Protecting Your WAX Blockchain RPC Endpoints from DDoS Attacks and Abuse

bountyblok
7 min readAug 26, 2024

--

Photo by Ant Rozetsky on Unsplash

Introduction

As a WAX Block Producer or RPC provider, ensuring the security and reliability of your endpoints is crucial. Public endpoints, such as https://api.wax.bountyblok.io/, are targets for malicious activities such as spamming and DDoS attacks. This guide provides a detailed approach to securing your WAX RPC endpoints using various techniques and tools.

1. Rate Limiting and Quotas

NGINX Rate Limiting

NGINX is a powerful tool that can act as a reverse proxy and load balancer with built-in rate limiting capabilities.

Install NGINX:

sudo apt-get install nginx

Configure Rate Limiting:

http {
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

server {
listen 80;
server_name api.wax.bountyblok.io;

location / {
limit_req zone=one burst=5 nodelay;
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
}

HAProxy Rate Limiting

HAProxy can also be configured to limit the rate of incoming requests:

Install HAProxy:

sudo apt-get install haproxy

Configure Rate Limiting:

Edit your HAProxy configuration file (e.g., /etc/haproxy/haproxy.cfg):

frontend http_front
bind *:80
bind *:443 ssl crt /etc/ssl/private/your_cert.pem
default_backend http_back

acl rate_limit_exceeded src_http_req_rate(10s) gt 10
http-request deny if rate_limit_exceeded

backend http_back
balance roundrobin
server server1 127.0.0.1:8080 check

Using iptables-persistent for DDoS Protection

While NGINX and HAProxy provide robust solutions for rate limiting, another layer of defense can be established at the network level using iptables. iptables is a powerful tool for configuring the Linux kernel's firewall, and iptables-persistent allows these rules to be saved and reloaded automatically on reboot.

Configuring iptables-persistent

iptables can be used to block or limit traffic from specific IP addresses or ranges, making it a useful tool to mitigate DDoS attacks or prevent abuse of your WAX RPC endpoints. Below is an example of how to set up basic rate limiting using iptables.

# Create a new chain for rate limiting
iptables -N RATE_LIMIT

# Set the default return action
iptables -A RATE_LIMIT -m limit --limit 10/min -j RETURN

# Drop connections that exceed the limit
iptables -A RATE_LIMIT -j DROP

# Apply rate limiting to incoming HTTP requests on port 80
iptables -A INPUT -p tcp --dport 80 -j RATE_LIMIT

# Save the rules
iptables-save > /etc/iptables/rules.v4

This configuration will drop any connections exceeding 10 requests per minute, effectively providing another layer of protection against excessive requests. For SSL/TLS traffic, you can replicate the same rules for port 443.

To simplify the process, you can use a script created by an OG community developer and Block Producer, cc32d9, which automates the setup of iptables rules specifically tailored for WAX RPC endpoints. You can find the script here.

2. IP Reputation Management

To protect your WAX RPC endpoints in real-time, you can dynamically assess the reputation of incoming IP addresses and block those deemed malicious. This involves integrating IP reputation checks directly into your server’s request-handling process.

Real-Time IP Reputation Check and Blocking

Instead of manually updating a blocklist, you can automate the process by integrating a real-time IP reputation check directly into NGINX. This can be done using an external script or service that intercepts incoming requests, checks the IP’s reputation, and then either allows or blocks the request based on the result.

Python Script for Real-Time IP Reputation Check:

Here’s a Python script that could be used as a middleware to check IP reputation:

import requests
from flask import Flask, request, abort

app = Flask(__name__)

def get_ip_reputation(ip):
response = requests.get(f'https://api.ipgeolocation.io/ipgeo?apiKey=YOUR_API_KEY&ip={ip}')
data = response.json()
return data['threat']['is_threat']

@app.before_request
def check_ip_reputation():
ip = request.remote_addr
if get_ip_reputation(ip):
abort(403) # Block the request if IP is flagged as a threat

@app.route('/')
def hello_world():
return 'Hello, World!'

if __name__ == '__main__':
app.run()

This script uses Flask as a web server that checks the reputation of each incoming IP request before allowing it to proceed. If the IP is flagged as malicious, the request is blocked with a 403 Forbidden response.

Integrating with NGINX:

You can deploy the above script as a service and configure NGINX to proxy requests through it before passing them to your main application.

NGINX Configuration:

server {
listen 80;
server_name api.wax.bountyblok.io;

location / {
# Pass the request through the reputation-checking service first
proxy_pass http://127.0.0.1:5000; # Flask service running on port 5000
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

In this setup:

  1. Proxy Requests to the Flask Service: NGINX proxies incoming requests to the Flask service running on 127.0.0.1:5000.
  2. Real-Time Reputation Check: The Flask service checks the IP reputation in real-time using the ipgeolocation API.
  3. Block or Allow Requests: If the IP is flagged as a threat, the Flask service returns a 403 Forbidden response, and the request is blocked. Otherwise, the request is passed on to your main application.

