How to protect a locally hosted domain behind a DNS based load balancer

Hello,
We currently use cloudflare to protect our informational website at our .org domain. This website is at a hosting facility in another state.

We have a .com domain that is in house and has access to a few web applications and OWA / email. This .com domain sits behind a pair of Ecessa PowerLink DNS based load balancing appliances in HA mode. The PowerLink appliances are authoritative over the .com domain and when our names are queried against them, they offer the IP that is on an ISP that is confirmed up, and also offer the IP that is most capable (load balancing). There are two ISP’s into the device so if one goes down, DNS with 30 second TTL will only advertise the IP of the working ISP. This has worked great for our organization.

Now we have a situation where we would like to apply velocity rules to prevent hitting certain web applications x number of times in a minute… basically layer 7 brute force password attacks from random sources. We can only keep adding IP’s to our firewall’s blacklist for so long. We feel that Cloudflare can probobly protect us from this type of attack. So the questions are:

  1. How do you configure cloudflare in front of an Ecessa PowerLink load balancer that is already authoritative over the .com domain you want to protect?
  2. The web server logs for things like Exchange and other IIS servers need to still be able to track the actual IP address of the visitor, not cloudflares IP.
  3. Is there velocity scanning?
  4. We’re already protecting our .org domain. Is there additional costs involved with adding a .com domain?
  5. Is it all or nothing? Say we have 40 cumulative IP’s (20 with each ISP) as an example. Say 5 of them are web servers running on port 443. But say a bunch of other ones are just VPN endopints (point to points). Assuming the other end is using direct IP, theres is no change?

Appreciate any links to how-to’s, or even any reps reaching out.

Thanks!

That sure sounds like a Sales question, but maybe @cscharff is up for a mental workout.

Heh… it’s like @sdayman thinks he can just tag me in a question and I’ll somehow magically appear and answer a question. :vulcan_salute:

A lot of possibilities and no single ‘right answer’ but I’ll take a stab. Depending on the solution I was designing at a high level I’d probably explore the following offerings (not all of them may turn out to be appropriate, or might be considered for a v2 or v3 depending on how effective av1 solution design met the organization’s needs). In absolutely no particular order:

Magic Transit
Spectrum
Load Balancing
WAF
Rate Limiting
Bot Management
Cloudflare for Teams (Access)
Cloudflare for Teams (Gateway)

The following answers are off the cuff based on the informtion provided, so to the extent they sound like a dolt, please be kind and assume perhaps i was missing a bit of info and that the average SE t Cloudflare would have asked better follow-up questions. :smiley:

1a. If you configured Cloudflare in a CNaME setup then as long as the trger of say… owa.example.com was lb1.example.com (no reason the lb name needs to match the record the user is looking up it just needs to resolve to the right ip eventually) then in Cloudflare one could :orange: the OWA record (which points to lb1.example.com and leave the authoritative DNS server to provide the correct/current IP. Plans: Biz, ENT

1b. Configure example.com as a secondary DNS zone on Cloudflare and set your authorittive DNS server to be a hidden primary. Changes to DNS records on the primary will sync to Cloudflare. Requires your current primary support synchronization to a secondary. Plans: ENT

1c. Use Cloudflare in full setup, ditch your current DNS system as authoritative for the zone and update the records via API if a link is unavailable. Plans: All

  1. For proxied traffic restoring visitors IPs to IIS or other application logs is pretty straightforward. Plans: All

3a. Yes
3a-1 Rate Limiting Plans: All (Features vary by plan)
3a-2 Bot Management Plans: Ent

  1. It depends. Pro, Biz and ENT plans are billed per zone/ per feature on pay per use features.

5a. Cloudflare’s core services are DNS proxy based. So it isn’t protecting IPs exactly… though you can obfuscate the true origin behind Cloudflare. By default Cloudflare’s core services support a limited number of ports related to HTTP/S and websocket traffic.

5b. There is also Cloudflare Access which can provide a zero trust security solution to public internal websites to the interwebs along with support for RDP and SSH access and some other misc protocols.

5c. Cloudflare Spectrum can protect arbitrary ports. Plan: ENT

5d. Magic Transit provides DDoS protection for networks (/24 and larger) in an on deman or always on model.

5e. Some combination of all of the above.

Included links to some other things like Gateway which with the current social distancing causing a lot of folks to WFH can also be interesting (and probably useful even w/o that)… not directly related to the question being asked but given key terms in your description it tossed it in.

Sorry the response was so long, I don’t really have time to give a shorter one (need to go stream some trivia on Twitch or something). Have a great weekend! :slight_smile:

3 Likes

@csharff

Thanks for the detailed response. Last last night we were able to make the switch and use the CNAME method, your first suggestion above. It is working well.

We are seeing 810.87k block and 703.47k challenges in the last 7 hours or so. Our internal firewall traffic has gone down CONSIDERABLY. The Cloudflare logs are indicative of the IP ranges we manually were keeping up to date on our on prem firewall. AS20473 - AS-CHOOPA , AS4131 CHINANET-BACKBONE No.31, AS14061 - DIGITALOCEAN-ASN are the top three offenders. I’ll tell you AS-CHOOPA (most of which belong to Vultr.com) and Digital Ocean… I would NEVER do buisness with. They don’t care and haven’t responded to abuse reports. I guess if your a bad guy those are the two services to consider standing up your bots!

Anyway I’m not sure if you know this answer or not, but if you have a login page set for a challenge / captcha, you see in the log all of the IP’s hitting it by Digital Ocean, Amazon-02, AS-CHOOPA, JASTEL-NETWORK-TH-AP, Tor, etc… and it says action taken “Challenge”, but it doesn’t say if they passed the challenge or failed the challenge. Like if I expand the date column it shows the Ray ID, HTTP version, host and path, user agent, IP / ASN, Action Taken which is Challenge… but nowhere does it says Passed the challenge or failed the challenge.
I have to say its a pretty good challenge, I did it from my home network and those picture captchas are some of the best around. I found my IP in the log showing I was challenged but it didn’t look any different from an IP that was from a botnet who was also challenged. I was really looking forward to seeing in the detail if they passed or failed the captcha.

1 Like

Found i can see how many captcha challenges were passed by just clicking slightly to the left of the graph in the firewall rule next to it to toggle either line graph or numbers.

This topic was automatically closed after 31 days. New replies are no longer allowed.