How to Easily Block Users from a Specific Browser with AWS WAF

AWS Web Application Firewall (WAF): An Overview

AWS Web Application Firewall is a very important service to protect your applications running in AWS Cloud from the Layer-7 attacks like SQL injection attacks, Cross-site scripting attacks, HTTP flooding, and many more. Web Application Firewall is a global service and can be associated with CloudFront and some regional services like Application Load Balancer, API Gateway, Cognito user pool, AWS Verified Access, Amazon AppSync GraphQL API, and Amazon App Runner service. We can create Web ACL in the WAF service, using which the web traffic filtering can be done and applications can be protected.

What is Web ACL in WAF?

In the WAF, we can create the Web ACL associated with the resources. The Web ACL consists of Custom rules or rule groups and the Managed rule groups using which the web traffic is filtered or controlled. Real-time metrics are also generated for each rule or rule group created in the Web ACL.

Custom Rules or Rule Groups – We can write our own rule statements and define the action to be taken if the rule statement matches the source request. You can use IPset in this option to define the list of IP addresses to be blocked or allowed.

Managed Rule Groups – These are rule groups available from AWS and the AWS marketplace. It consists of readymade rule groups created for specific traffic filtering or protection. There are charges for using marketplace rule groups or some AWS rule groups. But this is the best option when you lack in-house expertise.

Creating Web ACL and writing rules to block specific user-agent

Below are the steps to create the Web ACL to block access to our application running behind the Application Load Balancer from the Chrome browser.

Configuration Steps-

1. In the AWS console, search for WAF service from the search bar.
2. In the WAF console window, in the left pane, click on the ‘Web ACL‘ option.
3. Then, in the main window, select the region for Web ACL
4. Click ‘Create web ACL.‘
5. Enter the name for Web ACL in the Name field.
6. For the ‘Resource Type,’ Click the ‘Regional resources‘ option.
7. Select the appropriate region based on the resource region.
8. Click ‘Add AWS Resources‘ and select the resource name and then select the actual name of the resource listed in the below window, then Click ‘Add.‘
9. Click ‘Next.‘
10. In the rules tab, Click ‘Add rules‘ and then click ‘Add my own rules and rule groups
11. Select the option ‘Rule builder.‘
12. Enter a name for the rule (for example- useragentblock)
13. Select ‘Regular rule.‘
14. In the ‘If a request‘ option, select ‘matches the statement.‘
15. In the statement window, enter the information as given below.
    

    Regular expression from the above figure to match Chrome user-agent –

    ^Mozilla\/5\.0 \(.+?\) AppleWebKit\/\d+\.\d+ \(KHTML, like Gecko\) Chrome\/\d+\.\d+\.\d+\.\d+ Safari\/\d+\.\d+$

16. In the Action window, select the ‘Block’ option.

17. Click the ‘Validate‘ button from the Rule window

18. Now scroll down and click ‘Add rule.‘
19. In ‘Default web ACL action for requests that don’t match any rules,‘ select ‘Allow.‘
20. Click ‘Next.‘

21. Set the priority for rule execution if multiple rules are created. Otherwise, click ‘Next.‘

22. On Configure metrics window, keep all settings default and click ‘Next.‘

23. Now review the thins and click ‘Create web ACL.‘

Now your Web ACL is created and associated with the AWS resource you are trying to protect.

Testing the results

Once the Web ACL is created, try to access your application URL through the Edge and Chrome browsers. You can see that the same application is accessible from the Edge browser but not from the Chrome browser.

Conclusion

Thus, we can conclude that using the Web Application Firewall, we can write multiple rule statements and create a Web ACL, which can be associated with the AWS resources specified above to protect them from layer-7 attacks. Also, we can filter the web traffic as per our requirements.

About CloudThat