We are experiencing a Dodos attack (I guess) as we are receiving millions of HEAD request to our web site.
We have secured it but unfortunately Azure has the default domain xyz.azurewebsite.com and the "attacker" is making request to that URL. Even if I add a network restriction the server still goes down as to produce the "403 forbidden" page I guess it uses some resource.
Any Ideas to prevent this ?
Related
I want to only allow users from my own IP and two domains which would cover the client's intranet and external secure website. Should I be doing it in web.config? Azure itself?
Thanks for the help :-)
The mechanism to control which referral domains are allowed to access resources in your Azure Web App, or any other HTTP endpoint for that matter, is called Cross-Origin Resource Sharing (CORS).
CORS is an IETF standard (RFC6454) and is supported and configurable for any Web App / App Service. However, it will not help you in what you are trying to achieve.
Web browsers nowadays operate what's referred to as same-origin policy. This is where a browser will only fetch resources from the same domain present in the address bar. Why? It's really a security mechanism designed to protect the user against cross-site scripting (CSS) attacks, where a malicious actor may craft scripts to make calls to websites a victim is currently logged in to, where their cookie will automatically be sent to the server to sign in, thus being able to carry out activities as the victim. CORS allows developers to permit cross-origin requests safely by white-listing particular domains which are allowed to access resources.
CORS should not be used a mechanism to restrict access to a site. Neither should the referrer HTTP header be used when locking down access to a website, since this can easily be spoofed. Further, CORS operates on an honorary basis meaning that, should origin be indeterminable, the request will be allowed, as it is assumed that the request is same-origin, or initial.
What you are looking for is IP restrictions. Azure Web Apps support IP restrictions. In the portal, navigate to your Web App -> Networking -> IP Restrictions. This area will allow you to configure IP addresses or ranges that are allowed to access the application. You will need to create a rule allowing your IP address and addresses relating to the "referral domains" in question, which demands that the users are coming from known addresses.
So, to answer your question, it should be done in the portal, and you should use IP restrictions.
I have created few API on nodejs a d want to consume in same nodejs app. Even I have ensure cross origin to my domain.
It's only preventing cross domain and not allowed API.
But when using postman it's allowed .
Please help to provide how to restrict my nodejs api to be used by my app internal in angular and should not allow cross domain and postman.
Cross domain protections are implemented only in a browser to protect end-user browser security. They do not apply to http requests made from Postman or from node.js or from any other programmatic tool, only from the browser.
There is no way to keep your API from being called by other agents besides your own web app. This is just the way of the web. For your web page to be able to use the API in the browser, that API has to be open to the public.
The usual way to provide some protections on such APIs is to require some sort of user login in order to use the API. Your own web app can have a logged in user and your server can require a certain login cookie be on the http request before your server will fulfill the request. This too can be used by 3rd party tools such as Postman, but they would have to first obtain an appropriate login cookie.
To prevent abuse even in these cases where they get a login cookie, you would need to track usage on your server and if you detect any irregular patterns or abusive patterns (often with some sort of rate limiting detection logic), then you can temporarily or permanently ban that user login.
I am working on web application that has angular 4 on frontend and WEB API on backend. This application is hosted on MS Azure and until now we didn't have any issues.
Currently we need to integrate with one payment provider. During payment user is redirected to his payment page, and if everything goes well user is redirected back to our web site. Beside the browser redirect (which may fail) payment provider supports server to server call (HTTP GET). In this way they make sure we get information about the transaction. The problem here is that instead of one call to our Web API backend we get always two calls. After checking the request origin IP addresses I concluded that there is two origins (one is payment provider address and another is IP located in USA, which I assume belongs to MS). This looks to me like a routing problem, but I am not very experienced at this.
Did anybody have similar problem on Azure while hosting web application ?
According to your decription, it seems that fails for cross domain request. Azure website is supposed to manage CORS for you.
I think you missed a handy Azure website blade: Specify the origins that should be allowed to make cross-origin calls (for example: http://example.com:12345). To allow all, use "*" and remove all other origins from the list. Slashes are not allowed as part of domain or after TLD.
Cross-Origin Resource Sharing (CORS) allows JavaScript code running in a browser on an external host to interact with your backend. Specify the origins that should be allowed to make cross-origin calls (for example: http://example.com:12345). To allow all, use "*" and remove all other origins from the list. Slashes are not allowed as part of domain or after TLD.
I'm using smartystreets to verify address, etc.,. The only setting I'm giving them is the referrer URL.
When I request with postman by passing the correct referrer it works fine.
What if someone supplies the same header from AWS CloudFront and steals my account subscription limits.
Trying to understand how my subscription is protected.
Thanks.
Here is how I could query without a subscription from smartystreets,
URL Used GET with (Referrer: https://smartystreets.com/) Header:
https://us-zipcode.api.smartystreets.com/lookup?auth-id=21102174564513388&agent=smartystreets%20(website%3Ademo%2Fsingle-address%40latest)&city=Tustin&state=CA&zipcode=92780&candidates=5&geocode=true&input_id=0
Exposed Authentication TokenID: 21102174564513388
You are correct that if someone managed to steal your domain then they would be able to use your SmartyStreets subscription. The silver lining here is that all requests from browsers that use website keys (which are intended to be used in public, front-facing javascript code) are rate-limited, preventing the number of lookups that can happen. In the event of a stolen domain you could proactively delete the website keys on your account or you could have your SmartyStreets subscription shut down within a matter of minutes to prevent unauthorized access.
More info about website keys and the basics of their security model:
https://smartystreets.com/docs/cloud/authentication
BTW, I'm a back-end engineer at SmartyStreets.
I have a website working fine on IIS manager. I created a new site with it sharing the same IP and port. For the host header I put in the domain to the site. When i currently go to the domain i get a
403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.
I checked to make sure anonymous is enabled and setup but still no luck. it doesn't ask for credentials when accessing the site.
At this point i'm not sure what else to do. Does anyone have ideas that I could try?
After spending some time in my domain service site. I apparently put in the wrong IP address to the website server and instead was pointing towards my exchange server.