
Oracle Cloud Infrastructure - WAF - A case study

  • subhash496
  • Jan 9, 2024
  • 1 min read
OCI-WAF-Log

It was turning out to be a perfect slow day with an early wind-up for the weekend. Little did I know that the Teams ping in the background was going to shatter that slow-day illusion... To cut a long story short, we discovered that the application was suffering from a DDoS attack (the normal expected traffic of 500 hits had increased to over 16,000).


Architecture Context

A typical three-tier application (web, application and database tiers) deployed in Oracle Cloud Infrastructure (OCI), fronted by a Public Load Balancer for external public users.


Findings

The WAF logs (see the screenshot above) showed:

  • The traffic had increased from the expected level of about 500 hits to over 16,000

  • The originating traffic was not confined to the UK geographical area. Traffic originating from us, ru & de was detected.

  • The majority of the originating traffic was from "agents" (automated clients rather than browsers)
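As an added illustration of the kind of triage the findings above describe (this is not code from the original post or from OCI), the following Python groups constructed WAF-style records by country and user-agent and compares the total against the 500-hit baseline; the expected-country set, the agent markers and the record layout are assumptions.

```python
"""Triage of WAF-style access records against a known traffic baseline.

Constructed example: the record layout (country, user_agent, hits) is an
assumption, not OCI's WAF log schema, and the sample data is invented.
"""
from collections import Counter

EXPECTED_HITS = 500           # normal traffic level stated in the post
EXPECTED_COUNTRIES = {"gb"}   # assumption: the application serves UK users
# Assumed substrings that mark automated clients ("agents") rather than browsers
AGENT_MARKERS = ("bot", "python-requests", "curl", "go-http-client")

# Constructed sample records, not real log data: (country, user_agent, hits)
SAMPLE_LOG = [
    ("gb", "Mozilla/5.0 (Windows NT 10.0) Firefox/121.0", 420),
    ("gb", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari/604.1", 60),
    ("us", "python-requests/2.31", 5200),
    ("ru", "Go-http-client/1.1", 6100),
    ("de", "curl/8.4.0", 4300),
]


def triage(records, expected_hits=EXPECTED_HITS,
           expected_countries=EXPECTED_COUNTRIES):
    """Summarise a batch of records: surge ratio, off-region traffic,
    share of automated clients and the regions a block rule would target."""
    total = sum(hits for _, _, hits in records)
    by_country = Counter()
    automated = 0
    for country, user_agent, hits in records:
        by_country[country] += hits
        if any(marker in user_agent.lower() for marker in AGENT_MARKERS):
            automated += hits
    # Any region outside the expected set is a candidate for a geo-block rule
    unexpected = {c: n for c, n in by_country.items()
                  if c not in expected_countries}
    return {
        "total_hits": total,
        "ratio_to_baseline": total / expected_hits,
        "unexpected_countries": unexpected,
        "automated_share": automated / total if total else 0.0,
        "block_candidates": sorted(unexpected),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```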


Mitigation

  • Add a WAF policy attached to a Public Load Balancer

  • Create WAF rules specifically to counter the DDoS attack (inspect the originating traffic and its region of origin) and block the unexpected traffic

  • Enable OCI Flow logs for WAF & Load Balancers


Important lessons learnt from the incident

  • Review the cloud architecture and measure it against CIS & Landing zone benchmarks

  • Always, Always, Always front a public facing entry-point with a WAF with relevant and tested WAF policies
