WAF Implementation for Swapnil Patni’s Classes

Swapnil Patni Classes was founded in December 2010. It provides specialized class-room training for students undergoing the Chartered Accountancy Course. The Academy conducts model examinations and online classes to boost the confidence of the students.

They are one of the major CA training classes in India. Students from different parts of India attain SPC classes for enhancements in their career. They also inspire students through motivational lectures as they believe without inspiration the best powers of the mind remain dormant.

Many CA topper students are from SPC batches additionally 1st AIR topper of November 2016 batch is student of SPC classes, and 85 rankers has achieved their milestone. The mark gainers and rankers itself reflects the quality of their classes.

Swapnil Patni classes are serving live video lectures through their custom application. There would be around 3000 students who attains the live class online, also there is a provision of watching offline recorded videos.

SPC was facing challenges to protect their content (video tutorials) from illegitimate users, and identify the specific problem statements which are described below –

1. SPC was facing challenges like – accessing and downloading video tutorials from several non-registered users which causing not only increase unnecessary traffic but also downgrading the reputation of SPC. [Query-string]
2. SPC also facing activities like – from few clients/IPs send a large number of SYN packets, but never send the final ACK packets to complete the handshakes. The server is left waiting for a response to the half-open TCP connections and eventually runs out of capacity to accept new TCP connections. [DDOS]

3. SPC also anticipates that their contents may be accessed purposefully from some of the embargoed countries which may be used for piracy. So, they want to block access of their videos from those geographical areas. [black-list]

1. To protect the video content from unauthorized access a token is generated from WAF (integrated with CloudFront) and appended with the signed URL of video content, so only legitimate users can access the link. Anybody other than authorized users if trying to access the link the WAF Query-String rule will block the access due to absence of the specific token defined in Query-String Rule.

2. Enable the firewall to detect and filter the SYN packets. While modern operating systems are better equipped to manage resources, which makes it more difficult to overflow connection tables, servers are still vulnerable to SYN flood attacks.

There are a number of techniques have been adopted to mitigate SYN flood attacks, which mainly rely on the target network’s ability to handle large-scale volumetric DDoS attacks, with traffic volumes measured in tens of Gigabits (and even hundreds of Gigabits) per second.

Micro blocks—administrators can allocate a micro-record (as few as 16 bytes) in the server memory for each incoming SYN request instead of a complete connection object.

SYN cookies—using cryptographic hashing, the server sends its SYN-ACK response with a sequence number (seq-no) that is constructed from the client IP address, port number, and possibly other unique identifying information. When the client responds, this hash is included in the ACK packet. The server verifies the ACK, and only then allocates memory for the connection.

RST cookies—for the first request from a given client, the server intentionally sends an invalid SYN-ACK. This should result in the client generating an RST packet, which tells the server something is wrong. If this is received, the server knows the request is legitimate, logs the client, and accepts subsequent incoming connections from it.

Stack tweaking—administrators can tweak TCP stacks to mitigate the effect of SYN floods. This can either involve reducing the timeout until a stack frees memory allocated to a connection, or selectively dropping incoming connections.

3. To protect the video content accessing from embargoed countries we noted backlisted IP ranges from OFAC sanctioned countries. We create a WAF Stack for this Black-Listed IP ranges in Web-ACL which works for both IPv4 and IPv6 address type.

• After implementing Query-String rules in WAF, SPC account now completely eliminate the possibility of unauthorized user access thus saving the unwanted traffic which previously put unnecessary load on the server causing extra penny to lose for nothing.
• Benefits are multifold when the DDOS protection from WAF is enabled – which helps SPC account to rightfully identify the spoofer and blocking them from IP spoofing thus saving SPC account from exploiting. Also, it helps from unnecessary exploitation of TCP connections pool resulting legitimate users can now connect the application in time without any hassle.
• Nowadays piracy is the major challenge in all sector and learning portal like SPC was also a victim of this kind of malicious activity. But after implanting WAF rule for the Black-listed IPs it can now block all type of access from OFAC sanctioned countries and help SPC account to save their learning tutorial being pirated.