
Reverse proxy

A simple way to prevent common web-based attacks


Aung Win Myat
Software Architect, Leo Tech Services Pte Ltd
aung.myat@leotech.com.sg

Abstract

As the ICT sector in Myanmar has grown recently, numerous websites from different sectors are emerging quickly. Some of these websites serve high traffic due to public interest and need to be protected from common web-based attacks. A web application malfunctions when the load on it exceeds the performance capacity that its hosting infrastructure can handle. This paper addresses the common web-based attacks, how they can be prevented, and how a reverse proxy can help in preventing those attacks while boosting website performance. To demonstrate the reverse proxy, the software "Varnish", which is widely used by high-traffic websites, will be presented.

Typical Web Application

A modern web application is built on a multi-tier architecture that typically involves presentation, application and data tiers, normally deployed onto a web server, an application server and a database server respectively in a production environment. Web servers are normally exposed to the public and are the victims in most cyber attacks.

Common web-based attacks

The most common web-based attacks are Denial of Service (DoS), Distributed Denial of Service (DDoS), Cross Site Scripting (XSS), malicious software (malware) and injections. In DoS or DDoS attacks, attackers generate a huge number of requests to a particular website until the servers that host the website can no longer handle the workload. In XSS attacks, an attacker plants scripts in a site; when such a script is executed by a genuine user, the user's browser attacks the sites instructed by the script without the user's knowledge. In malware attacks, attackers plant malicious software such as viruses, worms, trojans, spyware, adware etc. to disrupt operations, gather sensitive information and gain access to private computer systems. In injection attacks, attackers inject code or scripts that can gather or alter sensitive information; in the worst case, the whole system or data structure could be destroyed.

Performance Tuning

To prevent the common web-based attacks, the first step to take is tuning the website up to its maximum performance with the given infrastructure. The performance of a website can be determined by how much time it takes to serve a request ("response time"), the average rate of successful requests ("throughput"), how much CPU, memory and I/O is utilized ("resource utilization") and how many concurrent requests it can handle ("workload"). Performance tuning should be done in each tier to gain maximum performance.

In the web tier, performance tuning includes the following measures: the content transferred to the client should be zipped ("compressing"), the scripts should be packed into the minimum number of files without unnecessary characters ("minification"), the scripts should be made unreadable to humans for security purposes ("obfuscation"), static content should be cached in the client browser ("caching") and the web server should be properly configured for concurrent requests ("concurrency configuration"). In the application tier, tuning should be carried out with tasks such as placing repeatedly accessed or expensive-to-access data in a memory cache ("caching"), spawning threads for long-running or concurrent tasks ("multi-threading"), designing proper module structure and relationships ("coupling and cohesion") and designing the data access pattern, e.g. lazy loading ("loading data on demand"). In the data tier, the tuning tasks include configuring the cache for identical query statements ("query cache"), configuring database connection pooling ("connection pooling"), identifying and building indexes for expensive queries ("tuning indexes") and considering the use of an object database for scalability ("NoSQL").

Preventing the attacks

To prevent the common web-based attacks, the application should be properly designed and developed starting from the data tier, followed by the application and web tiers. In the data tier, it should validate all input ("input validation"), give minimum access to application database users ("least privilege"), bind parameters instead of using them directly in statements ("parameter binding"), encrypt sensitive data ("encryption") and expose no internal error messages to end users ("internal error messages"). In the application tier, in order to prevent intrusions and attacks, the application servers should have properly set up firewalls ("firewall"), defined file system privileges for all authorized users ("privileges") and proper software testing such as port scanning, XSS scanning and manual testing ("software testing"). In the web tier, in order to prevent and handle the attacks, it should challenge access requests to prevent POST attacks ("CAPTCHA"), divert attackers' traffic to a dead-end IP address ("black holing") and set up a server that intercepts and processes requests on behalf of the original servers ("reverse proxy").

Developer Conference 2012


Reverse Proxy

A reverse proxy is a type of proxy server that retrieves resources for a client from one or more servers, so it hides and protects the origin servers from the client. In DoS attacks, the requests can be handled by the reverse proxy with the help of the proxy's cache mechanism and intrusion detection function. In malware attacks, the malware would be installed on the proxy server instead of the original servers, so the impact is minimised and recovery is much easier and faster. The reverse proxy can also accelerate the response time by resolving requests with data from its cache. If reverse proxies are set up across regions and countries nearer to the designated common user base, the traffic to the originating server will be lower and subsequently national bandwidth can be saved.

Varnish

Varnish is a reverse proxy that is available under a two-clause BSD license. It was initiated by the online branch of the Norwegian tabloid newspaper "Verdens Gang", and commercial support is available from Varnish Software. The current stable release version is 3.0.3. Varnish can increase server capacity by up to 90%, and its largest users include Facebook, Twitter, The New York Times, Globo, The Hindu, NBC, The Grammy Awards, Data.gov.uk, eZ, Drupal and WikiLeaks.

Demo

(a) Normal web application

In this scenario, each and every request from a client goes all the way through to the data tier, and subsequently the website becomes unresponsive.

(b) Web application with reverse proxy

In this scenario, only one request passes through to the data tier, and all other requests are handled by the reverse proxy's (Varnish's) cache.
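A configuration for demo scenario (b), added here as an illustration rather than taken from the paper or from Varnish's own distribution: a Varnish 3.0 VCL in which static assets are served from cache, requests carrying credentials bypass the cache, stale objects are served while a single fetch refreshes them, and headers that fingerprint the origin are stripped. The origin address 127.0.0.1:8080, the asset suffix pattern and the timer values are assumptions.

```vcl
# Added illustration, not part of the paper: a Varnish 3.0 VCL for demo (b).
# Origin address/port, the asset pattern and the timers are assumptions.
backend origin {
    .host = "127.0.0.1";           # assumed address of the origin web server
    .port = "8080";
    .connect_timeout = 1s;
    .first_byte_timeout = 10s;
    .max_connections = 50;         # cap concurrent connections to the origin
}

sub vcl_recv {
    # Only GET and HEAD are candidates for caching; everything else is passed
    if (req.request != "GET" && req.request != "HEAD") {
        return (pass);
    }
    # Static assets do not depend on cookies, so drop them to make the objects cacheable
    if (req.url ~ "\.(css|js|png|jpg|gif|ico)$") {
        unset req.http.Cookie;
    }
    # Anything still carrying credentials is personalised: never serve it from cache
    if (req.http.Authorization || req.http.Cookie) {
        return (pass);
    }
    # Accept a stale object for up to an hour while one fetch refreshes it
    set req.grace = 1h;
    return (lookup);
}

sub vcl_fetch {
    # Expired or cookie-setting responses are marked hit-for-pass (as the built-in
    # VCL does) so later requests go straight to the origin instead of waiting
    if (beresp.ttl <= 0s || beresp.http.Set-Cookie) {
        set beresp.ttl = 120s;
        return (hit_for_pass);
    }
    set beresp.grace = 1h;
    return (deliver);
}

sub vcl_deliver {
    # Mark hits/misses for the demo and strip headers that fingerprint the origin
    if (obj.hits > 0) {
        set resp.http.X-Cache = "HIT";
    } else {
        set resp.http.X-Cache = "MISS";
    }
    unset resp.http.Server;
    unset resp.http.X-Powered-By;
    return (deliver);
}
```

With this in place, repeated requests for the same cacheable URL return X-Cache: HIT, and while a cached copy is being refreshed only one of them reaches the origin.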

Conclusion

Poor application design and configuration is vulnerable to attacks, and maximizing website performance allows it to withstand normal attacks. When a website gets high traffic or gains public attention, the infrastructure should be set up properly to handle a huge workload and proactively prevent common web-based attacks. The website should be tuned to its best performance in terms of availability and security in each tier. A reverse proxy can not only help website performance but also prevent common web-based attacks. As the "Varnish" software requires low initial cost and involves low risk, it is widely used for web applications. Therefore, websites hosted inside Myanmar that get high traffic or gain huge public interest should install "Varnish" as a reverse proxy to prevent common web-based attacks and boost website performance for a better user experience.



