
PantelisVasilis-9120 asked:

Azure Front Door WAF rate-limit behind NAT

Hello,

I was researching Azure Front Door rate-limiting capabilities and, as far as I can tell, rate-limiting happens on an IP level, i.e. when an IP surpasses the limit set for a given threshold it's blocked from calling the backend for a certain amount of time (I think 1 minute by default, not sure if that's configurable at all).

My question is, if the offending client is behind a NAT network (a corporate network for example), then the whole network and all other clients in it are also rate-limited. Is there a way in Azure FrontDoor WAF to set the rate-limit for that client only? For example, is there a way to rate limit depending on a header value or some way to differentiate the offending client from all the other clients behind the same network and IP?

Thank you,
Vasilis

Tags: azure-front-door, azure-web-application-firewall

1 Answer

GitaraniSharmaMSFT-4262 answered:

Hello @PantelisVasilis-9120 ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you would like to know if there is a way to rate limit on Azure Front Door WAF depending on a header value or some way to differentiate the offending client from all the other clients sitting behind NAT?

It should be possible.
As documented in our documentation,

Rate limits can be combined with additional match conditions such as HTTP(S) parameter matches for granular rate control.

So, you can combine the rate limit rules with HTTP/HTTPS request parameters such as query strings, POST args, Request URI, Request Header, and Request Body.

Refer to the doc below on how to configure a WAF rate limit rule using Azure PowerShell and link it to Azure Front Door:
https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-rate-limit-powershell?toc=/azure/frontdoor/toc.json

From the Azure Portal, you can configure the same under WAF policies --> custom policies --> Add custom rule, as below:

[screenshot: Azure Portal "Add custom rule" form for the WAF policy]

In the match conditions, you can configure "matchVariable": "RequestHeader".
Refer to the article below for how to define the HTTP match parameters:
https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-custom-rules#waf-custom-rules-example-based-on-http-parameters

Kindly let us know if the above helped or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.





Hi,

Thank you for the prompt response. Unfortunately this doesn't help all that much. We cannot safely put values in a header match rule that would be different per client.

Imagine if someone behind a NAT network opened our login page and entered some credentials and for some unknown reason the API call to authorize the credentials starts hitting the endpoint multiple times per second. How would I construct a rate-limit rule to say "this person behind the NAT network is abusing my endpoint, rate-limit them" instead of "this IP is abusing my endpoint, rate-limit it"?

And of course, the rule should be such that an actual attacker would get blocked, and that blocking should happen at the edge (where the rate-limit rules are defined).

Thank you again for your answers,
Vasilis


Hello @PantelisVasilis-9120 ,

Thank you for the update.

Let me discuss this requirement with the Azure Front Door Product Group to get more information and will keep you posted.

Regards,
Gita


Hello @PantelisVasilis-9120 ,

Below is the response from our Product Group team on this requirement:

There is no straightforward way to achieve this. Some of the options that can be tried are as below:

1) We can match based on a specific URL and do rate limiting only for that URL. For example, we can do rate limiting based on www.contoso-ad.com/login.php
Refer to the rate limiting section in the blog below, where this approach is covered:
https://techcommunity.microsoft.com/t5/azure-network-security-blog/azure-waf-custom-rule-samples-and-use-cases/ba-p/2033020

2) There are some header values which are unique per client ( e.g: Cookie ). Those header values can be leveraged.

3) Another option is to ask the NAT device to insert an X-Forwarded-For header with the client IP value

Kindly let us know if the above helps.
I've also reached out to the Azure WAF Product Group team and awaiting their response. Will keep you posted.

Regards,
Gita


Hello @PantelisVasilis-9120 ,

One more addition to this:

There are two type of match variables in IP address match, RemoteAddr and SocketAddr. RemoteAddr is the original client IP that is usually sent via X-Forwarded-For request header. SocketAddr is the source IP address WAF sees. If your user is behind a proxy, SocketAddr is often the proxy server address.

You can configure a rate limiting rule with the "RemoteAddr" match variable.

Refer: https://docs.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-configure-ip-restriction

Regards,
Gita




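As an added example (not code from the thread, from the linked docs, or from Microsoft), the Azure PowerShell script below puts the answer's PowerShell approach and the two Product Group suggestions that can be expressed as WAF rules into one policy: a rate-limit rule scoped to the login URL (option 1) and a rate-limit rule that matches on RemoteAddr, i.e. the X-Forwarded-For client address, instead of SocketAddr (the RemoteAddr note above). The resource group, policy and Front Door names, the /api/login path, the private IP ranges and the thresholds are all assumed placeholders.

```powershell
# Added example, not from the thread: a Front Door WAF policy with two
# rate-limit custom rules, linked to an existing Front Door frontend endpoint.
# Assumed/placeholder values: resource group, policy and Front Door names,
# the /api/login path, the client IP ranges and the thresholds.
# Requires Az.FrontDoor:  Install-Module Az.FrontDoor ; Connect-AzAccount

$rg            = "rg-waf-demo"        # assumed resource group
$policyName    = "afdwafratelimit"    # assumed policy name (alphanumeric only)
$frontDoorName = "contoso-afd"        # assumed existing Front Door (classic)

# Rule 1 (option 1 in the Product Group reply): only requests whose path
# contains /api/login count toward the threshold, so ordinary browsing from
# the same NAT address never contributes to the block.
$loginPath = New-AzFrontDoorWafMatchConditionObject `
    -MatchVariable RequestUri `
    -OperatorProperty Contains `
    -MatchValue "/api/login"

$loginRateLimit = New-AzFrontDoorWafCustomRuleObject `
    -Name "RateLimitLogin" `
    -RuleType RateLimitRule `
    -MatchCondition $loginPath `
    -RateLimitThreshold 20 `
    -RateLimitDurationInMinutes 1 `
    -Action Block `
    -Priority 10

# Rule 2 (the RemoteAddr note): for customers whose egress proxy inserts
# X-Forwarded-For, match on RemoteAddr (the forwarded client IP) rather than
# SocketAddr (the NAT/proxy address the WAF sees on the TCP socket).
# The ranges are placeholders for that customer's internal address space.
$forwardedClient = New-AzFrontDoorWafMatchConditionObject `
    -MatchVariable RemoteAddr `
    -OperatorProperty IPMatch `
    -MatchValue "10.0.0.0/8", "192.168.0.0/16"

$forwardedRateLimit = New-AzFrontDoorWafCustomRuleObject `
    -Name "RateLimitForwardedClients" `
    -RuleType RateLimitRule `
    -MatchCondition $forwardedClient, $loginPath `
    -RateLimitThreshold 20 `
    -RateLimitDurationInMinutes 1 `
    -Action Block `
    -Priority 20

# Prevention mode so matching requests are blocked at the edge, not just logged.
$policy = New-AzFrontDoorWafPolicy `
    -ResourceGroupName $rg `
    -Name $policyName `
    -Customrule $loginRateLimit, $forwardedRateLimit `
    -Mode Prevention `
    -EnabledState Enabled

# Link the policy to the first frontend endpoint of the existing Front Door.
$frontDoor = Get-AzFrontDoor -ResourceGroupName $rg -Name $frontDoorName
$frontDoor.FrontendEndpoints[0].WebApplicationFirewallPolicyLink = $policy.Id
Set-AzFrontDoor -InputObject $frontDoor

# Read back what was deployed.
Get-AzFrontDoorWafPolicy -ResourceGroupName $rg -Name $policyName |
    Select-Object -ExpandProperty CustomRules |
    Format-Table Name, RuleType, Priority, RateLimitThreshold, RateLimitDurationInMinutes, Action
```

Two caveats before relying on this. First, a match condition only decides which requests are counted; check the current Azure docs for the key the WAF groups the counter by before assuming rule 2 isolates one client behind a NAT. Second, RemoteAddr is derived from X-Forwarded-For, a header any internet client can set itself, so an attacker can spread requests across forged addresses; use the RemoteAddr rule only for traffic from proxies you trust and keep a SocketAddr-based rule as the floor for everyone else.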
PantelisVasilis-9120 replied to GitaraniSharmaMSFT-4262:

Hello again,

Sorry for the delay in my response. This is pretty much what we already knew about Azure Front Door. It's impossible to control our customers' network configuration so a lot of them will probably not use a proxy that applies the X-Forwarded-For header in requests but use NAT on a lower level.

Cookies are probably the only way that makes some sense as they can be created per session and then used as a parameter for rate-limiting. We are considering our options but would love to see automatic cookie handling or some other mechanism on Azure Front Door for rate limiting, in the sense that we would like to leverage Azure's edge network to do this work for us and not have packets even reaching our backend if they are considered malicious per our rate-limiting rules.

Thank you for your time and effort in this request.

Kind regards,
Vasilis
