WAF report from WEDOS Global Protection for June 2023


In June, we again moved the entire WEDOS Global infrastructure forward. Response times improved in a number of countries and we added a few new features that we hope to roll out to everyone soon. Of course, there were also DDoS attacks, which we successfully filtered out. Interestingly, despite the increase in the number of sites protected by WEDOS Global Protection, DDoS attacks decreased in June. It looks like attackers are starting to give up on us.

WEDOS Global

WEDOS Global is the name of our infrastructure that runs the global network of the same name. The entire WEDOS Global infrastructure currently has over 1500 physical servers and connectivity of over 2.5 Tbps. At the end of May, we had servers in 25 locations in 20 countries on 5 continents. Another site is in the process of being completed.

New WEDOS Global point in Mexico

On Friday 16.06.2023 at 15:17 we launched another WEDOS Global point. This time in Mexico, specifically in a datacenter in the capital city of Ciudad de México. Most of the traffic is purely from Mexico. Less traffic comes from Colombia, Cuba, El Salvador and some from the US.

As far as traffic from South America is concerned, most of it currently comes through our points in the USA, of which we have 5 (Atlanta, Dallas, Chicago, New York and Silicon Valley). We have been arranging points in South America for several months to take care of this traffic. Unfortunately, it is very difficult. A point of ours is at least 45 physical servers and 2 switches, and we need connectivity of at least 100 Gbps with the option to scale up. Not every location has that much connectivity available, and elsewhere there are legislative obstacles.

We could launch the first point directly in South America by the end of the holiday season. We have been arranging everything for several months.

New peering in Canada has significantly improved response across North America

Sending thousands of servers somewhere and setting up 100 Gbps connectivity is not enough to build a super-fast global network. It is also necessary to peer properly with both the large networks and the local ones. We still have a lot of work to do, but we are working on it.

At the end of June, we launched peering in Toronto, Canada, which led to a significant improvement in connectivity across North America: from 27 ms to about 22.5 ms. This region is very competitive, with hundreds of local providers, so reaching 23rd place here is a great success for us. We believe we could reach 10th to 15th place by the end of the year 🙂

What is IXP peering?

Peering is an agreement between two Internet Service Providers (ISPs) that allows their network traffic to pass directly between them without having to go through a third party.

This direct data transfer can increase the speed and reliability of your internet connection, as the data does not have to travel as far or cross as many intermediate networks. It can also reduce costs, as both parties avoid the transit fees they might otherwise pay to third parties to carry the data.

Peering usually takes place at so-called Internet Exchange Points (IXPs), where many ISPs can link their networks together.

Would you like to learn more about WEDOS Global?

For those of you who are interested in a deeper understanding of the advanced technologies on which the WEDOS Global infrastructure is built, we offer a presentation from the Kubernetes Community Days Czech & Slovak 2023, held in Bratislava. Two of our colleagues who are directly involved in the development of WEDOS Global presented at this conference.

WEDOS Global Protection

WEDOS Global Protection is one of the services that runs on WEDOS Global and is designed to protect your website from various types of cyber attacks. It doesn’t matter if they are large scale DDoS attacks or small attacks where the attacker is trying to crack your password.

An important part of the service is that a static version of your site is stored in each location. If nothing has changed on the page, visitors are always served content from the nearest point. Basically, it is a CDN.

What is a CDN (Content Delivery Network)?

The acronym CDN translates to content delivery network. This system works as a series of servers located around the world that copy and store the content of web pages (such as the page itself, images, page styles, etc.).

When a user wants to retrieve a web page that uses the CDN, instead of downloading all the content from a single central server (which could be slow if the user is geographically far from the server), the request is routed to the nearest servers in the WEDOS Global CDN network. They then deliver content faster because they are closer to the user.

Using WEDOS Global increases the speed and efficiency of data transfer, improves the availability and reliability of your website, helps to cope with the onslaught of users when many people visit your site at once and improves your search engine rankings.

WEDOS Global Protection commercially launched

WEDOS Global Protection already successfully protects thousands of websites, so there was nothing stopping us from going into full operation. This includes orders for paid plans, trial periods and so on. It mainly meant finalizing the commercial side of the service.

Originally, we planned one free plan for personal non-commercial websites. But that was at a time when WEDOS Global Protection was only meant to protect against cyber threats. Since then, the service has taken content caching to a whole new level and essentially replaces a CDN for websites. This genuinely speeds up websites and reduces the load on servers.

Check out the most visited sites on WEDOS Global Protection hosted on our NoLimit shared web hosting (some have the Extra plan), ranked by number of requests. The traffic shown is for June (30 days). Shared web hosting for 39 CZK/month can handle millions of requests per day thanks to smart caching on WEDOS Global Protection.

How does caching work on WEDOS Global?

Caching at WEDOS Global is a process that allows for efficient distribution of content through our points of presence in 25 locations around the world to reduce the load on the original hosting server and increase the speed of data transfer to users.

How it works:

  1. Caching: When a user first requests certain content (e.g., a web page, image, JavaScript, CSS), WEDOS Global retrieves this content from the origin server and stores a copy on the servers in that location (i.e., a server near the user).
  2. Content delivery: when other users request the same content, WEDOS Global serves it from the server closest to them. This greatly reduces the time it takes to retrieve content because the data doesn’t have to travel as far. This is especially noticeable if you have a surge of traffic (advertising campaign, social sharing).
  3. Cache expiration: each cached item has a specified time to live (TTL). After this time, the item expires and must be reloaded from the origin server on the next request. This keeps the content up to date.
  4. Content refresh: If the content on the origin server changes, WEDOS Global can update its cache to reflect the change. This is ensured by mechanisms such as cache invalidation, which allow manual or automatic deletion of specific files from the cache. In the WEDOS Global administration you will also find a button to delete the cache.
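The four steps above, as an added illustration in Python. This is not WEDOS's code: the origin, URLs, TTLs and the policy of never sharing responses marked private or carrying a Set-Cookie header are all assumptions made for the example. It shows a miss going to the origin, a hit served from the edge, TTL expiry (honouring the origin's max-age), and a purge standing in for the "delete cache" button.

```python
"""Minimal edge cache with TTL expiry and invalidation (added example, not WEDOS code)."""
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed origin response: (status, headers, body).
Response = tuple[int, dict[str, str], bytes]


@dataclass
class CacheEntry:
    response: Response
    expires_at: float          # absolute time after which the entry is stale


@dataclass
class EdgeCache:
    """One point of presence. `fetch_origin` stands in for the upstream HTTP call."""
    fetch_origin: Callable[[str], Response]
    default_ttl: float = 60.0                  # assumed fallback TTL when the origin sets none
    clock: Callable[[], float] = time.monotonic
    entries: dict[str, CacheEntry] = field(default_factory=dict)
    origin_hits: int = 0

    @staticmethod
    def cacheable(resp: Response) -> bool:
        """Only store responses that are safe to share between visitors.

        Anything marked private/no-store, or that sets a cookie, is treated as
        per-user and never shared (this policy is the example's own assumption).
        """
        status, headers, _ = resp
        cc = headers.get("Cache-Control", "").lower()
        if status != 200:
            return False
        if "no-store" in cc or "private" in cc:
            return False
        if "Set-Cookie" in headers:
            return False
        return True

    def ttl_for(self, resp: Response) -> float:
        """Honour max-age from the origin, otherwise fall back to the default."""
        cc = resp[1].get("Cache-Control", "").lower()
        for directive in cc.split(","):
            directive = directive.strip()
            if directive.startswith("max-age="):
                try:
                    return float(directive.split("=", 1)[1])
                except ValueError:
                    break
        return self.default_ttl

    def get(self, url: str) -> tuple[Response, str]:
        """Return (response, 'HIT' | 'MISS' | 'EXPIRED' | 'BYPASS')."""
        now = self.clock()
        entry = self.entries.get(url)
        if entry is not None:
            if now < entry.expires_at:
                return entry.response, "HIT"          # step 2: served from the edge
            del self.entries[url]                      # step 3: TTL elapsed
            state = "EXPIRED"
        else:
            state = "MISS"
        resp = self.fetch_origin(url)                  # step 1: go to the origin
        self.origin_hits += 1
        if self.cacheable(resp):
            self.entries[url] = CacheEntry(resp, now + self.ttl_for(resp))
        else:
            state = "BYPASS"
        return resp, state

    def purge(self, url: Optional[str] = None) -> int:
        """Step 4: invalidation. Purge one URL, or everything (the admin 'delete cache' button)."""
        if url is None:
            n = len(self.entries)
            self.entries.clear()
            return n
        return 1 if self.entries.pop(url, None) is not None else 0


def demo() -> list[str]:
    """Walk through miss/hit/expiry/purge/bypass with a fake clock and a constructed origin."""
    t = [0.0]

    def origin(url: str) -> Response:
        if url == "/cart":   # per-user page: private and sets a session cookie
            return 200, {"Cache-Control": "private", "Set-Cookie": "sid=abc"}, b"your cart"
        return 200, {"Cache-Control": "max-age=30"}, b"<html>home</html>"

    cache = EdgeCache(fetch_origin=origin, clock=lambda: t[0])
    states = [cache.get("/")[1], cache.get("/")[1]]     # MISS, HIT
    t[0] = 31.0                                         # past the 30 s max-age
    states += [cache.get("/")[1], cache.get("/")[1]]    # EXPIRED, HIT
    cache.purge("/")
    states.append(cache.get("/")[1])                    # MISS after purge
    states += [cache.get("/cart")[1], cache.get("/cart")[1]]  # BYPASS, BYPASS
    return states
```

`demo()` returns the sequence of cache states; the `/cart` page is fetched from the origin every time because it is private, which is exactly the kind of response an edge cache must never hand to a different visitor.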

Overall, caching on WEDOS Global helps to speed up content loading, reduce the load on the original server and improve the overall performance of web applications. Unlike your hosting, the WEDOS Global network is ready to handle millions of requests per second.

This feature has great added value because it reduces costs (when you grow, you don’t need more powerful hosting/VPS) and improves search engine rankings (we actually see more hits from Google in the stats), because sites are faster and most sites have Google’s servers “around the corner”. Also remember that most hosting providers limit foreign traffic because of attacks or to save money, so your site is often slower for visitors abroad. Try it on vacation 😉

That is why we have decided that the lowest Start tariff will be 25 CZK excluding VAT per month. There is currently a 15-day trial period in which everyone can find out whether it is worth it. This tariff is essentially final and nothing will change.

The second tariff, Advanced, costs 150 CZK excluding VAT per month. The main differences are that it covers sites whose data transfer is expensive, all checks and error pages are made as unintrusive as possible (clean design), and configurations that improve performance and smart protection against new security threats are rolled out with priority. In the future, we expect more detailed graphs and logs.

The Expert tariff is designed for developers who understand network traffic well and need certain exceptions or individual rules for their scripts. It offers a number of options to customize your protection, but at the same time, a single typo can mean your site stops working for half the planet.

The Ultimate plan is a tailored solution for large companies, organizations and governments who need to not only protect their website, but also have a human on the phone to troubleshoot the problem. Within this solution it is also possible to arrange SLA.

We also have two tariffs for administrators of a large number of domains. Multidomain B2B is designed, for example, for hosting companies or webmasters. It allows you to pre-register domains on our AnycastDNS via API and, if any of their customers comes under attack, switch on protection for them. The advantage is that there is no charge for WEDOS Global Protection until the protection is activated.

Multidomain B2B Whitelabel is basically the same thing, but you can run everything under your own DNS names (domains), your own IP addresses and even your own ASN (more info). There is no such service in the world, because if there were, we would buy it ourselves and would not have to build WEDOS Global for hundreds of millions 🙂

For an overview of complete price lists, please visit https://www.wedos.com/cs/protection/

New WordPress plugin

In May, our developers completed a WordPress plugin to help you get WEDOS Global Protection up and running. We uploaded it to WordPress.org this month and are awaiting approval. For now, you can download it from our website and install it manually.

  1. Download the plugin(wgpwpp.zip) at https://www.wedos.com/cs/protection/ochrana-wordpress/
  2. Log in to your WordPress administration
  3. In the left sidebar, click “Plugins”. This will open a page with a list of plugins.
  4. On the plugin list page, click the “Add New” button on the top bar.
  5. On the options page to add a new plugin, select the “Upload plugin” tab.
  6. Click on the “Select File” button and select the plugin ZIP file (wgpwpp.zip) that you downloaded at the beginning. Then click on the “Upload” button.
  7. After the plugin is successfully uploaded, WordPress will perform the installation process. When the installation is complete, you will see a message indicating that the installation was successful.
  8. After installing the plugin, you will be presented with the option to activate the plugin. Click on the “Activate plugin” link.

The WEDOS Global Protection plugin will help you protect WordPress from attacks (from small to large ones), overloading and you will still collect some SEO points for speed (DNS response speeds up worldwide, WEDOS Global Protection automatically caches selected content worldwide).

We will be glad for your feedback.

Testing HTTP/3

We ran a trial of HTTP/3 on one of the reverse proxies.

HTTP/3 is the latest version of the HTTP protocol, which is the basis for data transfer on the Internet and allows you to access websites.

Earlier versions of HTTP (HTTP/1 and HTTP/2) use the Transmission Control Protocol (TCP) to transfer packets. TCP is reliable because it ensures that all packets arrive at the right place and in the right order. But it also has a drawback: if one packet is lost or delayed, all subsequent packets must wait until the lost packet is retransmitted and arrives. This is called head-of-line blocking.

HTTP/3 instead uses a newer protocol called QUIC, which was designed to overcome the head-of-line blocking problem. QUIC runs over the User Datagram Protocol (UDP), which imposes no ordering of its own, and handles reliability and ordering itself, separately for each stream. This means that if one packet is lost or delayed, only the stream it belonged to waits; the other streams in the same connection can continue.

The benefits of HTTP/3 include:

  • Better performance on unstable networks: HTTP/3 can transfer data more efficiently on networks that are unstable or have high latency, such as the mobile Internet. For customers on mobile phones in poorly covered areas, on the train, etc., you gain a competitive advantage.
  • Faster connections: QUIC allows new connections to be set up faster, as fewer round trips are required between the client and the server.
  • Security by default: QUIC has TLS 1.3 built into the protocol, so every connection is encrypted, which improves data security.
  • No head-of-line blocking: QUIC lets other streams continue without waiting for lost or delayed packets. This improves the speed and efficiency of data transfer.

Modern browsers already know HTTP/3. However, older ones can still use HTTP/2. After we test everything in detail, we will run HTTP/3 for everyone.

Your hosting may not support HTTP/3, IPv6 and the other technologies offered by WEDOS Global, but you will still be able to use them.

What would such communication look like?

  1. Client request: the client (visitor) sends a request for web content using IPv6 and HTTP/3. This connection is between the client and the WEDOS Global reverse proxy.
  2. Reverse proxy translation: the WEDOS Global reverse proxy receives this request and translates it into a format that your server can accept – for example, HTTP/2 and IPv4.
  3. Server request: the WEDOS Global reverse proxy then sends this translated request to your server/host.
  4. Server response: the server/host processes the request and sends a response back to the WEDOS Global reverse proxy using HTTP/2 and IPv4.
  5. Translating and sending the response: the WEDOS Global reverse proxy receives this response, translates it back into HTTP/3 and IPv6 and sends it to the client.

Through this process, the WEDOS Global reverse proxy can serve as a bridge between clients using modern technologies such as HTTP/3 and IPv6 and servers that do not yet support these technologies. This allows servers to gradually migrate to newer technologies without the need for immediate upgrades.
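An added example for the HTTP/3 trial and the proxy flow above, not WEDOS's code. A reverse proxy that has switched on HTTP/3 normally advertises it on its HTTP/1.1 and HTTP/2 responses with an Alt-Svc header (RFC 7838), for example `Alt-Svc: h3=":443"; ma=86400`, and that header is what browsers use to upgrade their next connection to QUIC. The parser below reads that header so you can confirm from a normal HTTPS response which protocols an edge advertises and for how long; the header values used are constructed.

```python
"""Parse an Alt-Svc header (RFC 7838) to see which alternatives a server advertises (added example)."""
from dataclasses import dataclass
from urllib.parse import unquote

DEFAULT_MAX_AGE = 86400  # RFC 7838 section 3.1: default when "ma" is absent


@dataclass(frozen=True)
class AltService:
    protocol: str   # ALPN identifier, e.g. "h3", "h3-29", "h2"
    host: str       # "" means "same host as the current origin"
    port: int
    max_age: int    # seconds the client may keep using this alternative
    persist: bool   # persist=1: keep using it across network changes


def _split_top_level(header: str) -> list[str]:
    """Split on commas that are not inside a quoted alt-authority."""
    parts, buf, quoted = [], [], False
    for ch in header:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_alt_svc(header: str) -> list[AltService]:
    """Return the advertised alternatives in order; [] for "clear" or a malformed header."""
    if header.strip().lower() == "clear":
        return []
    services = []
    for value in _split_top_level(header):
        pieces = [p.strip() for p in value.split(";")]
        alternative, params = pieces[0], pieces[1:]
        if "=" not in alternative:
            continue                                   # not protocol-id "=" alt-authority
        proto, authority = alternative.split("=", 1)
        proto = unquote(proto.strip())                 # protocol-id is percent-encoded
        authority = authority.strip()
        if not (authority.startswith('"') and authority.endswith('"')):
            continue                                   # alt-authority must be a quoted-string
        host, sep, port_s = authority[1:-1].rpartition(":")
        if not sep or not port_s.isdigit():
            continue
        max_age, persist = DEFAULT_MAX_AGE, False
        for p in params:
            k, _, v = p.partition("=")
            k, v = k.strip().lower(), v.strip().strip('"')
            if k == "ma" and v.isdigit():
                max_age = int(v)
            elif k == "persist":
                persist = v == "1"
        services.append(AltService(proto, host, int(port_s), max_age, persist))
    return services


def advertises_http3(header: str) -> bool:
    """True if any alternative is an HTTP/3 ALPN id ("h3" or a draft id such as "h3-29")."""
    return any(s.protocol == "h3" or s.protocol.startswith("h3-")
               for s in parse_alt_svc(header))
```

Feed it the Alt-Svc value from any HTTPS response (for example from your browser's developer tools or an HTTP client) to see whether the edge in front of your site already offers HTTP/3; a `clear` value means the server has withdrawn all alternatives.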

WEDOS Global Protection statistics

The following statistics are from the reverse proxies at each point, which handle requests already cleaned of L3/L4 DDoS attacks. In the last few months we have actually seen few L3/L4 attacks. Previously we experienced 10 Gbps+ attacks several times a week; in June there was one.

What are L3/L4 attacks?

DDoS attacks at the L3 and L4 layer target the network and transport layers and use a variety of techniques to overwhelm target servers or devices.

Network layer (L3) – provides routing of data between different networks using logical addresses (IP).

Transport layer (L4) – provides end-to-end data transfer between endpoints using protocols such as TCP (connection-oriented, reliable, ordered delivery) or UDP (connectionless, no delivery guarantees).

Furthermore, the statistics exclude all requests that come from servers on our blacklists. We only use blacklists for IP addresses from which only malicious traffic comes. If the traffic is mixed, we can filter it through the protection instead, where we use a cookie plus a JavaScript redirect, or a CAPTCHA.

How does WEDOS use blacklists?

WEDOS uses a number of blacklists that we create ourselves or obtain from third parties (Udger, AbuseIPDB).

Most IP addresses are on automatically generated blacklists, which are created by algorithms based on real-time traffic analysis. An IP address stays there for anywhere from a few minutes to hours.

We also have manually curated blacklists, created by our cyber security experts in response to attacks or from log analysis.

Furthermore, the requests we generate ourselves to monitor the availability and performance of individual points are excluded from the overview so as not to skew the statistics.

At the end of June, the number of WEDOS Global Protection protected domains increased to 3754 (+720). Some of these are domains that have been added by support due to attacks, or they’re heavyweight sites that are greatly helped by automatic caching on the proxy server. There are 940 users (+136) using WEDOS Global Protection outside our country.

In June, a total of 3,387,852,458 requests (+26.43%) from 7,730,182 (-4.56%) unique IP addresses were recorded on protected domains. On average, the proxy servers handled 112,928,415 requests per day.

Daily chart of requests to WEDOS Global for June, cleaned of L3/L4 attacks and of our own monitoring traffic.

As awareness of WEDOS Global spreads, so do new users. At the same time, those who try WEDOS Global usually add more domains after successful testing.

Large DDoS attacks via the application layer (L7) decreased in June. It should be noted that, based on the data, we have also added compromised third-party VPSs to the blacklists. Both factors contributed to the decline in unique IP addresses (IPv4 and IPv6).

What is an L7 DDoS attack?

An L7 DDoS attack is a type of cyber attack on a website or application that uses ordinary web requests such as GET and POST. The goal is to slow down a web page or an API or make it unavailable.

Attacks on L7 are difficult to detect and distinguish from normal traffic because they use the same protocols and methods as legitimate users. Special tools and techniques and a thorough analysis of network traffic are needed to mitigate them.

As we improve the algorithms that temporarily blacklist IP addresses, the number of requests we have to block at the reverse proxy (access limits, connection limits and the web application firewall) decreases. We are also seeing that attackers really do conserve resources. Once they realize they have hit our protection, they stop the attack. Most attacks thus last only a few seconds, which is quite fascinating given that they have to synchronize an attack from hundreds to thousands of IP addresses at once.

Boring protection stats 🙂

  • L7 DDoS – intercepted HTTP flood requests: 3,919,589
  • L7 DDoS – intercepted problem connections (Slowloris, connection exhaustion, etc.): 461,070
  • Blocked by WAF rule: 7,937,254
  • Other L7 blocking: 6,008,263

It should be noted that these counts are mostly first attempts. As soon as someone starts an HTTP flood of thousands of requests per second, they go on the blacklist, where they stay for a few minutes, tens of minutes or even hours. The exact time is determined by the algorithms.
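The mechanism described above (a flood from one IP trips a rate limit, the IP goes on a temporary blacklist, repeat offenders stay longer), as an added Python illustration. It is not WEDOS's algorithm: the one-second window, the 500 requests-per-window threshold, the 5-minute first ban that doubles per repeat offence up to 6 hours, and the log lines (a normal visitor plus a single device firing about 1800 requests in a second, like the school-site attack reported further down) are all constructed for the demo.

```python
"""Rate-based HTTP flood detection with a temporary, escalating blacklist (added example, not WEDOS code)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 1.0      # sliding window the per-IP rate is measured over (assumed)
FLOOD_THRESHOLD = 500     # requests per window from one IP that count as a flood (assumed)
BASE_BAN = 5 * 60         # first offence: 5 minutes (assumed)
MAX_BAN = 6 * 3600        # never longer than 6 hours (assumed)


@dataclass
class FloodGuard:
    windows: dict[str, deque] = field(default_factory=lambda: defaultdict(deque))
    banned_until: dict[str, float] = field(default_factory=dict)
    offences: dict[str, int] = field(default_factory=lambda: defaultdict(int))
    blocked: int = 0

    def _ban(self, ip: str, now: float) -> None:
        """Escalate: 5 min, 10 min, 20 min, ... capped at MAX_BAN."""
        self.offences[ip] += 1
        duration = min(BASE_BAN * 2 ** (self.offences[ip] - 1), MAX_BAN)
        self.banned_until[ip] = now + duration
        self.windows.pop(ip, None)          # no need to keep counting a banned client

    def decide(self, ip: str, now: float) -> str:
        """Return 'allow' or 'block' for one request from `ip` at time `now` (seconds)."""
        until = self.banned_until.get(ip)
        if until is not None:
            if now < until:
                self.blocked += 1
                return "block"
            del self.banned_until[ip]       # ban expired: start again with a clean window

        window = self.windows[ip]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                # drop timestamps that fell out of the window
        if len(window) > FLOOD_THRESHOLD:
            self._ban(ip, now)
            self.blocked += 1
            return "block"
        return "allow"


def parse_log_line(line: str) -> tuple[float, str]:
    """Constructed log format for the demo: '<unix_ts> <client_ip> <method> <path>'."""
    ts, ip, _method, _path = line.split(maxsplit=3)
    return float(ts), ip


def replay(lines) -> dict:
    """Run the guard over log lines; report per-IP block counts, remaining ban time and offences."""
    guard = FloodGuard()
    blocks = defaultdict(int)
    last_ts = 0.0
    for line in lines:
        ts, ip = parse_log_line(line)
        last_ts = ts
        if guard.decide(ip, ts) == "block":
            blocks[ip] += 1
    remaining = {ip: round(until - last_ts) for ip, until in guard.banned_until.items()}
    return {"blocked": dict(blocks), "ban_remaining": remaining, "offences": dict(guard.offences)}


def constructed_traffic() -> list[str]:
    """A browser-like visitor (20 requests over 10 s) and one device sending 1800 requests in 1 s."""
    lines = [f"{1000 + i * 0.5:.3f} 203.0.113.7 GET /page{i}" for i in range(20)]
    lines += [f"{1000 + i / 1800:.5f} 198.51.100.9 GET /" for i in range(1800)]
    lines.sort(key=lambda l: float(l.split()[0]))
    return lines
```

Against the constructed traffic, the normal visitor is never touched, while the flooding IP gets its first 500 requests through and the remaining 1300 blocked: the 501st request trips the threshold and every later one is rejected by the ban without being counted at all, which is the "mostly first attempts" effect in the figures above.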

The most powerful L7 DDoS attacks

June was the dullest month since the launch of WEDOS Global. Either the attackers have gone on vacation to enjoy the nice summer weather, or they simply no longer attack us and are looking for victims elsewhere. Remember that you can use WEDOS Global Protection even if your hosting/VPS is with a competitor. There is no need to move anything; just point your domain’s DNS to us. See DDoS attack first aid.

1. Attack on a web application – peak 911 thousand requests per minute

This customer is under attack almost every month; someone clearly has it in for their application. Most of the time the attacks on it are very short (tens of seconds). This time the attack lasted over 3 minutes, and the peak was 911 thousand requests per minute. The part of the attack that reached the reverse proxy came from 984 unique IP addresses, which is not a small number. We assume that hundreds more are permanently on our blacklists.

2. Attack on a multimedia website – peak 190 thousand requests per minute

This attack was quite interesting because of how hard the attacker tried to break through the defense. They gathered a fairly large number of IP addresses, 2674, and sent 499 thousand requests from them in three waves, which was some 190 thousand per minute at the peak. Normally we see attacks that are nicely synchronized; this one ramped up gradually. It lasted less than three minutes before the attacker realized it was pointless.

No other attacks were interesting in terms of strength.

Bonus attack from 1 IP

This attack was carried out on a school website. The attack came from just 1 IP address (one device) and beautifully demonstrates how powerful such an L7 DDoS attack can be. On the graph you can see how the attacker was able to generate over 1800 requests per second. Could your website handle it? Because anyone can do a similar attack from a mobile phone.

Conclusion

Anyone can use WEDOS Global Protection to load faster and protect their websites. The service can be used without the need to move hardware or change web hosting providers. Simply point the domain to the WEDOS Global DNS and add the domain to the WEDOS Global Protection administration.