In February we deployed a new WordPress filter on our wedos.cz website. This has a number of pre-set rules that automatically block known attack attempts and vulnerability scanning on WordPress installations. In the future, it should replace the classic WAF (Web application firewall), which is now an essential part of all WordPress websites.
What is this WAF?
A WAF (Web Application Firewall) is simply a firewall for your website. A firewall is a form of direct protection that detects dangerous traffic and filters it out before it can do any damage. Firewalls are used everywhere: you have one on your computer as part of a security package, there are extensions for your web browser, and there are firewalls on home routers and, of course, on servers.
They are also added to websites as extensions for content management systems. At WEDOS, we recommend Wordfence for WordPress to everyone. It blocks password cracking attempts, some types of attacks, and so on. When a new vulnerability is discovered, it often helps simply by blocking the attacker's exploitation request, because that request goes somewhere it shouldn't, or in a way that a normal user never would.
WAFs work and are great because they are built for a specific purpose and know exactly what to do or not to allow. But running them on your site costs your system resources. They have to have their own database tables where they store data about accesses and attacks, they have to check every request, they have to update themselves regularly, etc.
As a result, they can help with untreated vulnerabilities, comment spam and minor attacks, but once someone launches a DDoS, they can’t handle it because they don’t have the power to do so.
The smallest DDoS that even a single computer can mount today is tens of thousands of requests per minute. That is simply too much for a WordPress extension; the result is an unavailable site. What about stronger attacks, where the number of requests reaches hundreds of thousands per minute, or large ones, where it is already in the millions?
This is no longer a job for shared web hosting, a VPS or a dedicated server, but for specialized software with the appropriate computing power and the ability to scale, such as WEDOS Global Protection (currently over 1,000 physical servers in 20 locations, 16 countries and 5 continents).
So we thought, what if we moved WAF, the WordPress web firewall, in front of your hosting wherever you have it – it doesn’t have to be with us.
WEDOS Global acts as a reverse proxy through which the traffic passes, so there is no problem running a WAF there with virtually unlimited power dedicated to WordPress. We are now testing the result on our website wedos.cz.
Of course, WAFs with their own rules are also being tested by WEDOS Global Protection users. We have something extra: automation. We work with huge amounts of data and with automatic scripts that adapt to the situation in different locations. We are constantly testing, improving and moving the whole service forward 🙂
How WEDOS Global did in February 2023
Uh, we haven’t got all of February yet. For testing purposes we delete data older than 3 weeks, but if you like the reports we can stretch it to a full month. It’s only going to be a few dozen TB of extra data. So please share and link so we can justify the additional cost to management 🙂
Now to the report. The data are roughly from the period 7 to 28 February 2023, so a little under 21 days.
At the end of February there were about 2000 domains on WEDOS Global. Some are testers and some are our customers who are under frequent attack. It’s mainly the bigger and better known sites. WEDOS Global Protection also has caching as a form of protection (a cached version of the page/file is served to selected attackers), so some people use this as a CDN.
WEDOS Global is currently in 20 cities, 16 countries and 5 continents. We choose the best connectivity partners in every location, so response times from around the world are good.
A total of 1,236,610,507 requests from 5,787,605 unique IP addresses passed through WEDOS Global as far as the WAF. Before that, many times more were blocked by the classic DDoS protections (L3/L4) and the Big SYN Filter.
The Big SYN Filter is used to block access from blacklisted IP addresses. If an IP address is caught attacking, automatic scripts or colleagues who deal with cyber attacks put it on a blacklist, and from then on it threatens no one else. The Big SYN Filter is optimized to act, not to think, so unfortunately we don't have usable data from it. We don't know who is being attacked or how; we only know that it has to be blocked. It has to be able to block hundreds of millions of requests per minute. That's all. We'll try to get some stats out of it in the future. They're going to be monstrous numbers 🙂
You can see all of the WEDOS Global traffic that passed through traditional DDoS protection and the SYN filter in the graph below.
Most of the traffic is handled by a point in our WEDOS DC2 datacenter, which is oil-cooled. If it fails, it doesn't matter: a point in the WEDOS DC1 datacenter immediately takes over its role.
Most of the cleaned traffic comes from the Czech Republic, because most of the big sites on WEDOS Global are Czech. There are a few international ones. A lot of the traffic from the US is not only search engines, but also third-party servers that communicate with our customers' websites.
If you are using a content management system, and an extension to it, it will most likely communicate with a server in the US. A lot of people think that developers and companies have everything on a CDN or in the cloud all over the world. But CDNs and the global cloud are not cheap. The USA makes the most money for developers, that’s why they have servers there.
Your site may be slowed down by a plugin that is waiting to communicate with a server in the US. It could be hundreds of ms before it gets here. WEDOS Global is addressing this. We currently have 4 points out of 5 planned in the USA.
This can be seen in the traffic from cloud/VPS providers. Microsoft, Amazon, Google, etc. make up a significant part of the traffic.
The following chart shows this better. That is, if you enlarge it. It shows how individual IP addresses of different providers connect to individual WEDOS Global points.
And here's a list of the top websites hiding behind WEDOS Global by number of requests and unique IP addresses. It's grown a little again. After all, if you filter out malicious traffic, you save money on hosting 😉
Intercepted attacks
So now it's time to take a look at the intercepted attacks that made it past the DDoS protection and the SYN filter. Most of the time they have consequences: once detection identifies an attack from certain IP addresses, those addresses can end up banned on the SYN filter, or some protection, such as a captcha, is put in their way.
You can see in the graph below that there are attacks every day. Sometimes it is more, sometimes less, but there is not a day without attacks or vulnerability searches.
For the reporting period from 7 to 28 February, a total of 5,873,507 requests were blocked because they were either an attack or a vulnerability scan.
Keep in mind that this traffic has already been thoroughly cleaned by the previous protections. We block many active botnets on the Big SYN Filter. We have been building blacklists for years and have a lot of experience and data. So what gets through are atypical sources of attacks, or sources for which we have set more lenient rules. In February that was the Czech Republic and Japan.
Botnets of compromised devices, VPNs, proxy servers, TOR, etc. are a frequent source of attacks. Sometimes, of course, an unintentional "attack" occurs. For example, search engines tend to try different URLs from time to time. Our firewall is uncompromising and blocks access to that particular URL, which is fine with them, because they know from the return code that they have no business being there.
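To make the pipeline concrete, here is an added example (not WEDOS's code or ruleset) of what a WordPress filter in front of the hosting does with the kind of pre-set rules mentioned at the start and the escalation described above: a few path rules and a login-flood limit are applied to constructed access log lines, a request that trips a rule is answered with 403, and an IP that keeps tripping rules is returned for the blacklist. The rule patterns, thresholds and log lines are all assumptions for illustration.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample of reverse-proxy access log lines (not real WEDOS data).
SAMPLE_LOG = """\
203.0.113.10 - - [14/Feb/2023:10:01:02 +0100] "POST /wp-login.php HTTP/1.1" 200 1843
203.0.113.10 - - [14/Feb/2023:10:01:03 +0100] "POST /wp-login.php HTTP/1.1" 200 1843
203.0.113.10 - - [14/Feb/2023:10:01:03 +0100] "POST /wp-login.php HTTP/1.1" 200 1843
203.0.113.10 - - [14/Feb/2023:10:01:04 +0100] "GET /wp-config.php.bak HTTP/1.1" 404 162
203.0.113.10 - - [14/Feb/2023:10:01:05 +0100] "GET /.env HTTP/1.1" 404 162
198.51.100.7 - - [14/Feb/2023:10:02:11 +0100] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.55 - - [14/Feb/2023:10:03:00 +0100] "GET /xmlrpc.php HTTP/1.1" 200 42
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Illustrative pre-set path rules: files no ordinary WordPress visitor requests.
PATH_RULES = [
    ("config-or-backup-file", re.compile(r"/wp-config\.php|/\.env$")),
    ("xmlrpc", re.compile(r"/xmlrpc\.php$")),
]
LOGIN_LIMIT = 2          # POSTs to wp-login.php tolerated per IP (assumed value)
BLACKLIST_THRESHOLD = 3  # rule hits per IP before escalation to the SYN-filter blacklist

def match_path_rule(path: str) -> Optional[str]:
    """Return the name of the path rule the request trips, or None if it looks benign."""
    bare = path.split("?", 1)[0]          # ignore the query string
    for name, pattern in PATH_RULES:
        if pattern.search(bare):
            return name
    return None

def evaluate(log_text: str):
    """Decide per request: (ip, path, status, rule). Requests that trip a rule get 403.
    Also return the set of IPs that tripped BLACKLIST_THRESHOLD or more rules."""
    hits, logins, decisions = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # unparsable line, skip it
        ip, method, path = m["ip"], m["method"], m["path"]
        rule = match_path_rule(path)
        if rule is None and method == "POST" and path.split("?", 1)[0].endswith("/wp-login.php"):
            logins[ip] += 1
            if logins[ip] > LOGIN_LIMIT:   # password-cracking pattern: too many login POSTs
                rule = "login-flood"
        if rule:
            hits[ip] += 1
            decisions.append((ip, path, 403, rule))
        else:
            decisions.append((ip, path, int(m["status"]), None))
    blacklist = {ip for ip, n in hits.items() if n >= BLACKLIST_THRESHOLD}
    return decisions, blacklist
```

On the sample, 203.0.113.10 trips three rules and is returned for the blacklist, 192.0.2.55 has its single xmlrpc request blocked without escalation, and the one legitimate login from 198.51.100.7 passes untouched.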
You will also find WEDOS in the list of blocked sources. Whether it was a compromised website hosted by us or colleagues testing how well the new protection performs, the WAF doesn't care.
The following chart is built from the total blocked traffic by provider going to each point, together with the TOP 10 most frequent destination paths within a given location. In other words, it shows what is mainly being attacked.
Conclusion
February was the first month in which the special filters for WordPress were tested on our wedos.cz website, and the results look really good. In March we will improve them with additional protections, including protection against SQLi attacks, of which there are also many and which can really hurt WordPress when they hit an uncached page.