Enhancing security and trust with AWS WAFv2


A Web Application Firewall (WAF) is considered a critical part of an effective security solution: it protects the website and strengthens the overall security posture. The goals of any web application firewall are:

  • Protection against known vulnerabilities and threats
  • Identification of and protection against bad bots
  • Protection against Distributed Denial of Service (DDoS) attacks
  • Real-time intelligence to block blacklisted sources
  • Geolocation enforcement

As the world’s largest fantasy sports platform with 110 million+ users, we at Dream11 run multiple contests simultaneously while maintaining optimum user experience and efficiently process millions of user requests per minute. Our user-first and data-driven teams have made it their priority to ensure that the Dream11 app remains protected against common as well as advanced threats and vulnerabilities. In this blogpost, we will explain how AWS WAF has helped us to do so and why we switched from AWS WAF classic to AWS WAFv2 for better manageability and more visibility.

How does WAF work?

A Web Application Firewall is configured between the client and the web server. For every request from the client, the WAF inspects it and checks whether any WAF rule matches the request. If a request matches a rule, for example the Cross-Site Scripting payload shown in the diagram above, the WAF blocks it and it never reaches the application server. A WAF also supports putting specific rules into count mode (monitor mode), where matching requests are not blocked but are tagged so you can see how the rule behaves before enforcing it.

AWS WAF is a managed service for protecting applications hosted on AWS. It can be attached to the following resources:

  • Amazon CloudFront distribution
  • Application Load Balancer
  • Amazon API Gateway REST API
  • AWS AppSync GraphQL API

AWS WAF comes with two different versions:

  • AWS WAF classic
  • AWS WAFv2 (introduced in Nov 2019)

Why AWS WAFv2?

AWS WAF classic is powerful and can protect against common attacks. However, AWS WAFv2 brings many improvements over AWS WAF classic that make it more effective at handling malicious traffic.

After considering all the new enhancements offered in WAFv2, we decided to migrate from WAF classic to AWS WAFv2. There are two ways to do so:

Option 1: Using Migration Wizard

Option 2: Manually create new WAF rules and conditions

The Challenges:

  • The migration wizard can migrate only unique rules across all web ACLs, and it cannot migrate web ACLs across AWS accounts
  • Manual migration requires setting up everything (including rules and conditions) from scratch, which was too complicated and time consuming for us.

Our Solution:

We took a hybrid approach: the migration wizard for the bulk of the work, plus a little manual work to fill the gaps.

First, we migrated all unique rules across all the web ACLs with the wizard. Then we exported the JSON of the common rules and imported that JSON into each web ACL as required. WAFv2 supports both a visual console and a JSON editor for creating new WAF rules and conditions, so all we had to do was import the JSON of the common rules and create new, customized JSON rules across our AWS accounts.

Things to consider while migrating using Migration Wizard:

  • Web ACLs can be migrated only within the same AWS account
  • If multiple web ACLs share the same resources, such as IP sets and regex pattern sets, they will be duplicated under the new WAF
  • Rate-based rules cannot be migrated
  • Managed rules from the AWS Marketplace cannot be migrated
  • Logging for web ACLs will be disabled by default
  • CloudWatch alarms configured for WAF classic need their metric names updated
  • AWS WAF Security Automations Lambda functions need to be updated manually.
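The JSON-import step of the hybrid approach, the count mode mentioned earlier, and the wizard gaps listed above (rate-based rules and metric names) can all be handled with a small script. The following is an added example, not Dream11's tooling or AWS code: it takes rule definitions in the WAFv2 rule JSON shape (Name, Priority, Statement, Action or OverrideAction, VisibilityConfig), merges wizard-migrated rules with a shared set of common rules, renumbers priorities so no two collide, optionally stages the common rules in count mode, and rebuilds a rate-based rule by hand. The sample rules are constructed for illustration; the rule names, limits and metric names are assumptions.

```python
import copy
import json

def visibility(metric_name):
    """VisibilityConfig block; MetricName is what CloudWatch alarms key on."""
    return {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": metric_name,
    }

# Constructed sample: a rule as exported from a web ACL the wizard produced.
MIGRATED_RULES = [
    {
        "Name": "BlockXSSInBody",
        "Priority": 5,
        "Statement": {
            "XssMatchStatement": {
                "FieldToMatch": {"Body": {}},
                "TextTransformations": [
                    {"Priority": 0, "Type": "URL_DECODE"},
                    {"Priority": 1, "Type": "HTML_ENTITY_DECODE"},
                ],
            }
        },
        "Action": {"Block": {}},
        "VisibilityConfig": visibility("BlockXSSInBody"),
    }
]

# Constructed sample: a "common" rule kept as JSON and imported into every web ACL.
# Managed rule groups carry OverrideAction, not Action.
COMMON_RULES = [
    {
        "Name": "AWSManagedRulesCommonRuleSet",
        "Priority": 0,
        "Statement": {
            "ManagedRuleGroupStatement": {
                "VendorName": "AWS",
                "Name": "AWSManagedRulesCommonRuleSet",
            }
        },
        "OverrideAction": {"None": {}},
        "VisibilityConfig": visibility("AWSManagedRulesCommonRuleSet"),
    }
]

def rate_based_rule(name, limit, priority=0):
    """Rate-based rules do not migrate; rebuild one as WAFv2 JSON.
    `limit` is the maximum requests per source IP in the 5-minute window."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": visibility(name),
    }

def to_count_mode(rule):
    """Copy of `rule` switched to count (monitor) mode; the input is left untouched."""
    staged = copy.deepcopy(rule)
    key = "OverrideAction" if "OverrideAction" in staged else "Action"
    staged[key] = {"Count": {}}
    return staged

def validate_rule(rule):
    """Reject rules missing required keys or using the wrong action key."""
    for key in ("Name", "Priority", "Statement", "VisibilityConfig"):
        if key not in rule:
            raise ValueError(f"{rule.get('Name', '?')}: missing {key}")
    stmt = rule["Statement"]
    is_group = "ManagedRuleGroupStatement" in stmt or "RuleGroupReferenceStatement" in stmt
    expected = "OverrideAction" if is_group else "Action"
    if expected not in rule or ("Action" in rule and "OverrideAction" in rule):
        raise ValueError(f"{rule['Name']}: rule group references need OverrideAction, others Action")

def merge_rules(migrated, common, stage_common=True):
    """Common rules first (in count mode when staging), then migrated rules.
    Priorities are renumbered 0..n-1 and names must be unique within a web ACL."""
    ordered = [to_count_mode(r) if stage_common else copy.deepcopy(r) for r in common]
    ordered += [copy.deepcopy(r) for r in migrated]
    seen = set()
    for prio, rule in enumerate(ordered):
        validate_rule(rule)
        if rule["Name"] in seen:
            raise ValueError(f"duplicate rule name: {rule['Name']}")
        seen.add(rule["Name"])
        rule["Priority"] = prio
    return ordered

def metric_names(rules):
    """Metric names to point existing CloudWatch alarms at after migration."""
    return [r["VisibilityConfig"]["MetricName"] for r in rules]

if __name__ == "__main__":
    rules = merge_rules(MIGRATED_RULES + [rate_based_rule("RateLimitPerIP", 2000)], COMMON_RULES)
    print(json.dumps(rules, indent=2))
    print("metrics:", metric_names(rules))
```

The printed array is in the shape accepted by the WAFv2 JSON editor and by `aws wafv2 update-web-acl --rules file://rules.json` (that call also needs the web ACL's name, id, scope, default action, visibility config and current lock token). Staging the common rules in count mode first lets you read the sampled requests and CloudWatch metrics before switching them to enforce, and `metric_names` gives the list to feed into the alarm updates the wizard does not do for you.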

