The B2C Commerce platform's eCDN Web Application Firewall (WAF) Basics, Functionality and Benefits

Publish Date: Nov 24, 2025
Description

For detailed information about the Commerce Cloud B2C platform's embedded CDN (eCDN) WAF, please see eCDN Web Application Firewall.

Resolution

Benefits:

  • Additional application-level security on storefront sites
  • Access to WAF logs for up to 7 days
  • Configurable OWASP rule set
  • Free value-added feature for eCDN customers
  • Easy-to-use self-service tool in Business Manager

Functionality:

  • As part of our eCDN DDoS mitigation offering, we offer an additional layer of Layer 7 (application-layer) protection to our customers through the eCDN Web Application Firewall (WAF).
  • The eCDN Web Application Firewall is designed to protect custom Production and Development storefront hostnames from common code-level vulnerabilities such as SQL injection, cross-site scripting, and the OWASP-identified threats that target the application layer.
  • It is a value-added feature included in the Commerce Cloud eCDN at no additional charge.

What does it do?

  • The eCDN Web Application Firewall (WAF) inspects every request made to a merchant's site, whether it is a normal shopper action, bot traffic, or a malicious request.
  • All requests to a storefront arrive over HTTP/HTTPS, either as full page loads or as AJAX calls (small data snippets).
  • The WAF performs deep inspection of every request across all common forms of web traffic and separates malicious traffic from real shopper traffic.
  • It identifies abnormal or malicious traffic, isolates or blocks it, and prevents the threat from reaching the origin server.
  • It also inspects the requested URLs to detect anything out of the ordinary.

How does it do it?

  • If a suspicious request is made against a merchant's site, the eCDN WAF evaluates the request and applies the merchant-chosen action.
  • If the action is 'challenge', the suspicious user is shown a CAPTCHA page and must complete it successfully to continue accessing the page.
  • If the user fails the CAPTCHA, the WAF 'blocks' that traffic, now identified as malicious, before it reaches the Commerce Cloud origin.
  • If the merchant chooses the 'block' action, the suspicious user is blocked outright, with no challenge.

What is not covered in eCDN WAF?

  • A well-formed, legitimate request (for example, a bot placing an order correctly) is NOT something the WAF handles.
  • To prevent fraudulent-order attacks, the best option is to implement a CAPTCHA or rate limiter on the order-submission page, or on whichever page the bot attack is observed.

Please find below details on handling undesired traffic such as bots, automated tools, and scripts.

  • Because of the potentially considerable after-market economy created by hype-event products, it is not uncommon for bots/scripts to be created and made available (for sale) before an event. Such bot traffic can interfere with desirable shopper traffic and negatively impact the performance of the storefront. The following approaches can limit the effectiveness and impact of these automated bots/scripts.
    1. CAPTCHA/reCAPTCHA
      • As referenced above, CAPTCHA is a challenge-response system used to differentiate human requests from bot/script requests, so that only human (non-bot) shoppers get the opportunity to purchase the hype-event product. Because of the challenge-response mechanism, automated scripts fail the verification.
      • When the CAPTCHA is placed in front of the request, it reduces the impact of bot traffic by preventing bots from reaching the more resource-intensive operations (add to cart, checkout).
    2. Rate-limiting/Throttling/Filtering
      • Have in place the ability to rate-limit or throttle requests made to the storefront, and the ability to adjust that configuration in real time.
      • Because a bot/script typically makes a large number of requests in a short time (far more than a human shopper), throttling or rate-limiting incoming requests, when properly configured, affects only bot/script requests and does not impact human shoppers.
      • Both the platform eCDN and third-party CDNs can rate-limit/throttle incoming requests based on a number of configuration parameters, using real-time analysis of incoming requests against a pre-defined set of rules.

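The two mechanisms described above, the merchant-chosen 'challenge'/'block' action from "How does it do it?" and the rate-limiting approach in item 2, as one added Python model. This is an illustration written for this article, not Salesforce's eCDN or the underlying CDN's code: a sliding-window counter flags any client that exceeds a threshold on the resource-intensive paths, and a second stage applies the configured action to flagged requests. The log format, the IP addresses, the threshold (3 requests per 2 seconds on /cart and /checkout) and the set of clients that solve the CAPTCHA are all constructed for the example.

```python
"""Toy model of edge filtering: sliding-window rate limiting plus the
merchant-chosen WAF action ('challenge' or 'block').  Added illustration,
not Salesforce eCDN code; every value below is constructed."""
from collections import deque


class SlidingWindowLimiter:
    """Flags a client once it exceeds `limit` requests to a protected path
    within any `window` seconds; normal shopper cadence stays well below."""

    def __init__(self, limit, window, protected_prefixes=("/cart", "/checkout")):
        self.limit = limit
        self.window = window
        self.protected_prefixes = protected_prefixes
        self._hits = {}  # client -> deque of timestamps still inside the window

    def record(self, client, ts, path):
        """Return True if this request pushes `client` over the limit."""
        if not path.startswith(self.protected_prefixes):
            return False  # only the expensive operations are throttled
        q = self._hits.setdefault(client, deque())
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()  # drop hits that fell out of the window
        return len(q) > self.limit


class WafAction:
    """Applies the merchant-chosen action to requests the limiter flagged."""

    def __init__(self, action):
        if action not in ("challenge", "block"):
            raise ValueError("action must be 'challenge' or 'block'")
        self.action = action
        self.blocked = set()   # clients denied before reaching origin
        self.verified = set()  # clients that solved the CAPTCHA

    def decide(self, client, suspicious, solves_captcha):
        if client in self.blocked:
            return "block"
        if not suspicious or client in self.verified:
            return "allow"
        if self.action == "block":
            self.blocked.add(client)
            return "block"
        # 'challenge': this request gets the CAPTCHA page; the outcome decides
        # what happens to the client's subsequent requests.
        (self.verified if solves_captcha else self.blocked).add(client)
        return "challenge"


def parse_line(line):
    """Constructed log format: '<seconds> <client> <method> <path>'."""
    ts, client, method, path = line.split()
    return float(ts), client, method, path


def filter_log(lines, limiter, waf, captcha_solvers):
    """Run every request through both stages; returns (client, path, verdict)."""
    verdicts = []
    for line in lines:
        ts, client, _method, path = parse_line(line)
        suspicious = limiter.record(client, ts, path)
        verdict = waf.decide(client, suspicious, client in captcha_solvers)
        verdicts.append((client, path, verdict))
    return verdicts


# Constructed traffic: a shopper browsing normally (203.0.113.10), a script
# hammering add-to-cart (198.51.100.7), and an eager human who clicks fast
# enough to trip the limiter but solves the CAPTCHA (203.0.113.44).
SAMPLE_LOG = [
    "0.0 203.0.113.10 GET /product/hype-sneaker",
    "0.5 198.51.100.7 POST /cart/add",
    "0.6 198.51.100.7 POST /cart/add",
    "0.7 198.51.100.7 POST /cart/add",
    "0.8 198.51.100.7 POST /cart/add",
    "0.9 198.51.100.7 POST /cart/add",
    "1.0 198.51.100.7 POST /cart/add",
    "4.0 203.0.113.10 POST /cart/add",
    "5.0 203.0.113.44 POST /cart/add",
    "5.3 203.0.113.44 POST /cart/add",
    "5.6 203.0.113.44 POST /cart/add",
    "5.9 203.0.113.44 POST /cart/add",
    "7.0 203.0.113.44 GET /checkout",
    "9.0 203.0.113.10 GET /checkout",
]
CAPTCHA_SOLVERS = frozenset({"203.0.113.10", "203.0.113.44"})  # constructed


def run(action, captcha_solvers=CAPTCHA_SOLVERS):
    """Replay the sample log under one merchant action; verdicts per client."""
    limiter = SlidingWindowLimiter(limit=3, window=2.0)
    waf = WafAction(action)
    summary = {}
    for client, _path, verdict in filter_log(SAMPLE_LOG, limiter, waf, captcha_solvers):
        summary.setdefault(client, []).append(verdict)
    return summary


if __name__ == "__main__":
    for action in ("challenge", "block"):
        print(action, run(action))
```

Under 'challenge' the script is challenged on its fourth burst request and blocked from then on, the fast-clicking human is challenged once and then allowed, and the normal shopper is never touched; under 'block' both flagged clients are dropped outright, which is why the article recommends the challenge action where real shoppers might occasionally trip the threshold.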
Knowledge Article Number

000391234

Salesforce Help | Article