How to protect your GCP apps from bad bots using Cloud Armor and Load Balancer?

I have a Google Cloud Platform Load Balancer as the CDN and entry point for my running services.

As far as I know, the GCP Load Balancer provides out-of-the-box DDoS protection even without any custom Cloud Armor rules set up.

Does it also include some protection against "bad bots" that scrape information or send spam?

If not, can we set up some rules with Cloud Armor to protect GCP services from such bots?

Since your question is very broad and not very precise, I will only point out some of the main features and benefits of Cloud Armor and point you to some useful documentation that will help you understand how to configure and use it.

The main features of Cloud Armor are:

  • Benefit from DDoS protection and WAF at Google scale
  • Detect and mitigate attacks against your Cloud Load Balancing workloads
  • Adaptive Protection (Preview) ML-based mechanism to help detect and block Layer 7 DDoS attacks
  • Mitigate OWASP Top 10 risks and help protect workloads on-premises or in the cloud

WAF is a set of web application firewall rules that you can configure to protect your resources. Rules are written in the CEL language, so please look at this documentation to help you understand how they work.

Adaptive protection

helps you protect your Google Cloud applications, websites, and services against L7 distributed denial-of-service (DDoS) attacks such as HTTP floods and other high-frequency layer 7 (application-level) malicious activity. Adaptive Protection builds machine-learning models that do the following:

  • Detect and alert on anomalous activity
  • Generate a signature describing the potential attack
  • Generate a custom Google Cloud Armor WAF rule to block the signature

Last but not least - what is OWASP?

OWASP stands for the Open Web Application Security Project, an online community that produces articles, methodologies, documentation, tools, and technologies in the field of web application security.

The Top 10 OWASP vulnerabilities in 2021 are:

  • Injection
  • Broken authentication
  • Sensitive data exposure
  • XML external entities (XXE)
  • Broken access control
  • Security misconfigurations
  • Cross site scripting (XSS)
  • Insecure deserialization
  • Using components with known vulnerabilities
  • Insufficient logging and monitoring

Putting it all together, Cloud Armor gives you a broad set of tools to protect your infrastructure from anything you can think of - as long as you can understand WAF rules and master the skill of writing them.

You can also try reCAPTCHA Enterprise, which integrates with Cloud Armor, to challenge all automated requests:

Google Cloud Armor provides effective management of automated clients' requests towards your backends through native integration with reCAPTCHA Enterprise. reCAPTCHA Enterprise uses advanced risk analysis techniques to distinguish between human users and automated clients. With the integration, reCAPTCHA Enterprise issues an encrypted token that contains the reCAPTCHA Enterprise assessment and associated attributes about the risk associated with the request. Google Cloud Armor deciphers this token without an additional request/response to the reCAPTCHA Enterprise server. Based on the token attributes, Google Cloud Armor lets you allow, block, or redirect the incoming requests.

Here is an example of redirecting to reCAPTCHA:

You can redirect a request to reCAPTCHA Enterprise to assess the user and serve manual challenges if necessary, without any additional reCAPTCHA Enterprise implementation. When human users share the same signature (such as URL paths or other L7 signatures) as a bot or an abusive system, this action provides a way for them to prove they are human and gain access, rather than being blocked. Only users who pass the assessment can acquire an exemption cookie and gain access to your service.
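The answer above describes the building blocks (CEL-based WAF rules, Adaptive Protection, rate limiting and the reCAPTCHA Enterprise redirect) but does not show how they fit together on one backend. The script below is an added example, not code from the answer or from Google: it uses `gcloud` to create a Cloud Armor security policy with a preconfigured OWASP CRS rule, a reCAPTCHA challenge on the login path, a rate-based ban, and then attaches the policy to the backend service behind the load balancer. The policy name, backend service name, site key and the `/login` path are placeholders; commands are only printed unless you run it with `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example (not from the original answer or from Google): assemble a Cloud Armor
# security policy with gcloud and attach it to the backend service behind an external
# HTTP(S) load balancer. POLICY, BACKEND and SITE_KEY are placeholders for your project.
# Commands are printed instead of executed unless DRY_RUN=0, so the script is safe as-is.
POLICY="${POLICY:-bot-protection-policy}"        # placeholder policy name
BACKEND="${BACKEND:-my-backend-service}"          # placeholder backend service name
SITE_KEY="${SITE_KEY:-RECAPTCHA_WAF_SITE_KEY}"    # placeholder reCAPTCHA Enterprise WAF site key
DRY_RUN="${DRY_RUN:-1}"

# Print the gcloud command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

create_policy() {
  run gcloud compute security-policies create "$POLICY" \
    --description="WAF rules, rate limiting and reCAPTCHA challenge for bots"
  # Adaptive Protection (ML-based L7 DDoS detection) is a policy-level switch.
  run gcloud compute security-policies update "$POLICY" --enable-layer7-ddos-defense
  # The site key is what lets Cloud Armor redirect to reCAPTCHA Enterprise and verify its tokens.
  run gcloud compute security-policies update "$POLICY" --recaptcha-redirect-site-key="$SITE_KEY"
}

# Priority 1000: preconfigured OWASP CRS signatures, expressed in Cloud Armor's CEL-based rule language.
# Sensitivity 1 enables only the lowest-false-positive signatures; --preview logs matches
# without enforcing, so you can tune the rule on real traffic before removing the flag.
waf_rule() {
  run gcloud compute security-policies rules create 1000 --security-policy="$POLICY" \
    --expression="evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 1}) || evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1})" \
    --action=deny-403 --preview
}

# Priority 2000: send requests for the login path to a reCAPTCHA challenge instead of blocking them,
# so humans sharing a bot's L7 signature can prove themselves and obtain the exemption cookie.
recaptcha_rule() {
  run gcloud compute security-policies rules create 2000 --security-policy="$POLICY" \
    --expression="request.path.matches('/login')" \
    --action=redirect --redirect-type=google-recaptcha
}

# Priority 3000: ban a client IP for 10 minutes once it exceeds 100 requests per minute.
rate_limit_rule() {
  run gcloud compute security-policies rules create 3000 --security-policy="$POLICY" \
    --src-ip-ranges='*' --action=rate-based-ban \
    --rate-limit-threshold-count=100 --rate-limit-threshold-interval-sec=60 \
    --ban-duration-sec=600 --conform-action=allow --exceed-action=deny-429 \
    --enforce-on-key=IP
}

# The policy only takes effect once it is bound to the load balancer's backend service.
attach_policy() {
  run gcloud compute backend-services update "$BACKEND" --security-policy="$POLICY" --global
}

apply_all() {
  create_policy && waf_rule && recaptcha_rule && rate_limit_rule && attach_policy
}

apply_all
```

Rule priority is evaluated lowest number first, so the WAF deny runs before the reCAPTCHA redirect and the rate limiter, and the default allow rule that Cloud Armor creates with the policy catches everything else. Keep the WAF rule in preview until the request logs show an acceptable false-positive rate, then recreate it without `--preview`.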