Skip to content

Creates and updates a DynamoDB database with a list of blacklisted IP addresses from public RBLs

Notifications You must be signed in to change notification settings

hcentive/waf-update-ipdatabase

Repository files navigation

waf-update-ipdatabase

AWS Lambda function that creates and updates a DynamoDB database with a list of blacklisted IP addresses from the following public RBLs -

  • Alienvault OTX
  • Tor Exit Nodes

Design

AWS Web Application Firewall (WAF) filters web traffic before it hits the origin. WAF is a managed service that is deployed outside the VPC. So, it is a logical place to verify requests before they reach the VPC.

Several security focussed organizations publish reputation lists with IP addresses of bad actors. Some popular ones are

An aggregated collection of bad IP addresses is maintained in a DynamoDB database that is updated frequently using this utility. DynamoDB Streams are enabled on the table to trigger the waf-update-blackist Lambda function to update the IP blacklist with any changes to the DynamoDB table.

WAF Update Design

NOTE: A decoupled design is implemented to enable support for other web application firewalls. For example, updating an blacklisted IPs data group in F5 load balancer; or, update the banned IPs list in Brocade's Virtual Traffic Manager.

Configuration and Installation

The plugin is implemented in Node.js. The following components are required to run this plugin -

  • git
  • nodejs (6.10)

Check out the repository from git -

$ git clone https://github.com/hcentive/waf-update-ipdatabase

Go to the waf-update-ipdatabase directory. Rename alienvault.json.template to alienvault.json.

$ cd waf-update-ipdatabase
$ mv conf/alienvault.json.template conf/alienvault.json

Update configuration attributes with your Alienvault OTX API credentials. Replace YOUR_API_KEY with your OTX API key from Alienvault.

{
  "alientvaultRBL" : "https://otx.alienvault.com/api/v1/pulses/subscribed",
  "otx_host" : "otx.alienvault.com",
  "otx_api_key" : "YOUR_API_KEY",
  "otx_start_path" : "/api/v1/pulses/subscribed"
}

Install dependencies

$ npm install -g

Create a Lambda deployment package by zipping contents of the waf-update-ipdatabase directory into a single zip file

$ zip -r waf-update-ipdatabase.zip .

Create the Lambda function using the CLI. An IAM role with permissions to create DynamoDB tables and insert/update/delete items is necessary to execute this Lambda function. Depending on the execution time and memory consumption, the --timeout and --memory-size parameters may need to be specified as well.

$ aws lambda create-function \
--region us-east-1 \
--function-name waf-update-ipdatabase \
--zip-file fileb://waf-update-ipdatabase.zip \
--role waf-update-ip-database-execution \
--runtime nodejs6.10 \
--handler exports.handler

The Lambda function can be invoked manually to test it.

$ aws lambda invoke --function-name waf-update-ipdatabase result.txt

The function should be scheduled to update the database frequently.

License

Apache license

About

Creates and updates a DynamoDB database with a list of blacklisted IP addresses from public RBLs

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published