IP Blocking with Brute Force - Load Balancer


Hello,


When dealing with Environments configured with Load Balancers and Applications exposed to the Internet, we want to use Outsystems Brute Force prevention to block not only username / password attempts but also IP addresses that are forcing application access.

Using a Load Balancer, the requests executed against the Frontend Servers use the Load Balancer IP Address and not the Client IP. I assume that if an attack is executed against the Environment, the LB IP Address will be blocked, leading to a global user blocking mechanism. To avoid this, we could add the IP Address of the LB to our Environment Network Security: "ServiceCenter/Environment_NetworkSecurity.aspx"

But this can also affect the IP blocking, since the Client IP can be missing (only if we add the 'x-forwarded-for' header field or something related to this - and does Outsystems take these fields into consideration?), leading to an unblock mechanism for this IP Address.


Question

How does Outsystems support Brute Force prevention when dealing with this common Architecture configuration?

It would be nice to get this well described so we can act upon it.



Extra Info

Load Balancer - Outsystems Best Practices:

https://success.outsystems.com/Support/Enterprise_Customers/Maintenance_and_Operations/Load_Balancing_OutSystems_Applications/01_Recommended_configurations_for_Load_Balancing

Outsystems Brute Force Prevention: (no Load Balancer guidance)

https://success.outsystems.com/Documentation/10/Managing_the_Applications_Lifecycle/Secure_the_Applications/Protection_against_Brute_Force_Attacks



Thank you. 




Hi,

When you say "are using the Load Balance IP Address and not the Client IP" it means that you are using the GetIP action of HttpRequestHandler extension?


Regards,

Bruno F. Cantante

Bruno Cantante wrote:

Hi,

When you say "are using the Load Balance IP Address and not the Client IP" it means that you are using the GetIP action of HttpRequestHandler extension?


Regards,

Bruno F. Cantante

You can see how this is used in the Users eSpace by opening a clone

Hi Miguel


You have a Site Property in the Users eSpace for those cases, I believe.


Hello,

Thank you for your feedbacks.

We can configure Brute Force prevention, making it available by site property or environment configuration. But the question is whether brute force prevention works as expected when the Farm is configured with a Load Balancer.

In this case, we executed some tests related to this topic and all users were blocked automatically, since the IP received on the FESs is the Load Balancer IP and not the Client IP Address.

What we want to know is how we can block external (Client) IP Addresses without taking the Load Balancer into account.


Example:

Client executes a HTTP request to our Application. The Load Balancer receives this request and redirects the request to one of the internal Frontend Servers. For the internal FrontEnd servers, the IP from the Client is the Load Balancer IP Address. A solution seems to be related to the x-forwarded-for field that can be present in the header. I don't know if Outsystems takes that field into account in this scenarios.


Thank you.


Kind regards,

Miguel Sousa

Bruno Cantante wrote:


You can see how this is used in the Users eSpace by opening a clone

Hello Bruno,

Yes, Users is using GetIp, which will return the LB IP address and not the Client IP that executed the request. I didn't read the complete code, but it would be nice to have a clear picture from Outsystems regarding this topic (also explained in the Help or support documentation), since it's part of the security topics that are normally critical for Online Apps.


Thank you for your feedback.


Miguel Sousa wrote:


Hello Bruno,

Yes, Users is using GetIp, which will return the LB IP address and not the Client IP that executed the request. I didn't read the complete code, but it would be nice to have a clear picture from Outsystems regarding this topic (also explained in the Help or support documentation), since it's part of the security topics that are normally critical for Online Apps.


Thank you for your feedback.



Your platform solution is a PaaS Solution?


The GetIP action gets the IP from the request header; I think the LB is not supposed to change this content.

Hi Miguel,

You are correct, when enabling BruteForcePerIp the address blocked will be the Load Balancer's address.

I believe this is an environment configuration issue. You can find a configuration called Trusted proxy addresses in ServiceCenter > Administration tab > Security > Network Security where you can add the LoadBalancer address.

 As it states in the help note: List of IP addresses or ranges of addresses for proxies that inject X-Forwarded-For headers and must be respected by the platform (as load balancers). Leaving the field empty means the platform will not look at the header.

Add the LB address to that configuration, republish the module (as a safety measure, caches are always a problem) and repeat the test.
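The mechanism behind the "Trusted proxy addresses" setting described above (and the lockout of the Load Balancer address reported in the opening post) is the standard right-to-left walk of the X-Forwarded-For header, trusting only hops that belong to a configured proxy list. The following is an added example, not OutSystems platform code and not code from anyone in this thread; it models that resolution in Python and feeds it into a toy per-IP lockout counter so the two outcomes (empty trusted list versus LB range trusted) and the header-spoofing case can be seen side by side. The addresses, the `THRESHOLD` value and the attempt list are constructed for the illustration.

```python
import ipaddress
from collections import Counter


def _networks(trusted_proxies):
    # The setting accepts single addresses or ranges; normalise both to networks.
    return [ipaddress.ip_network(t, strict=False) for t in trusted_proxies]


def _trusted(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def resolve_client_ip(remote_addr, xff_header, trusted_proxies):
    """Address that a per-IP brute-force counter should be keyed on.

    remote_addr     -- TCP peer address as seen by the front-end server
    xff_header      -- raw X-Forwarded-For value, or None if absent
    trusted_proxies -- IPs/CIDRs of proxies allowed to assert X-Forwarded-For
    """
    nets = _networks(trusted_proxies)
    # No trusted proxies configured, or the peer is not one of them: the
    # header is untrusted client input and is ignored entirely.
    if not nets or not _trusted(remote_addr, nets):
        return remote_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Each trusted proxy appends the address it received the request from,
    # so walk right to left and stop at the first address that is not a
    # trusted proxy: that is the real client. Anything to its left was
    # supplied by the client itself and must not be believed.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr      # malformed header: fall back to the peer
        if not _trusted(hop, nets):
            return hop
    return remote_addr              # header absent, or only proxy addresses


def blocked_addresses(attempts, trusted_proxies, threshold):
    """Toy BruteForcePerIp: count failed logins per resolved client IP and
    return the set of addresses at or above the lockout threshold."""
    counts = Counter(
        resolve_client_ip(remote, xff, trusted_proxies) for remote, xff in attempts
    )
    return {ip for ip, n in counts.items() if n >= threshold}


# Constructed sample traffic (hypothetical addresses). LB_IP is the load
# balancer; ATTACKER sends six failed logins, LEGIT sends one; all arrive via
# the LB, which appends the real client address to X-Forwarded-For.
LB_IP, ATTACKER, LEGIT = "10.0.0.5", "203.0.113.10", "198.51.100.7"
ATTEMPTS = [(LB_IP, ATTACKER)] * 6 + [(LB_IP, LEGIT)]
THRESHOLD = 5

if __name__ == "__main__":
    # Empty trusted list: every attempt is attributed to the LB, so the LB
    # address is locked out and, with it, every user behind it.
    print(blocked_addresses(ATTEMPTS, [], THRESHOLD))
    # LB range trusted: only the attacker's address is locked out.
    print(blocked_addresses(ATTEMPTS, ["10.0.0.0/24"], THRESHOLD))
    # Spoofing: a client that reaches the front end directly with a forged
    # header is keyed on its own address; through the LB the forged value is
    # pushed left and the LB-appended hop wins.
    print(resolve_client_ip(ATTACKER, LEGIT, ["10.0.0.0/24"]))
    print(resolve_client_ip(LB_IP, f"{LEGIT}, {ATTACKER}", ["10.0.0.0/24"]))
```

Two practical checks follow from the walk: the trusted list should contain only the load balancer's own addresses or range (trusting a broad range such as 0.0.0.0/0 lets any client choose the address that gets blocked), and the front-end servers should not be reachable from the Internet except through the balancer, otherwise the peer-address fallback never engages and an attacker can bypass the per-IP counter by switching to direct requests.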

Hi Hélder Gregório,

Thank you for your feedback.


Ok, I will make sure we have the x-forwarded-for header with the Client IP address.

Can you please provide me the Link of that statement?

I will mark that answer as the right one after trying this configuration.


Thank you!


Kind regards,

Miguel Sousa


You mean the help note I just mentioned? You can find it on this page:


I acknowledge that this should be mentioned in the documentation that you shared. I'll make sure this is referenced in those links.