Scott Helme, an information security consultant, developed report-uri to provide violation reporting for sites that deploy a content security policy or HTTP public key pinning. He noticed that the browser will enforce security policies configured by the site and block malicious content, such as a cross-site scripting attack. However, the host wouldn’t know about the activity and as a result couldn’t resolve the problem. With his reporting tool report-uri, the browser can send a violation report, and you can monitor which security policies are being triggered, where and why.
The Challenge of Success — Analyzing Massive Volumes of Traffic
The rapid growth in the number of reports handled by the site required additional support, and Incapsula sponsored a free CDN account for report-uri.io. As Scott has written, the site was receiving peaks of 2,000 reports per second, resulting in an ingress data rate of about 75 Mbps and an egress data rate of about 20 Mbps. In May the traffic spiked to an even higher rate, with over 3 billion reports in that month. Incapsula handled that volume of traffic and the site continued serving all the report requests.
Dropping Bad Traffic at the Edge
Incapsula rules are applied to block traffic based on the following criteria:
- Rate limit – As the service grew rapidly, Scott had to introduce rate limits, allowing 25,000,000 reports per month for an account. This helped his customers manage their monthly allowance without exhausting it due to a misconfigured policy. The limit is implemented as an Incapsula application delivery rule with a rate limit of 10 reports per second. That rule drops an enormous number of the reports that arrive, over 427,000,000 per week.
- Malformed requests – The site strictly requires that browsers send reports in the format defined in the CSP specification. This is also implemented as an IncapRule, which enforces this format and rejects reports that are not compliant.
- Redirect requests – As an initial delivery rule, GET requests are redirected so they do not reach the site’s servers, which only process POST requests. This rule currently redirects a relatively small number of requests, but Scott expects to utilize delivery rules more fully in the future.
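The three criteria above can be pictured as one decision function. The following is an added example, not Incapsula's rule syntax or report-uri's code: the class and function names, the order of the checks, the set of required report fields and the handling of methods other than GET and POST are assumptions, and the sample report is constructed.

```python
import json

RATE_LIMIT_PER_SECOND = 10  # figure quoted in the article
REQUIRED_FIELDS = ("document-uri", "violated-directive")  # assumed minimum set

# Constructed sample in the CSP report format: a JSON object under "csp-report".
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.com/page",
    "violated-directive": "script-src 'self'",
    "blocked-uri": "https://evil.example/x.js",
}})


class EdgeFilter:
    """Decides what happens to a request before it reaches the origin."""

    def __init__(self):
        self._windows = {}  # account -> (epoch second, reports seen in it)

    def _over_limit(self, account, now):
        second = int(now)
        start, count = self._windows.get(account, (second, 0))
        if start != second:  # a new one-second window has begun
            start, count = second, 0
        self._windows[account] = (start, count + 1)
        return count + 1 > RATE_LIMIT_PER_SECOND

    @staticmethod
    def _well_formed(content_type, body):
        media_type = content_type.split(";")[0].strip().lower()
        if media_type != "application/csp-report":
            return False
        try:
            report = json.loads(body)["csp-report"]
        except (ValueError, KeyError, TypeError):
            return False  # not JSON, or no "csp-report" object
        return isinstance(report, dict) and all(
            isinstance(report.get(f), str) for f in REQUIRED_FIELDS)

    def decide(self, method, content_type, body, account, now):
        if method == "GET":
            return "redirect"  # origin only processes POST
        if method != "POST" or not self._well_formed(content_type, body):
            return "reject"    # malformed reports never count against the limit
        if self._over_limit(account, now):
            return "drop"
        return "accept"
```

Checking the format before the rate limit means a flood of malformed requests cannot use up an account's per-second allowance.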
With this large amount of traffic blocked at the CDN edge servers, the resources of the site servers are available for the service to which they should be dedicated, which is processing reports. This results in improved performance and a direct cost saving, as fewer server resources are required. Following is a live traffic view from the Incapsula dashboard that clearly shows the traffic origins, the amount of traffic that is passed to origin and the amount blocked.
The Incapsula service protects the site from malicious traffic, so that Scott does not have to worry about attacks on the site. In the first weeks using the service, he has seen examples of all the OWASP top ten blocked by Incapsula.
The Incapsula service also provides load balancing among the available pool of servers, obviating the need for Scott to provide, configure and maintain his own servers for this purpose. Looking to the future, when the site will have servers in more than one region, Scott anticipates applying Incapsula regional load balancing.
The Incapsula network provides other features for the site.
- Incapsula supports HTTP/2 and IPv6 at the edge for improved security and performance
- Incapsula performs code minification and image compression to reduce page load time and reduce bandwidth
- Incapsula dashboard provides an integrated view of the usage of the site
Note that the Incapsula CDN provides caching of server content in servers closer to your site, for quicker page loading. However, on this site each report is unique and has to be passed to the origin, so the cache is of limited benefit.
As we’ve seen, Incapsula has provided many benefits for the site, improving performance, utilization and security. Scott anticipates incorporating additional Incapsula features the site could utilize. We look forward to hearing about his progress.