Sunray Group

AWS-WAF-Service
Industry Vertical – Hospitality

The Client

Sunray Group is a family-owned, multifaceted corporation specializing in hospitality and development. Sunray believes in the strength of brand equity. The group is successfully building an ever-increasing portfolio of award-winning brands, which include Marriott, Starwood, Hilton, Radisson, Best Western, IHG, Wyndham and Choice Hotels. They have also developed prominent brands such as Tim Horton's, McDonald's, Fionn McCool’s, Shell and Petro Canada.

The Challenge

Their web presence is the most visited part of their entire digital infrastructure. Our client is one of the biggest developers in the region, and they are naturally exposed to all kinds of attacks and efforts to compromise their systems. It was imperative that the infrastructure be protected with all resources at hand so that there is no downtime and that attacks are prevented. It was observed that there had been multiple instances of Denial-of-Service attacks, probes for operating system and application vulnerabilities, and attempted SQL injection attacks.

The Solution

We recommended the customer leverage AWS WAF, a web application firewall that enables them to create custom, application-specific rules that block common attack patterns that could affect the availability of the digital estate and compromise security. The OWASP Top 10 WAF rules provided by AWS were used as the base. All the preconfigured protective features that define the rules included in an AWS WAF web access control list (web ACL) were selected. Once the solution was deployed, AWS WAF began inspecting web requests to the customer's existing Amazon CloudFront distributions or Application Load Balancers and blocking them when applicable.

How The Environment Is Protected

AWS WAF was configured with a set of rules, called a web access control list (web ACL), that allow, block, or count web requests based on customizable web security rules and conditions that were pre-defined.

The AWS WAF is used to protect the environment against common web exploits which could affect workload availability and performance, compromise security, or consume excessive resources.

To customize the WAF, we used a combination of AWS pre-defined rules and wrote customized rules that help protect the customer environment against attacks that are specific to the region or workload.

Manual IP lists (Whitelist and Blacklist): This component creates two specific AWS WAF rules that allow us to manually insert IP addresses that we want to block or allow.
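The allow/block/count behaviour of a web ACL and the two manual IP list rules described above are easy to get wrong in one respect: rule priority decides what happens when a source matches both lists. The following is an added illustration, not code from Sunray Group, the AWS WAF service or the AWS Security Automations solution. It models web ACL evaluation in plain Python (rules in ascending priority, ALLOW and BLOCK terminate, COUNT continues, then the default action) and uses constructed documentation IP ranges; the rule names, the request dict shape and the `/admin` path rule are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Rule:
    name: str
    priority: int                    # lower number is evaluated first
    action: str                      # "ALLOW", "BLOCK" or "COUNT"
    matches: Callable[[dict], bool]  # predicate over a request dict


def ip_set_matcher(cidrs: List[str]) -> Callable[[dict], bool]:
    """Return a predicate that is true when the request's source IP falls in any CIDR."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]

    def match(req: dict) -> bool:
        addr = ipaddress.ip_address(req["source_ip"])
        return any(addr in n for n in nets)

    return match


def evaluate(rules: List[Rule], request: dict, default_action: str = "ALLOW") -> dict:
    """Model of web ACL evaluation: rules run in ascending priority; ALLOW and
    BLOCK terminate evaluation, COUNT records the match and continues; the web
    ACL default action applies if no rule terminated."""
    counted = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.matches(request):
            continue
        if rule.action == "COUNT":
            counted.append(rule.name)
            continue
        return {"action": rule.action, "rule": rule.name, "counted": counted}
    return {"action": default_action, "rule": None, "counted": counted}


# Constructed manual lists (documentation ranges, not the client's addresses).
ALLOW_LIST = ["203.0.113.0/24"]
# 203.0.113.5 is deliberately in both lists: because the allow rule has the
# lower priority number, it wins, which is what you want for trusted sources
# that an automated block list might otherwise catch.
BLOCK_LIST = ["198.51.100.0/24", "192.0.2.7/32", "203.0.113.5/32"]


def build_rules() -> List[Rule]:
    return [
        Rule("manual-allow-list", 0, "ALLOW", ip_set_matcher(ALLOW_LIST)),
        Rule("manual-block-list", 1, "BLOCK", ip_set_matcher(BLOCK_LIST)),
        # COUNT is how a new rule is staged: matches show up in the WAF logs
        # and metrics without affecting traffic, so false positives can be
        # found before the action is switched to BLOCK.
        Rule("staged-admin-path", 2, "COUNT", lambda r: r["uri"].startswith("/admin")),
    ]


if __name__ == "__main__":
    for req in ({"source_ip": "203.0.113.5", "uri": "/"},
                {"source_ip": "192.0.2.7", "uri": "/admin/"},
                {"source_ip": "192.0.2.10", "uri": "/admin/"}):
        print(req["source_ip"], req["uri"], "->", evaluate(build_rules(), req))
```

In a real web ACL the same ordering is expressed through each rule's Priority value and the IP sets through IP set reference statements. One check worth doing after deployment: when the ALB sits behind CloudFront or another proxy, an IP set rule on the ALB's web ACL matches the proxy's address unless the rule is configured to read the client address from the X-Forwarded-For header, so the manual lists would silently stop matching the intended sources.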

SQL Injection and XSS Attacks: The solution configures two native AWS WAF rules designed to protect against common SQL injection and cross-site scripting (XSS) patterns in the URI, query string, or body of a request.

HTTP flood: This component protects against attacks that consist of a large number of requests from a particular IP address, such as a web-layer DDoS attack or a brute-force login attempt.

Scanners and Probes: This component parses application access logs searching for suspicious behaviour, such as an abnormal number of errors generated by an origin. It then blocks those suspicious source IP addresses for a customer-defined period of time.
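The HTTP flood and Scanners and Probes components above both work from the same raw material: per-source request activity observed at the load balancer. As an added example (not code from the page, from Sunray Group or from AWS), the block below parses ALB access log lines, flags sources whose request count in a sliding window reaches a rate limit (the logic a rate-based rule applies) and builds a time-limited block list for sources that generate too many error responses in a window. The log lines, thresholds (100 requests per five minutes, 5 errors per five minutes, a four-hour block) and IP addresses are all constructed for the example; the field positions follow the documented ALB access log layout, and only the first 16 fields of a line are emitted.

```python
import shlex
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List


def parse_alb_line(line: str) -> dict:
    """Extract the fields these checks need from one ALB access log line.
    Layout: field 1 is the timestamp, field 3 client:port, field 8 the ELB
    status code and field 12 the quoted request line."""
    f = shlex.split(line)
    return {
        "time": datetime.strptime(f[1], "%Y-%m-%dT%H:%M:%S.%fZ"),
        "client_ip": f[3].rsplit(":", 1)[0],
        "status": int(f[8]) if f[8] != "-" else 0,
        "request": f[12],
    }


def http_flood_sources(events: List[dict], limit: int = 100,
                       window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Sources whose request count in any sliding window reaches `limit`,
    with the peak count seen (the check a WAF rate-based rule performs)."""
    recent: Dict[str, deque] = defaultdict(deque)
    peak: Dict[str, int] = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["time"]):
        q = recent[ev["client_ip"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:   # drop requests outside the window
            q.popleft()
        peak[ev["client_ip"]] = max(peak[ev["client_ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= limit}


def scanner_block_list(events: List[dict], error_threshold: int = 5,
                       window: timedelta = timedelta(minutes=5),
                       block_period: timedelta = timedelta(hours=4)) -> Dict[str, datetime]:
    """Sources producing `error_threshold` or more 4xx/5xx responses inside
    `window`, mapped to the time their block should expire."""
    errors: Dict[str, deque] = defaultdict(deque)
    blocked: Dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if not 400 <= ev["status"] < 600:
            continue
        q = errors[ev["client_ip"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if len(q) >= error_threshold:
            blocked[ev["client_ip"]] = ev["time"] + block_period  # renewed on each new error
    return blocked


def alb_line(ts: datetime, ip: str, status: int, path: str) -> str:
    """Constructed ALB access log line (first 16 fields, documented order)."""
    return (
        f'https {ts.strftime("%Y-%m-%dT%H:%M:%S.%f")}Z app/example-alb/0123456789abcdef '
        f'{ip}:43210 10.0.1.5:80 0.000 0.002 0.000 {status} {status} 120 530 '
        f'"GET https://www.example.com:443{path} HTTP/1.1" "Mozilla/5.0" '
        f'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2'
    )


def sample_log() -> List[str]:
    """Constructed log: one scanner, one flooding source, one normal visitor."""
    t0 = datetime(2024, 5, 1, 12, 0, 0)
    lines = []
    # Scanner: six requests for files that do not exist, every one a 404.
    for i, path in enumerate(["/wp-login.php", "/phpmyadmin/", "/admin/",
                              "/backup.zip", "/.env", "/old/"]):
        lines.append(alb_line(t0 + timedelta(seconds=i), "198.51.100.23", 404, path))
    # Flood: 120 requests for the home page inside one minute, all served.
    for i in range(120):
        lines.append(alb_line(t0 + timedelta(milliseconds=500 * i), "203.0.113.9", 200, "/"))
    # Normal visitor: three page views, all served.
    for i in range(3):
        lines.append(alb_line(t0 + timedelta(seconds=30 * i), "192.0.2.10", 200, "/rooms"))
    return lines


if __name__ == "__main__":
    events = [parse_alb_line(line) for line in sample_log()]
    print("flood sources:", http_flood_sources(events))
    print("scanner blocks:", scanner_block_list(events))
```

The normal visitor trips neither check, the flooding source is reported with its peak of 120 requests and the scanner is blocked until four hours after its last error. The error-count check is what distinguishes a scanner from a busy legitimate client: the flood check counts every request, the probe check only failed ones, so the two lists should be kept separate and the block period tuned per list.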

IP Reputation Lists: This component is the IP Lists Parser AWS Lambda function, which checks third-party IP reputation lists hourly for new ranges to block.

Bad Bots: This component automatically sets up a honeypot, a security mechanism intended to lure and deflect an attempted attack.

Benefits

The WAF security automations implemented based on the OWASP Top 10 rules were able to block 90 percent of all non-legitimate traffic compared with before AWS WAF was deployed, with the rest being blocked by application-specific controls. Traffic to and from the infrastructure is monitored and visible in near real time through the AWS WAF, AWS Application Load Balancer (ALB), Amazon CloudFront and Amazon CloudWatch logs. We also customized the access of specific applications/users by means of the whitelisting/blacklisting and rate-limiting features. There were repeated Denial of Service attempts from certain IPs coming from certain countries, so country-level blocking for varying periods, or greylisting, was automatically enabled.