Wafris is the open-source Web Application Firewall that works with your web framework to protect your sites from dark traffic, intrusions, and attacks.
We're trying to make managing the security of your web apps as automatic as possible. One way we accomplish that is with rulesets: collections of rules specific to threats, frameworks, and goals.
We analyzed the traffic of one of our beta users after they put Wafris on their production site.
- 50% AI Bots scraping the site
- 35% SEO Bots scraping the site
- 15% Legit traffic
A ton of good feedback and questions have been making it our way after publishing our RailsWorld 2023 recap post.
We're always happy to chat with other dev-focused founders about these things. Feel free to DM @rmcastil or @mbuckbee
Can you tell what this bot is doing? (see screenshot)
Answer: it’s a bot using 🇨🇳 Chinese proxy servers, probing for compressed, manually backed-up copies of the site that are kept on the server.
Backups that might have API keys, ENV files, or other high-value targets.
It’s essential to recognize that bots going directly for the jugular aren’t playing around but exhibiting direct hostile intent.
Here, the second screenshot shows where a single bot (proxied through the US, UK, and Latvia) is ripping through 27 exploits in 3 seconds.
3/3
Seems like a good time to announce publicly that we're going to have our Laravel client out very soon (we're still looking for some more beta testers) and are working on a Pulse card for it.
Introducing Laravel Pulse. 💓
Pulse delivers at-a-glance insights into your production application's performance and usage. Track down slow jobs and endpoints, find your most active users, and more.
Next week on GitHub. A gift from Laravel to you.
@rskopecek
@_swanson
Yeah, that's pretty much the case across the board for "public" sites, API/backend sites see fewer (but often more concerning attacks). One of our early users saw a 95% bandwidth savings as their site was so ridden with bots.
Why do bots request random-seeming images, JS and CSS files on your site? (And they do; go look in your logs.)
They released free/open source themes into the wild that contain backdoors and exploits.
The requests identify sites with the compromised themes.
@jlogic
@mbuckbee
They don't (because most don't trigger js) - which is a separate problem as it's very misleading as to what your actual traffic hitting your site is.
🤖 Bots are learning too quickly. They now scrape for domains, names, and emails to enhance their probing abilities.
Here's a screenshot (from our dashboard) of a 🇨🇳 Chinese bot (based on path requests) making proxied requests through a 🇹🇷 Turkish IP.
1/2
@DouTatsu
We’re pretty close. Want to wrap up some things before fully turning on self-service. Two weeks tops but are trying to have it done this week.
How to spot fakes? One of the easiest ways is to check the "age" of the browser version, given that most are now constantly updated, and older versions stick out. Then there's this Chinese botnet (see screenshot)
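One way to run the browser-age check from the post above over access logs, as an added example (not Wafris code and not part of the original posts). The baseline versions, the staleness threshold, the function names and the sample log lines are all constructed assumptions.

```python
import re
from collections import Counter

# Assumed "current" major versions, constructed for this example; in practice
# refresh them from vendor release data on a schedule.
CURRENT_MAJOR = {"Edg": 120, "Firefox": 121, "Chrome": 120}
MAX_LAG = 10  # assumed threshold: major versions behind before a UA is "stale"

UA_TOKEN = re.compile(r"\b(Edg|Firefox|Chrome)/(\d+)")
LOG_LINE = re.compile(r'^(\S+) .*"([^"]*)"$')  # client IP, last quoted field (UA)

def browser_lag(user_agent):
    """Return (family, majors_behind), or None if no known browser token is found."""
    tokens = dict(UA_TOKEN.findall(user_agent))
    # Edge also advertises "Chrome/", so check the more specific token first.
    for family in ("Edg", "Firefox", "Chrome"):
        if family in tokens:
            return family, CURRENT_MAJOR[family] - int(tokens[family])
    return None

def stale_clients(log_lines, max_lag=MAX_LAG):
    """Count requests per client IP whose claimed browser is over max_lag majors old."""
    hits = Counter()
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ip, user_agent = m.groups()
        lag = browser_lag(user_agent)
        if lag and lag[1] > max_lag:
            hits[ip] += 1
    return dict(hits)

# Constructed sample lines in combined log format (documentation IP ranges).
_REQ = '- - [01/Dec/2023:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-"'
_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
_KIT = "AppleWebKit/537.36 (KHTML, like Gecko)"
SAMPLE_LOG = [
    f'203.0.113.7 {_REQ} "{_WIN} {_KIT} Chrome/120.0.0.0 Safari/537.36"',
    f'198.51.100.23 {_REQ} "{_WIN} {_KIT} Chrome/79.0.3945.88 Safari/537.36"',
    f'198.51.100.23 {_REQ} "{_WIN} {_KIT} Chrome/79.0.3945.88 Safari/537.36"',
    f'198.51.100.24 {_REQ} "{_WIN} Gecko/20100101 Firefox/52.0"',
    f'192.0.2.10 {_REQ} "{_WIN} {_KIT} Chrome/120.0.0.0 Safari/537.36 Edg/120.0.2210.61"',
    f'192.0.2.55 {_REQ} "curl/8.4.0"',
]

if __name__ == "__main__":
    print(stale_clients(SAMPLE_LOG))
```

The User-Agent header is client-controlled, so a stale version is one signal to weigh alongside request paths and rates rather than a verdict by itself. Clients that send no browser token at all (the `curl` line here) return `None` and need a separate rule.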