-unor2023.png 2048w\" data-sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 1024px; --smush-placeholder-aspect-ratio: 1024\/768;\" \/><\/figure>\n\n\n\n<p>And here is the list of the largest websites hidden behind WEDOS Global by number of requests and unique IP addresses. It has grown a little again. 
After all, when you filter out malicious traffic, you save on hosting \ud83d\ude09<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"555\" height=\"805\" data-src=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2023\/03\/20230303-unor-nejvetsi-weby.png\" alt=\"\" class=\"wp-image-130018 lazyload\" data-srcset=\"https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/20230303-unor-nejvetsi-weby.png 555w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/20230303-unor-nejvetsi-weby-207x300.png 207w\" data-sizes=\"(max-width: 555px) 100vw, 555px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 555px; --smush-placeholder-aspect-ratio: 555\/805;\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Captured attacks<\/h2>\n\n\n\n<p>And now it is time to look at the captured attacks that got through the DDoS protection and the SYN filter. They are mostly bursty, because as soon as the detection identifies an attack from certain IP addresses, those addresses can end up banned on the SYN filter, or some protection, such as a captcha, is put in their way.<\/p>\n\n\n\n<p>In the following graph you can see that attacks happen every day. 
Sometimes more, sometimes less, but there is no day without attacks or vulnerability scanning.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"349\" data-src=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2023\/03\/image-1-1024x349.png\" alt=\"\" class=\"wp-image-129922 lazyload\" data-srcset=\"https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/image-1-1024x349.png 1024w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/image-1-300x102.png 300w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/image-1-768x262.png 768w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/image-1-1536x523.png 1536w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/image-1.png 1817w\" data-sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 1024px; --smush-placeholder-aspect-ratio: 1024\/349;\" \/><figcaption class=\"wp-element-caption\">Attacks captured by the WAF from 7.2.2023 to 28.2.2023<\/figcaption><\/figure>\n\n\n\n<p>Over the monitored period from 7 to 28 February, a total of <strong>5&nbsp;873&nbsp;507<\/strong> requests were blocked as an attack or a vulnerability scan.<\/p>\n\n\n\n<p>It has to be taken into account that the traffic has already been thoroughly cleaned by the preceding protections. We block a number of active botnets on the big SYN filter. We have been building the blacklists for years and have a lot of experience and data. So what gets through tends to be atypical attack sources, or sources for which we have milder rules set. In February that was the Czech Republic and Japan. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"571\" height=\"735\" data-src=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2023\/03\/20230303-zeme-utoky.png\" alt=\"\" class=\"wp-image-130254 lazyload\" data-srcset=\"https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/20230303-zeme-utoky.png 571w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/20230303-zeme-utoky-233x300.png 233w\" data-sizes=\"(max-width: 571px) 100vw, 571px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 571px; --smush-placeholder-aspect-ratio: 571\/735;\" \/><\/figure>\n\n\n\n<p>Botnets of compromised devices, VPNs, proxy servers, TOR and so on are a frequent source of attacks. Sometimes, of course, an unintentional attack can occur. Search engines, for example, have a tendency to try various URLs now and then. Our firewall is uncompromising and blocks access to that particular URL, which does not bother them, because the return code tells them they have no business there. <\/p>\n\n\n\n<p>In the list of blocked sources you will also find WEDOS. 
Whether it was a compromised website hosted with us or colleagues testing how well the new protection performs, it makes no difference to the WAF.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2023\/03\/20230303-odkud-jdou-utoky-asn.png\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" width=\"565\" height=\"799\" data-src=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2023\/03\/20230303-odkud-jdou-utoky-asn.png\" alt=\"\" class=\"wp-image-130256 lazyload\" data-srcset=\"https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/20230303-odkud-jdou-utoky-asn.png 565w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/20230303-odkud-jdou-utoky-asn-212x300.png 212w\" data-sizes=\"(max-width: 565px) 100vw, 565px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 565px; --smush-placeholder-aspect-ratio: 565\/799;\" \/><\/a><\/figure>\n\n\n\n<p>The following graph is built from the total blocked traffic by provider heading to the individual points, together with the TOP 10 most frequent target paths within the given location. In other words, what is mainly being attacked. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2023\/03\/202303-waf-v-akci-cil-jpg-scaled.jpg\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" width=\"1024\" height=\"1024\" data-src=\"https:\/\/blog.wedos.cz\/wp-content\/uploads\/2023\/03\/202303-waf-v-akci-cil-jpg-1024x1024.jpg\" alt=\"\" class=\"wp-image-130258 lazyload\" data-srcset=\"https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/202303-waf-v-akci-cil-jpg-1024x1024.jpg 1024w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/202303-waf-v-akci-cil-jpg-300x300.jpg 300w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/202303-waf-v-akci-cil-jpg-150x150.jpg 150w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/202303-waf-v-akci-cil-jpg-768x768.jpg 768w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/202303-waf-v-akci-cil-jpg-1536x1536.jpg 1536w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/202303-waf-v-akci-cil-jpg-scaled.jpg 2048w, https:\/\/blog.wedos.com\/wp-content\/uploads\/2023\/03\/202303-waf-v-akci-cil-jpg-100x100.jpg 100w\" data-sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" style=\"--smush-placeholder-width: 1024px; --smush-placeholder-aspect-ratio: 1024\/1024;\" \/><\/a><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>February was the first month in which the special filters for WordPress were tested on our website wedos.cz, and the results look really good. 
In March we will improve them with further protections, including protection against SQLi attacks, of which there are also many and which can occasionally give WordPress a hard time when they hit an uncached page. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>In February we deployed a new filter for WordPress on our website wedos.cz. It has a number of preconfigured rules that automatically block known attack attempts and vulnerability scans against WordPress installations. In the future it should replace the classic WAF (web application firewall), which today is an indispensable part of every WordPress site.<\/p>\n","protected":false},"author":9,"featured_media":130016,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[112],"tags":[122,200,186,177],"class_list":["post-129910","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bezpecnost","tag-ddos","tag-waf","tag-wedos-global","tag-wedos-global-protection"],"_links":{"self":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/129910","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/comments?post=129910"}],"version-history":[{"count":5,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/129910\/revisions"}],"predecessor-version":[{"id":131600,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/129910\/revisions\/131600"}],"wp:featuredmedia":[{"embeddable":true,
"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/media\/130016"}],"wp:attachment":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/media?parent=129910"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/categories?post=129910"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/tags?post=129910"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}