A Distributed Denial of Service (DDoS) attack is a type of DoS (Denial of Service) attack in which multiple systems flood a network or server with fake requests to disrupt the normal operation of the targeted website. A DDoS attack generally originates from several compromised computers. Because the fake requests arrive from many different IP addresses, you need an effective DDoS prevention service to keep your business online.
We have used Web Application Firewalls (WAFs) to protect several of our clients' websites. Two of the most popular web application firewalls are Incapsula and Cloudflare. These services sanitize traffic to the website by blocking DDoS requests, while legitimate requests are forwarded to your website. This way, your website stays online to serve your users.
Recently we needed to decide which cloud-based WAF (Web Application Firewall) to use for one of our clients. We needed DDoS protection at both the network and application layers. We considered both Incapsula and Cloudflare, and we are going to describe the configuration of each here. We have used both services and have also switched from one to the other. Understanding the configuration is vital before starting with either service.
Incapsula provides a couple of static IP addresses to which you can point your domain's A records. This means you don't need to change the NS records of your domain. Traffic will go to your hosting provider and then be routed to Incapsula, which checks and sanitizes it as required and then sends it back to your server.
You need to provide the IP of your server as the "Origin Server" in Incapsula. In our case we were using a load balancer (AWS ELB), so we entered the DNS name of the load balancer as the origin server.
Traffic flow diagram with Incapsula
If you only want to protect your HTTP traffic, you don't need to change any other DNS entries of your domain, so getting started with Incapsula is very easy.
By default, return traffic from the website to the client browser is sent directly. You can also ask Incapsula to work as a reverse proxy, so that return traffic is routed via Incapsula as well. A reverse proxy hides your server IP from the public and from attackers. We have recently seen attackers target websites using the origin IP addresses of the server or load balancer in order to bypass the WAF. A reverse proxy is a good option to prevent this type of attack.
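As an added check that is not part of the original post: a small Python script that scans the origin web server's access log for requests that arrived directly rather than through the WAF, which is how the origin-IP bypass described above shows up. The WAF IP ranges, the nginx log format and the sample log lines are constructed assumptions; substitute the ranges your WAF vendor publishes.

```python
import ipaddress
import re

# Assumption: placeholder CIDRs standing in for the egress ranges your WAF
# vendor publishes. Replace them with the vendor's current list.
WAF_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]

# nginx "combined" format with $http_x_forwarded_for appended as the last field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)

# Constructed sample log: two requests relayed by the WAF, one hitting the origin directly.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0" "192.0.2.44"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0" "192.0.2.45, 203.0.113.9"
192.0.2.99 - - [10/Oct/2023:13:55:38 +0000] "GET /admin HTTP/1.1" 200 612 "-" "curl/8.0" "-"
""".splitlines()


def via_waf(ip: str) -> bool:
    """True if the connecting address belongs to one of the WAF's published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WAF_RANGES)


def classify(line: str):
    """Return {'source': 'waf'|'direct', 'client': ip, 'request': str}, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    remote = m["ip"]
    if via_waf(remote):
        # Behind the proxy the real client is the first X-Forwarded-For entry; it is
        # trusted only because the connection itself came from a WAF address.
        xff = m["xff"]
        client = xff.split(",")[0].strip() if xff not in ("", "-") else remote
        return {"source": "waf", "client": client, "request": m["req"]}
    # Anything else reached the origin without passing through the WAF.
    return {"source": "direct", "client": remote, "request": m["req"]}


def bypass_report(lines):
    """List the requests that bypassed the WAF, i.e. traffic sent to the origin IP."""
    return [c for c in map(classify, lines) if c and c["source"] == "direct"]


if __name__ == "__main__":
    for hit in bypass_report(SAMPLE_LOG):
        print(f"WAF bypass from {hit['client']}: {hit['request']}")
```

The same allow-list of WAF ranges belongs in the origin's firewall or security group, so that direct requests are refused rather than merely logged.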
Turning off Incapsula temporarily
You can go to the Websites page in Incapsula and select the "Disable" option from the more menu. If you are using an Incapsula-provided SSL certificate, you must also have an SSL certificate installed on your server. Otherwise, your customers will start seeing SSL certificate errors in their browsers.
A relatively small issue: if you have RTE editors in the administration panel of your website, Incapsula can block POST requests because they contain HTML tags. You can whitelist your IP address in Incapsula to prevent this, but if you are on a dynamic IP this can be a bit annoying.
To route traffic via Cloudflare we needed to change the NS entries of the domain, which we did at our domain hosting provider. We also needed to transfer ALL our DNS entries: A records, the MX entry, and the other CNAME and TXT entries we had for domain validation, SMTP, VoIP and VPN services. The good thing is that when we added the domain to Cloudflare, it automatically detected and added most of the DNS entries; we had to enter the remaining few manually.
Because we can't use the ELB DNS name in an A record, we added CNAME records for the root domain and the "www" subdomain pointing to the ELB DNS name.
Traffic flow diagram with Cloudflare
Cloudflare acts as a reverse proxy for the domain by default, so the response from the web server goes to Cloudflare first and is then passed back to the client browser. This way, your server IPs are not exposed to the public or to attackers.
Turning off Cloudflare temporarily
We had a live streaming event on the website, so we wanted to check whether we could bypass Cloudflare if required; we didn't want a lot of our customers to see captcha challenges. We found two possible options.
Security level – By default the security level is set to "Medium". We had the option of reducing it to "Essentially Off".
Pausing Cloudflare – There is an option to pause Cloudflare so that traffic is sent directly to the web servers. It takes a few minutes before traffic starts going directly to your servers. Pausing turns off all Cloudflare services, including SSL, so if you are using a Cloudflare-provided SSL certificate, you must also have an SSL certificate installed on your server. Otherwise, your customers will start seeing SSL certificate errors in their browsers.
Cloudflare sends a captcha challenge when you submit a form containing RTE editor content (HTML tags). Once you pass the captcha, your form is submitted successfully.