Building a Global Firewall API
Published on
Author: Alex Lee (@alexjoelee)
What is a Global Firewall API
Building a CDN has forced us to think of and create so many random new things. These things are not often complicated and once you think of it, it seems obvious. I have to imagine that our competitors also have similar systems, whether they have written about them on their blogs or not.
We run a CDN or Content Delivery Network - this is a large system of computers (servers) that run special software to cache and serve web traffic. CDNs are used to speed up websites, reduce load on application servers, and protect origin services from attacks.
The Global Firewall API is an internal tool that we built to manage all of our firewall lists. Most crucially, it allows us to manually (or automatically) add bad IP addresses to a global blocklist. In less than sixty seconds, the blocklist is updated for every server on our network, globally blocking the offending IPs. It's no more complicated than that.
Integrating at Layer 4
Let's say that one of our edge servers gets bombarded with TCP SYN packets. This is commonly called a "SYN Flood" attack. Our firewalls are very good at detecting these attacks and stopping them. One of the ways they do this is by detecting the flood and adding the source address to an in-memory blocklist. We're able to synchronize each server's blocklist with our global API. If one server comes under attack, the attacking address is blocked at Layer 3 globally.
Integrating at Layer 7
Similarly, our WAF is capable of detecting Layer 7 attacks and blocking them. The trouble is repeat offenders. Ideally we want our WAF to have plenty of compute headroom to deal with large swaths of traffic. When one bad actor is performing the same request over and over again, our WAF analyzes and blocks it... over and over again. Repeating that analysis and blocking costs a lot of compute power. So instead, once an offending IP has been added to the list enough times, it will be blocked at Layer 3. This means that it can keep attempting to send bad requests, but they will be blocked by our firewall before reaching our proxy servers, thus saving the compute power of analyzing a repeat bad request.
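The Layer 4 sync and the Layer 7 repeat-offender escalation described in the two sections above, as an added simulation that is not the post's own code: the class and method names, the SYN-flood threshold, the escalation count and the sample addresses (TEST-NET documentation ranges) are all assumptions made for the example.

```python
from collections import Counter


class GlobalFirewallAPI:
    """Central blocklist that every edge synchronizes against (hypothetical name)."""

    def __init__(self, escalate_after=5):
        self.escalate_after = escalate_after  # WAF blocks before Layer 3 escalation
        self.l7_hits = Counter()              # per-IP count of WAF blocks
        self.l3_blocklist = set()             # IPs blocked at Layer 3 globally

    def add(self, ip):  # manual adds and Layer 4 flood detections land here
        self.l3_blocklist.add(ip)

    def report_l7_block(self, ip):
        """WAF reports one blocked request; a repeat offender is promoted to L3."""
        self.l7_hits[ip] += 1
        if self.l7_hits[ip] < self.escalate_after:
            return False
        self.add(ip)
        return True


class EdgeServer:
    """One edge node: an in-memory firewall blocklist in front of a WAF/proxy."""
    SYN_FLOOD_THRESHOLD = 1000  # SYNs from one source before the firewall reacts

    def __init__(self, api):
        self.api, self.blocklist, self.syn_counts = api, set(), Counter()

    def on_syn(self, src_ip):
        """Firewall path: count SYNs, block the source locally, then publish it."""
        if src_ip in self.blocklist:
            return "dropped-l3"
        self.syn_counts[src_ip] += 1
        if self.syn_counts[src_ip] > self.SYN_FLOOD_THRESHOLD:
            self.blocklist.add(src_ip)
            self.api.add(src_ip)
            return "flood-blocked"
        return "accepted"

    def on_request(self, src_ip, malicious):
        """Proxy path: a Layer 3 drop happens before the WAF spends compute on it."""
        if src_ip in self.blocklist:
            return "dropped-l3"
        if malicious:
            self.api.report_l7_block(src_ip)
            return "blocked-waf"
        return "served"

    def sync(self):  # periodic pull of the global list; the post says under 60 s
        self.blocklist |= self.api.l3_blocklist
```

Until an edge runs `sync()`, an address escalated elsewhere still reaches that edge's WAF, which is the window the sixty-second propagation bound in the post is about.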
How our clients benefit
Our clients benefit from these improvements significantly. They allow us to mitigate larger attacks as our customer base and attack surface grow.