Authentication Test Blog


Home-Rolling WAFs are Fun

2025/09/24 @ 10:45 by Robert Lerner

My home-rolled WAF I talked about in the last blog worked really well: it mitigated a ton of noise / attacks and has kept the site online. But I realized I just don't have the time it needs to take care of the constant abuse of the site -- and there are services out there that can help. Enter Cloudflare. Pretty cool technology: I was able to actually roll back some of the protections I was using by moving this site to a new machine and throwing Cloudflare in front of it. Now, I can create rules that protect my web app from ever seeing the noise from the wider internet.

This should allow more interesting inputs and actions... But it is still a WAF. If you run into any issues with the site during your use, let me know in the Contact Us page so I can understand your use case and consider adjusting.

Web Application Firewall, DDoS, and Downtime

2025/03/04 @ 23:17 by Robert Lerner

On March 2nd, this site received over 440,000 requests from numerous IP addresses from compromised (botnetted) devices. This service has never harvested user information or usage, has never charged a cent to operate, and has never pulled a Wikipedia and begged for money. I fully fund the development, maintenance, improvement and hosting costs myself because I know this is a useful tool.

I use cheaper cloud services to host this, and do not typically experience DDoS attacks (meaning I can just block an IP and move on when I get hit). So the site was down for a bit -- but that went longer, because real life happens and I left the site down while I took care of real life.

Starting yesterday, the 3rd, I've implemented some security measures:

I have also blocked a handful of IP addresses, but not those previously attacking. It is important to me that I keep the site open for people to test scripts and perform smoke tests of their applications. If your use case is impacted by my change, I'd like to get in touch -- I can add exemptions or even remove rules.

For this reason, I've added both this new blog page and the Contact Us page. I'd also like to hear about new auth technologies you'd like to practice against.