I have the Google Cloud Platform load balancer as a CDN and entry point to my running services.

As far as I know, the GCP load balancer offers out-of-the-box DDoS protection even without custom Cloud Armor rules set up.

Does it also include some protection against "bad bots" which scrape info or send spam?

If not, is there any way we can set up some rules using Cloud Armor to protect GCP services against such bots?

Yurii Kuzemko
  • Provide a link to the Cloudflare bot service/features you are referencing. To provide similar features you will need to add Cloud Armor to a load balancer and write your own rules. However, at this time, Cloud Armor does not control CDN traffic. As written your question is too broad. Create a question on a specific feature/objective so that you can get a fact-based answer. There are thousands of bots, thousands of bad acts. Narrow it down to a specific item. On Stack Overflow, we can help you with a Cloud Armor rule, not how to protect you from the world. – John Hanley Jul 26 '21 at 19:38
  • @JohnHanley I don't have any idea about Cloud Armor rules. Here's a link to the Cloudflare service: https://www.cloudflare.com/en-gb/products/bot-management/ My question is about how to set up standard bot protection with Cloud Armor. I'm referring to Cloudflare as an example. – Yurii Kuzemko Jul 27 '21 at 09:08
  • Post a Cloudflare rule as an example to translate to a Cloud Armor rule. The link you provided is just a marketing page that requires contacting sales. I would need to see the actual technical details/implementation. – John Hanley Jul 27 '21 at 09:13
  • @JohnHanley I don't know the exact rules Cloudflare uses, that's why I'm asking this question to get some clarification on that. From what I found they have something like this: https://developers.cloudflare.com/firewall/recipes/challenge-bad-bots – Yurii Kuzemko Jul 27 '21 at 10:09
  • @JohnHanley I've rephrased the question so it might make more sense about what I'm trying to discover. – Yurii Kuzemko Jul 28 '21 at 08:15
  • Your question makes sense. However, you will need to study the documentation to know how to deploy Cloud Armor. You will also need to know how to monitor rule results to fine tune. There are no rules that are universal for all application use cases. There is no shortcut such as do X, Y and Z. That may work for one application and fail another application. – John Hanley Jul 28 '21 at 08:23

1 Answer

Since your question is very broad and not very precise, I will just point out some of the main features & benefits of Cloud Armor and point you to some useful documentation that will help you understand how to configure and use it.

Cloud Armor key features are:

  • Benefit from DDoS protection and WAF at Google scale
  • Detect and mitigate attacks against your Cloud Load Balancing workloads
  • Adaptive Protection (Preview) ML-based mechanism to help detect and block Layer 7 DDoS attacks
  • Mitigate OWASP Top 10 risks and help protect workloads on-premises or in the cloud

WAF is a set of web application firewall rules that you can configure to protect your resources. Rules are written in the CEL language, so have a look at this document to help you understand how they work.

Adaptive Protection helps you protect your Google Cloud applications, websites, and services against L7 distributed denial-of-service (DDoS) attacks such as HTTP floods and other high-frequency layer 7 (application-level) malicious activity. Adaptive Protection builds machine-learning models that do the following:

  • Detect and alert on anomalous activity
  • Generate a signature describing the potential attack
  • Generate a custom Google Cloud Armor WAF rule to block the signature

Last but not least - what is OWASP?

OWASP stands for the Open Web Application Security Project, an online community that produces articles, methodologies, documentation, tools, and technologies in the field of web application security.

The Top 10 OWASP vulnerabilities in 2021 are:

  • Injection
  • Broken authentication
  • Sensitive data exposure
  • XML external entities (XXE)
  • Broken access control
  • Security misconfigurations
  • Cross site scripting (XSS)
  • Insecure deserialization
  • Using components with known vulnerabilities
  • Insufficient logging and monitoring

Combining all this together, Cloud Armor gives you a wide array of tools to protect your infrastructure from anything you can think of - given you can understand WAF rules and master the skill of writing them.

You can also try to use reCAPTCHA Enterprise integrated with Cloud Armor to challenge all automated requests:

Google Cloud Armor provides effective management of automated clients' requests towards your backends through native integration with reCAPTCHA Enterprise. reCAPTCHA Enterprise uses advanced risk analysis techniques to distinguish between human users and automated clients. With the integration, reCAPTCHA Enterprise issues an encrypted token that contains the reCAPTCHA Enterprise assessment and associated attributes about the risk associated with the request. Google Cloud Armor deciphers this token without an additional request/response to the reCAPTCHA Enterprise server. Based on the token attributes, Google Cloud Armor lets you allow, block, or redirect the incoming requests.

Here's an example of redirecting to reCAPTCHA:

You can redirect a request to reCAPTCHA Enterprise to assess the user and serve manual challenges if necessary, without any additional reCAPTCHA Enterprise implementation. When human users share the same signature (such as URL paths or other L7 signatures) as a bot or an abusive system, this action provides a way for them to prove they are human and gain access, rather than being blocked. Only users who pass the assessment can acquire an exemption cookie and gain access to your service.

Wojtek_B
  • Hi! Thanks for answering. This answer indeed brings some more understanding about Cloud network security. But the main idea of my question is to understand how I can, using WAF rules and/or OWASP methodologies, set up some rules/checks to identify if the visitor is a real human or a bot. I would really appreciate it if you'd provide some examples. – Yurii Kuzemko Aug 10 '21 at 09:20
  • Please have a look at the updated answer - it should address your needs more precisely now. – Wojtek_B Aug 16 '21 at 13:05
  • Thanks for the update @Wojtek_B. I've got the idea of the bot captcha redirect. I am still unable to understand the page on the example you've sent: [example of redirecting to reCAPTCHA](https://cloud.devsite.corp.google.com/armor/docs/bot-management#use_a_manual_challenge_to_distinguish_between_legitimate_users_and_automated_clients). Also, how are we judging whether the signature is bot-like or human-like? – Yurii Kuzemko Aug 19 '21 at 08:23
  • You have to [create a new security policy](https://console.cloud.google.com/net-security/securitypolicies/add) in Cloud Armor; have a look at this [documentation](https://cloud.google.com/armor/docs/configure-security-policies#enforce-assessment). What have you tried up to this point and what don't you understand? – Wojtek_B Aug 19 '21 at 11:05
  • Hey @Wojtek_B! Thanks for your message. I've created the reCAPTCHA token score rule in Cloud Armor and this is exactly what I was looking for. I wasn't able to test it yet but will try to figure something out to see how it works. (How can I emulate bot behaviour on my website to check if it's going to be blocked?) In any case, I appreciate you answering this! – Yurii Kuzemko Sep 16 '21 at 09:00
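As an added example (not part of Wojtek_B's answer and not Google's own code), the script below ties together the two parts of the answer that the question was really after: the CEL-based WAF rules (preconfigured OWASP SQLi/XSS expressions) and the reCAPTCHA Enterprise integration (exemption cookie, session-score threshold, redirect to the manual challenge). It emits the `gcloud compute security-policies` commands for one policy and attaches it to a backend service. The policy name `bot-protection-policy`, the backend service `web-backend`, the `/login` path and the `0.5` score threshold are assumed values, and `RECAPTCHA_SITE_KEY_PLACEHOLDER` is a placeholder, not a real key. By default it only prints the commands (`DRY_RUN=1`); set `DRY_RUN=0` in a project where the Cloud Armor and reCAPTCHA Enterprise APIs are enabled to actually run them.

```shell
#!/bin/sh
# Added example: Cloud Armor policy combining preconfigured OWASP WAF rules
# with reCAPTCHA Enterprise bot scoring. All names below are constructed
# placeholders; DRY_RUN=1 prints the gcloud commands instead of running them.

POLICY="${POLICY:-bot-protection-policy}"               # assumed policy name
BACKEND="${BACKEND:-web-backend}"                        # assumed backend service
SITE_KEY="${SITE_KEY:-RECAPTCHA_SITE_KEY_PLACEHOLDER}"   # placeholder site key
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# CEL expression: reCAPTCHA session-token score below a tunable threshold.
# Scores run from 0.0 (likely bot) to 1.0 (likely human).
low_score_expr() {
  printf "token.recaptcha_session.score < %s" "$1"
}

# CEL expression: preconfigured WAF signatures for two OWASP Top 10 classes.
owasp_expr() {
  printf "evaluatePreconfiguredExpr('sqli-stable') || evaluatePreconfiguredExpr('xss-stable')"
}

create_policy() {
  run gcloud compute security-policies create "$POLICY" \
      --description "WAF plus reCAPTCHA bot management (added example)"
  # Site key the challenge page uses when a rule's action is a reCAPTCHA redirect
  run gcloud compute security-policies update "$POLICY" \
      --recaptcha-redirect-site-key "$SITE_KEY"
}

# Lower priority number is evaluated first; the default rule (2147483647) allows.
add_rules() {
  # 1000: requests matching SQLi or XSS signatures are denied before anything else
  run gcloud compute security-policies rules create 1000 \
      --security-policy "$POLICY" \
      --expression "$(owasp_expr)" \
      --action deny-403
  # 2000: clients that already passed the manual challenge carry an exemption cookie
  run gcloud compute security-policies rules create 2000 \
      --security-policy "$POLICY" \
      --expression "token.recaptcha_exemption.valid" \
      --action allow
  # 3000: low session score on the login path -> send to the reCAPTCHA challenge
  #       so a human sharing a bot's signature can prove it rather than be blocked
  run gcloud compute security-policies rules create 3000 \
      --security-policy "$POLICY" \
      --expression "request.path.matches('/login') && $(low_score_expr 0.5)" \
      --action redirect \
      --redirect-type google-recaptcha
}

attach_policy() {
  run gcloud compute backend-services update "$BACKEND" \
      --security-policy "$POLICY" --global
}

create_policy
add_rules
attach_policy
```

Start with the score rule in preview (action `allow` plus Cloud Logging on the policy) and watch the `enforcedSecurityPolicy` / `previewSecurityPolicy` fields in the load balancer request logs before switching to `redirect` or `deny-403`; the threshold that separates your real users from automation is something you tune from those logs, which is also the practical answer to the last comment's question of how to see whether a client gets challenged.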