Skip to main content
U.S. flag

An official website of the United States government

How cloud.gov continually adapts to dynamic cybersecurity threats

January 24, 2024

Managed Information Security

Government web applications and services are targeted by a barrage of ever-increasing challenges, probes, and malicious traffic. These attacks try to exploit common vulnerabilities, compromise infrastructure, or disrupt services for legitimate users. With thousands of customer application instances running on cloud.gov, we see many different kinds of attacks. Our commitments to safety, security, and transparency ensure that our defenses are up-to-date and robust, safeguarding cloud.gov customer applications from the impact of high-traffic-volume attacks directed at both the platform and our agency customers.

One of cloud.gov’s priorities is to make sure that agencies can focus on their core mission without the burden of dealing with the complex and changing discipline of web application security. We ensure that all customer apps on cloud.gov are protected by a strategic collection of web application security best practices developed to combat the kinds of threats that government websites are uniquely prone to experience. These strategies are part of our more complete security posture, which is continually emerging and evolving in response to the malicious actors and the attacks they attempt.

cloud.gov’s Web Application Firewall (WAF) stands as one protective barrier against various cyber attacks, operating between a web application and the internet. It acts as a vigilant gatekeeper, monitoring, filtering, and blocking malicious HTTP traffic, while allowing legitimate traffic to access appropriate resources. A specific set of WAF rules define the criteria for allowing or blocking incoming requests to all cloud.gov managed websites and applications.

Challenge Requests and Rate Limiting

In order to make sure that an HTTP request to access a given web application is a legitimate visit and not a bot, cloud.gov issues a silent browser challenge. It’s similar to a CAPTCHA, but doesn’t require the visitor to successfully solve a puzzle, as it runs in the background of the browser. This approach helps implement effective rate limiting, managing spikes in requests during high-traffic events, and separating legitimate traffic from probing or DDOS-style attacks. cloud.gov’s WAF rules also make sure that a single IP address can pass no more than 2,000 of these challenges within a 5-minute period, so that even as malicious attacks become more convincing, customer applications on cloud.gov remain available and responsive.

After implementing these WAF rules, we monitored traffic surges to ensure that the change handled situations resembling these types of attacks without any negative impact to cloud.gov customers. For example, consider this graph of traffic across the entire platform from November 7th, 2023:

This line graph compares the Challenges issued to IP Addresses after exceeding HTTP request rate limit to all allowed requests. From 8:00 to 16:00, all allowed requests line hovered around the 400,000 tick on the Y-axis, indicating requests. Over the same timeframe, the challenges after rate limit line is near zero until about 12:00, where it rises slowly until about 12:20 and then rapidly, spiking a few times between the ticks at 1.2 and 1.4 Million requests just after 13:00, then drops immediately back to zero around 13:30 and remains near zero until 16:00, where the graph ends
The dotted red line above illustrates a surge in requests that received a challenge once their IP exceeded the 2,000 per 5-minute rate limit via the WAF rule. At the same time, all allowed requests (as illustrated by the solid blue line) remained stable, allowing legitimate traffic to continue uninterrupted to cloud.gov customer applications.

Reputation Lists

Another element in cloud.gov’s WAF strategy is the use of existing reputation lists to exclude known potentially malicious or automated traffic that originates from specific IP addresses. At times, traffic surges to customer applications come from IP addresses that were previously determined to be bots or other threats. cloud.gov protects all of our customer applications by blocking traffic from these known, low-reputation IP addresses. We monitored a potential attack from known low-reputation IP addresses on the evening of November 3rd, and despite seeing more than one million requests in a span of 15 minutes from these IP addresses, the reputation list WAF rule blocked the vast majority of the potentially malicious traffic:

This line graph compares the number of allowed vs blocked HTTP Requests for a 2-hour period from 16:00 to 18:00. Allowed requests are indicated in a thick, solid blue line and are relatively stable at around 400,000 requests for the entire duration, with a small peak at just over 500,000 between 17:00 and 17:15. Total blocked requests is identified with a dark red dashed line, and it is near zero for most of the graph, except for a sharp spike up to nearly 1.5 million requests between 17:00 and 17:15. In addition to total blocked requests, there is a bright red solid line indicating requests that were blocked specifically because of the IP Reputation blocked rule, and it follows the same shape and spike of the line for all blocked requests, peaking just slightly below at about 1.25 million requests

Just as the cloud.gov web application security approach guards against known threats using adaptive reputation lists, the cloud.gov team flexibly and skillfully reacts to new situations. Real-world incidents, like a surge in potentially malicious traffic experienced last October, serve as valuable lessons for how cyber threats are changing for government web applications. Our team not only responds quickly during these incidents but actively works on proactive measures to prevent future occurrences. This iterative process of learning and improvement ensures that our security measures adapt to emerging challenges. We publish updates like these to reflect our total commitment to providing a resilient and reliable platform for our users.

Operating as a public entity in the government space means that malicious actors will regularly attempt to disrupt the services being provided to customers and stakeholders or to compromise the underlying infrastructure. At cloud.gov, we strive to make sure agencies can trust that their applications are in capable hands, allowing their teams to focus on innovation and development while we handle the rest.

If your development team is interested in hearing more about cloud.gov, scheduling a demo, or getting access to a free sandbox, email us at inquiries@cloud.gov.