Protections against malicious activity
Applications and services on the internet experience frequent attacks, probes, and other malicious traffic. Threat actors making malicious requests may aim to exploit vulnerabilities, to compromise infrastructure, or to deny service to legitimate users.
As a multi-tenant platform, cloud.gov experiences a wide range of malicious activity and frequent attacks. To ensure your application remains online and unaffected, we continuously enhance our defenses. Cloud.gov employs multiple layers of protection to safeguard against different types of attacks.
Blocking known malicious patterns
All inbound traffic to cloud.gov is protected by a comprehensive set of web application firewall (WAF) rules. These rules, which include both managed and custom rule sets, block traffic that matches malicious patterns.
Managed rule sets provided by AWS offer protection against:
- Cross-site scripting (XSS)
- Requests for invalid paths or extensions
- Requests from known or suspected malicious IP ranges
- Known Java exploits
Our custom rule set additionally blocks:
- Traffic attempting to exploit Log4j vulnerabilities
- Traffic from fuzzing or probing tools identified in logs
- Traffic matching path traversal attack patterns
Protections against traffic surges
Cloud.gov occasionally encounters significant spikes, either due to DDoS or large scale probing. To mitigate the impact of such surges, we enforce rate limits on requests with a CHALLENGE action.
Vulnerability scans & CHALLENGE responses
Some site scanning or penetration testing tools may incorrectly flag responses that include an aws-waf-token cookie as a security vulnerability. This is a false positive and not indicative of a real vulnerability.
The CHALLENGE action responds to web requests with an interstitial page, allowing legitimate browsers to proceed while blocking requests from most bots. Successfully passing the CHALLENGE results in an aws-waf-token cookie, which stores the timestamp of the client’s last successful response. The presence of this cookie is evidence of our platform’s protective measures.
Since AWS handles the CHALLENGE response for requests exceeding the rate-limit threshold before reaching your application, these responses may not align with your normal application behavior. For example, CHALLENGE responses may not:
- Redirect HTTP requests to HTTPS
- Include headers normally returned by your application
AWS CloudFront & CDNs
Cloud.gov offers Amazon CloudFront as a CDN to enhance protection against traffic surges. CloudFront can cache requests, reducing the load on your application.
CloudFront CDNs managed by Cloud.gov receive additional protections:
- Rate limiting of requests with a CHALLENGE action
- Shield Advanced Protection, which auto-detects and auto-mitigates attacks at layer 3, layer 4, and layer 7
Reporting impact on legitimate traffic
If you suspect that your traffic is being improperly affected by these protections, please contact us at support@cloud.gov.
Page information
- Last modified on: 2024-06-04
