Reputation: 43
I have a policy for a backend service with several preconfigured WAF rules. There is also a rate limiting rule. If I set the preconfigured WAF rules with higher priority, it will only evaluate those and never the rate limiting rule, regardless of whether the application is under a flood attack with many "legitimate" requests. On the other hand, if the rate limiting rule is set with higher priority, it will block flood attacks, but none of the lower priority preconfigured WAF rules will be evaluated.
I have been testing this policy with siege and GoTestWaf. The results are as follows:
Preconfigured WAF rules are these, and the rate limiting rule is set as follows:
gcloud compute security-policies rules create 10000 \
--project=<GCP project> \
--security-policy=<Policy name> \
--expression="true" \
--action=rate-based-ban \
--rate-limit-threshold-count=120 \
--rate-limit-threshold-interval-sec=60 \
--ban-duration-sec=300 \
--conform-action=allow \
--exceed-action=deny-404 \
--enforce-on-key=IP
What is going on?
Is there any other way to have both preconfigured WAF rules and a rate limiting rule targeting the same backend?
Upvotes: 0
Views: 899
Reputation: 3276
When setting any rate limiting options, it is mandatory to specify the flags. If you are using a normal policy that allows or denies IPs, then they are optional, but if you are specifically setting rate limiting options for Cloud Armor security policies, then these require the rate limiting options to be set.
Rule evaluation order is determined by rule priority. When your traffic rate is under or equal to the rate_limit_threshold, the requests follow the conform-action, which is always an allow action. The request is authorized by the security policy and allowed to reach its destination. When the traffic rate exceeds the specified rate_limit_threshold, Google Cloud Armor applies the exceed_action, which can be either deny or redirect, for requests over the limit for the rest of the threshold interval. For more information, follow this official doc, or else you can also use Google Cloud Armor Managed Protection.
Upvotes: 0
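To make the priority-ordered, first-match evaluation the answer describes concrete, here is an added toy model (example code written for this page, not Google Cloud Armor's implementation, and not code from either poster). All class and function names are invented; the single preconfigured WAF rule is stood in for by a constructed `<script>` substring check, the rate-based-ban rule uses the same threshold, interval, ban duration, conform/exceed actions and IP key as the gcloud command in the question, and the sample traffic (a 130-request flood from one IP, then an XSS probe from that IP and from a fresh IP) is constructed. The model assumes a fixed window per key and that a rule's conform action, like any other matching action, ends evaluation; check the real semantics against the Cloud Armor documentation before relying on them.

```python
"""Toy model of priority-ordered, first-match security-policy evaluation.

Added illustration for this page; it is NOT Google Cloud Armor code and the
class/function names are invented. It models the behaviour the answer
describes: rules are evaluated in ascending priority order, the first rule
whose match expression is true decides the outcome, and a rate-based-ban
rule returns its conform action (allow) or exceed action (deny) per key.
Time is an integer number of seconds supplied by the caller, so it runs
offline and deterministically.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class Request:
    ip: str    # enforce-on-key=IP: the client IP is the rate-limit key
    path: str


@dataclass
class Rule:
    priority: int                       # lower number = evaluated earlier
    match: Callable[[Request], bool]    # the rule's match expression
    action: str                         # "allow", "deny-403", "deny-404", "rate-based-ban"
    # rate-based-ban settings, mirroring the gcloud flags in the question
    threshold_count: int = 0
    threshold_interval_sec: int = 0
    ban_duration_sec: int = 0
    conform_action: str = "allow"
    exceed_action: str = "deny-404"
    # per-key state (assumed fixed window): (window start, count) and ban expiry
    window: Dict[str, Tuple[int, int]] = field(default_factory=dict)
    banned_until: Dict[str, int] = field(default_factory=dict)

    def rate_decision(self, key: str, now: int) -> str:
        """Conform or exceed action for one request from `key` at time `now`."""
        if self.banned_until.get(key, -1) > now:
            return self.exceed_action          # still inside the ban
        start, count = self.window.get(key, (now, 0))
        if now - start >= self.threshold_interval_sec:
            start, count = now, 0              # interval rolled over
        count += 1
        self.window[key] = (start, count)
        if count > self.threshold_count:
            # over the threshold: apply the exceed action and ban the key
            self.banned_until[key] = now + self.ban_duration_sec
            return self.exceed_action
        return self.conform_action


class SecurityPolicy:
    def __init__(self, rules, default_action="allow"):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.default_action = default_action

    def evaluate(self, req: Request, now: int) -> str:
        for rule in self.rules:
            if not rule.match(req):
                continue                       # no match: fall through to next priority
            if rule.action == "rate-based-ban":
                return rule.rate_decision(req.ip, now)
            return rule.action                 # first matching rule decides
        return self.default_action


def xss_signature(req: Request) -> bool:
    # Constructed stand-in for one preconfigured WAF signature; the real
    # rule sets are far broader than this single substring check.
    return "<script>" in req.path.lower()


def build_policy(waf_priority: int, ratelimit_priority: int) -> SecurityPolicy:
    waf = Rule(priority=waf_priority, match=xss_signature, action="deny-403")
    ratelimit = Rule(priority=ratelimit_priority, match=lambda r: True,  # --expression="true"
                     action="rate-based-ban", threshold_count=120,
                     threshold_interval_sec=60, ban_duration_sec=300)
    return SecurityPolicy([waf, ratelimit])


def run_traffic(policy: SecurityPolicy, flood_size: int = 130):
    """Constructed traffic: one IP floods plain requests at t=0, then at t=10
    that IP and a fresh IP each send an XSS probe. Returns the flood outcome
    counts and the two probe outcomes."""
    flooder, newcomer = "203.0.113.5", "198.51.100.7"
    flood = defaultdict(int)
    for _ in range(flood_size):
        flood[policy.evaluate(Request(flooder, "/"), now=0)] += 1
    probe = "/?q=<script>alert(1)</script>"
    return (dict(flood),
            policy.evaluate(Request(flooder, probe), now=10),
            policy.evaluate(Request(newcomer, probe), now=10))


if __name__ == "__main__":
    for label, policy in (("WAF first", build_policy(1000, 10000)),
                          ("rate limit first", build_policy(10000, 1000))):
        print(label, run_traffic(policy))
```

Run it and compare the two orderings. With the WAF rule at the lower priority number, the flood from one IP is allowed up to 120 requests and then answered with deny-404, while the XSS probe is caught by the WAF rule from either IP. With the rate-based-ban rule first, its `true` match expression claims every request: the flooding IP's probe gets deny-404 from the ban, and the fresh IP's probe is simply allowed because the conform action ends evaluation and the WAF rule is never consulted. That is the effect the question reports, so in this model the way to get both behaviours on one backend is to give the WAF rules the lower priority number and let non-matching requests fall through to the rate limit.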