Considerations:

  • Performance Impact: Real-time IP checks can introduce latency, especially if the external IP reputation service is slow. Consider caching results or using a local database to reduce repeated API calls.
  • Rate Limits: Be aware of any API rate limits imposed by the IP reputation service and implement strategies to stay within those limits, such as request batching or using multiple API keys.

3. Advanced Bot Protection

To protect your WAX RPC endpoints from sophisticated automated attacks, implementing advanced bot protection is essential. Cloudflare Bot Management offers a powerful solution by using machine learning and behavioral analysis to detect and mitigate harmful bot traffic.

Cloudflare Bot Management

Steps to Enable Bot Management:

  1. Log in to Cloudflare: Access your Cloudflare account. If you don’t have one, set it up and point your domain to Cloudflare’s DNS.
  2. Go to the “Firewall” Section: In the dashboard, navigate to “Firewall” and enable “Bot Management.”

Creating Firewall Rules:

  1. Navigate to “Firewall Rules”: Under the “Firewall” tab, select “Create a Firewall Rule.”
  2. Set Conditions: Use the expression (cf.bot_management.score < 30) to identify and handle suspicious traffic.
  3. Choose an Action: Define the action — Challenge or Block — for requests with a bot score below 30, which are likely to be malicious.
Field: cf.bot_management.score
Operator: Less Than
Value: 30
Action: Challenge or Block

4. Save and Deploy: Activate the rule to enhance your bot protection.

Monitoring and Adjusting:

We useCloudflare’s advanced bot management, and can confirm it has been quite effective in safeguarding our WAX RPC endpoints from automated attacks.

4. Behavioral Analysis and Anomaly Detection

Machine Learning Models

Implement machine learning models to detect and block anomalous behavior patterns.

Usage Pattern Analysis

Monitor usage patterns for anomalies such as unusually high request rates or access patterns that deviate from typical user behavior.

5. IP Whitelisting and Blacklisting

Whitelist Trusted IPs

Allow only known, trusted IP addresses to access sensitive endpoints.

server {
listen 80;
server_name api.wax.bountyblok.io;

location / {
allow 192.168.1.0/24; # Replace with your trusted IP range
deny all;
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

Blacklist Malicious IPs

Deny known malicious IP addresses.

server {
listen 80;
server_name api.wax.bountyblok.io;

location / {
deny 203.0.113.0/24; # Replace with known malicious IP range
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

6. Monitoring and Alerts

Prometheus and Grafana

Prometheus is a powerful monitoring system that scrapes and stores metrics, while Grafana provides visualization tools for these metrics, allowing you to create dashboards and set up alerts.

Install Prometheus:

sudo apt-get update
sudo apt-get install prometheus

For detailed installation instructions, refer to the Prometheus documentation.

Install Grafana:

sudo apt-get install -y software-properties-common
sudo add-apt-repository "deb https://packages.grafana.com/oss/deb stable main"
sudo apt-get update
sudo apt-get install grafana
sudo systemctl start grafana-server
sudo systemctl enable grafana-server

For more information, check the Grafana installation guide.

Configure Prometheus to Scrape Metrics:

Next, configure Prometheus to scrape metrics from your services. Edit the Prometheus configuration file (/etc/prometheus/prometheus.yml):

global:
scrape_interval: 15s

scrape_configs:
- job_name: 'nginx'
static_configs:
- targets: ['localhost:9113']

For configuration details, visit the Prometheus configuration documentation.

ELK Stack (Elasticsearch, Logstash, Kibana)

The ELK Stack is a set of tools used for searching, analyzing, and visualizing log data in real-time, making it easier to detect unusual patterns that might indicate bot activity or security issues.

Install Elasticsearch:

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
sudo apt-get install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt-get update
sudo apt-get install elasticsearch
sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch

For more details, visit the Elasticsearch installation guide.

Install Logstash:

sudo apt-get install logstash
sudo systemctl start logstash
sudo systemctl enable logstash

You can find more information in the Logstash installation documentation.

Install Kibana:

sudo apt-get install kibana
sudo systemctl start kibana
sudo systemctl enable kibana

For detailed installation steps, see the Kibana installation guide.

By setting up these tools, you can continuously monitor your infrastructure, visualize key metrics, and analyze logs to detect and respond to potential threats in real-time.

Conclusion

Securing your WAX RPC endpoints from botnets and spammers requires a multi-layered approach. Implementing rate limiting, IP reputation management, advanced bot protection, and monitoring can significantly enhance the security and reliability of your endpoints. By following the steps outlined in this guide, WAX Block Producers and RPC providers can protect their valuable resources and ensure a stable and secure service for their users.

To find out how you can easily and quickly incorporate bountyblok into your project, we’d love to hear from you:

Website | Telegram | Twitter | Email

--

--