
Forum Moderators: Ocean10000 & incrediBILL & phranque

Incapsula and 'Origin Lock'

     
10:14 pm on Jan 8, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:June 25, 2007
posts:1090
votes: 7


I just run a small biz site and I'm a bit of a noob with server issues. I recently just started using the CDN Incapsula, just to give me a bit more protection, and a simple way to shut down problem IPs and a couple countries that were a headache. I noticed they recommend doing what they call "origin block", which is apparently going through numerous steps to try and hide my origin IP/server space from attacks. Looking into it, this appears to be a bit laborious and over my head. It involves keeping up with all of Incapsula's changing IPs and updating from my end and such. Is this really necessary for me to do? As I said, I just run a simple static HTML biz site. I just wanted to cut down on bot attacks and such. I don't really have to be locked up like Fort Knox. It's not like I'm a huge corp that's a big target or anything. If I don't block my origin, it's not like I will technically be any worse off than if I wasn't on the CDN to begin with, right?

Thanks for any help.
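The origin restriction asked about above comes down to two chores: keeping an allow-list of the CDN's ranges on the origin, and checking the origin's own log for requests that arrived without passing through the CDN. The sketch below is an added example, not part of the original post and not Incapsula's tooling; the ranges and log lines are constructed placeholders, and it assumes an Apache 2.4 host that honours `Require ip` in `.htaccess`.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 documentation space), NOT Incapsula's
# real ranges; the real list comes from the CDN provider and changes over time.
CDN_RANGES = ["192.0.2.0/24", "198.51.100.0/25"]

# Constructed access-log lines in Apache common-log style (client IP first).
SAMPLE_LOG = """\
192.0.2.17 - - [08/Jan/2017:22:14:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.9 - - [08/Jan/2017:22:14:05 +0000] "GET /wp-login.php HTTP/1.1" 404 312
198.51.100.200 - - [08/Jan/2017:22:15:40 +0000] "GET /contact.html HTTP/1.1" 200 2048
198.51.100.10 - - [08/Jan/2017:22:16:02 +0000] "GET /about.html HTTP/1.1" 200 1900
not-an-ip - - [08/Jan/2017:22:16:30 +0000] "GET / HTTP/1.1" 400 0
"""

def parse_ranges(cidrs):
    """Validate CIDR strings (a typo raises ValueError) and merge overlaps."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    merged = []
    for version in (4, 6):  # collapse_addresses cannot mix IPv4 and IPv6
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return merged

def htaccess_rules(networks):
    """Render an allow-list: several 'Require ip' lines act as 'any of these'."""
    lines = ["# origin lock: only the CDN's ranges may reach this site"]
    lines += [f"Require ip {net}" for net in networks]
    return "\n".join(lines)

def direct_hits(log_text, networks):
    """Return (line_no, client) for requests that did not come from a CDN range."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), 1):
        client = line.split(" ", 1)[0]
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            hits.append((no, client))  # unparseable client field: report it, don't skip
            continue
        if not any(addr in net for net in networks):
            hits.append((no, client))
    return hits
```

Running `direct_hits` on the origin's log before enabling the rules shows how much traffic is already reaching the server without going through the CDN.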
12:27 am on Jan 9, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:7770
votes: 265


As a general view... any time you block anything (IP (country) ranges, User Agents, request behavior, failed header fields) it is a mistake not to keep a diligent eye on your daily server logs to see just who is getting blocked. You will soon realize there are numerous down-sides to blocking with a broad brush.

The problem I see with letting any 3rd party (Incapsula, CloudFront, Cloudflare, et al) block your visitors, is they are not keeping watch. No one on their end is looking at who is actually being blocked and how that affects your interests, and since they distribute your file servers through their dynamic network, realistic server access log data is not even available.
6:24 pm on Jan 9, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:June 25, 2007
posts:1090
votes: 7


Actually, the data they show as far as what's getting blocked is pretty detailed. There's countries where 99.99% of what's coming out of there was malicious. In over a dozen years, I have never had any sort of business dealings with them. I just don't see a reason to put myself through that, when virtually nothing positive comes from it.
7:40 pm on Jan 9, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13543
votes: 404


There's countries where 99.99% of what's coming out of there was malicious. In over a dozen years, I have never had any sort of business dealings with them.

You could block visits based on their Accept-Language: header. The overwhelming majority of robots don't have the sense to send a fake-but-plausible header like English or French, so if someone claims to prefer Chinese or Russian they're most likely a botnet running off an infected machine. (And if they don't send the header at all, they're definitely a robot in any case.) If you're looking to exclude entire countries, you probably don't care about blocking legitimate search engines at the same time; if you do, you can easily make exemptions.
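An added example, not part of the post above: a dry run of an Accept-Language rule that lists which requests it would block, so the result can be reviewed before anything is enforced. The flagged languages, the exempt user-agent substrings and the sample requests are assumptions constructed for illustration.

```python
import re

# Assumptions for this sketch (not settings from the thread): which primary
# language tags to flag and which user-agent substrings are exempt.
FLAGGED_LANGS = {"zh", "ru"}
EXEMPT_AGENTS = ("Googlebot", "bingbot", "YandexBot")

# Constructed requests: (client, Accept-Language header or None, User-Agent).
SAMPLE_REQUESTS = [
    ("203.0.113.5", "en-US,en;q=0.9", "Mozilla/5.0 (Windows NT 10.0)"),
    ("203.0.113.6", None, "python-requests/2.12"),
    ("203.0.113.7", "zh-CN,zh;q=0.8,en;q=0.5", "Mozilla/5.0 (Windows NT 6.1)"),
    ("203.0.113.8", "ru", "Mozilla/5.0 (compatible; YandexBot/3.0)"),
    ("203.0.113.9", "en;q=0.3, ru-RU;q=0.9", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("203.0.113.10", "", "curl/7.50"),
]

def preferred_language(header):
    """Return the primary subtag of the highest-q language, or None if absent."""
    best, best_q = None, 0.0  # a tag with q=0 means "not acceptable": never chosen
    for part in (header or "").split(","):
        tag, _, params = part.strip().partition(";")
        tag = tag.strip().lower()
        if not tag:
            continue
        m = re.fullmatch(r"\s*q\s*=\s*([01](?:\.\d{0,3})?)\s*", params)
        # No parameter means q=1; a malformed parameter is treated as q=0.
        q = float(m.group(1)) if m else (1.0 if not params else 0.0)
        if q > best_q:
            best, best_q = tag.split("-")[0], q
    return best

def verdict(accept_language, user_agent):
    """Dry-run decision: 'exempt', 'no-header', 'flagged-lang' or 'allow'."""
    # User-Agent is self-declared, so this exemption is only as good as that string.
    if any(agent in user_agent for agent in EXEMPT_AGENTS):
        return "exempt"
    lang = preferred_language(accept_language)
    if lang is None:
        return "no-header"
    return "flagged-lang" if lang in FLAGGED_LANGS else "allow"

def audit(requests):
    """List what the rule would block, for review before it is enforced."""
    return [(ip, v) for ip, al, ua in requests
            if (v := verdict(al, ua)) in ("no-header", "flagged-lang")]
```

The fifth sample request lists English first but gives it a lower q-value than Russian, so a rule that only looks at the first tag would classify it differently from one that honours the weights.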
9:50 pm on Jan 9, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:7770
votes: 265


you can easily make exemptions
Not the way he's letting the CDN do it, throwing the baby out with the bathwater.

Example: there are at least 2 large data miners using RU ranges. They supply data to several EU & US marketing companies that use this data to offer advertisers info about sites in their niche or where their ads may do well. Blocking all RU ranges would block these potential advertisers, directly affecting your income if you use Adsense or similar. That's just one example.

This is a world stage. Blocking countries is a naive way of looking at things. Perps can use ranges from any country, any location. A malicious agent in Vietnam can easily use servers in France, US or Canada, etc.
12:33 am on Jan 10, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:13543
votes: 404


Not the way he's letting the CDN do it

I thought part of the original question was whether it's appropriate to use this CDN at all, if OP's main purpose is access control.

In any case: Even in this day and age, most robots are still extremely stupid. You can go a long way with rules that build on this simple premise.

Personally I wouldn't block Russia categorically. (China, yes. So shoot me. I am also annoyed by India, but this has more to do with chronically stupid humans* than robots.) Which reminds me that in the course of looking something up, tangential to this thread, I learned that some legitimate Yandex bots--especially mobile--claim to speak Turkish instead. Makes sense, I guess.


* As in: “Did you even look at the SERP snippet? Do you know what it's for? How 'bout the name of the page? For ### sake, why would you think my page is a match for your query?”
12:48 am on Jan 10, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:June 25, 2007
posts:1090
votes: 7


I'm not using AdSense. I sell direct. I have never sold a single item to anyone in the countries I have blocked, in over a dozen years. I understand that people *could* do a lot of things to circumvent this setup. However, all I've seen coming in from those places since they were blocked, are hundreds of malicious attempts that have been stopped. Pretty much 99.99% malicious. I have to run a whole manufacturing business on top of this. I just don't have time to spend countless hours a month waging a war against all of this stuff. I spent an entire weekend trying to compile the massive list of IPs that were flooding my site with garbage. I finally gave up and went with the CDN. I only have a shared host. There's only so much I can do on my own. I seriously doubt this will have any adverse effect. In fact, my analytics already look better. All I wanted to know is if hiding the origin server was imperative, but I guess not.
1:19 am on Jan 10, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:7770
votes: 265


I have never sold a single item to anyone in the countries I have blocked
Point is, there's more to it than that... there are more layers. In the example I gave, it showed that data scraped by one agent, supplied data to other agents that can be beneficial to you. This is not limited to Adsense.

I block several thousand IP ranges, but allow hundreds of beneficial agents that come from those ranges. Beneficial agents will likely be different for each webmaster depending on your business interests. You may not even be aware of some of these agents until you have researched who they are and what they do. Blocking countries with a broad brush, you'll never know.

RE: Origin Lock - CDNs package these "security" features into products to sell their customers. But every time you block or hide, you are blocking & hiding from both the bad guys & the good guys.
 
