How do I resolve requests with unknown domain names on my Application Load Balancer in ELB?


I want to resolve requests with unknown domain names on my Application Load Balancer in Elastic Load Balancing (ELB).

Short description

ELB monitors and manages load balancers that handle client requests. Based on traffic to your application, ELB updates the DNS record of the load balancer when it scales. These updates register the IP addresses of new resources in the DNS record. The DNS entry also specifies a time-to-live (TTL) value of 60 seconds. It's a best practice to use your DNS service to create a CNAME record that routes queries to your load balancer. You can also use an Amazon Route 53 alias record set. For more information, see Routing traffic to an ELB load balancer.

If the load balancer's IP addresses are specified with an A record in DNS or are otherwise publicly reachable, then they can receive HTTP requests addressed directly to the IP rather than to your domain name. Such requests can come from any host on the internet, such as malicious sources, bots, and random requests sent to an incorrect IP address.

Resolution

To resolve requests with unknown domain names on your Application Load Balancer, use one of the following methods:

Monitor your Application Load Balancer access logs and block unknown sources

To monitor your Application Load Balancer access logs for requests to an unrecognized domain, check the client:port and user_agent fields. These fields show more request details, such as where the request originated.

To make sure that your application receives traffic only for your domain, use a host-header condition in your listener rules. When you use this condition, if none of the listener rules match the client request's Host header, then the default listener rule applies, so make sure that the default rule doesn't forward those requests to your application (for example, return a fixed response).

Also, for an immediate solution, block client IP addresses that generate requests for an unknown domain. Make sure that you block the IP addresses in the network access control lists (network ACLs).

Use AWS WAF

When you integrate with AWS WAF, requests to specified domains that you configure are routed to your Application Load Balancer target. To integrate with AWS WAF, complete the following steps:

  1. Create a web ACL.
  2. Associate your web ACL with your Application Load Balancer.
  3. Open the AWS WAF console.
  4. On the Add rules and rule groups page, choose Add rules > Add my own rules and rule groups > Rule builder > Rule visual editor.
  5. For Name, enter the name that you want to use to identify this rule.
  6. For Type, choose Regular rule.
  7. For If a request, choose doesn't match the statement (NOT).
  8. On Statement, for Inspect, select the dropdown list, and then choose Single Header. When you choose Header, specify host as the header that you want AWS WAF to inspect.
  9. For Match type, choose Matches regular expression. This allows AWS WAF to match a request component against a single regular expression (regex).
  10. For Regular expression, specify the strings that you want AWS WAF to search for. For example, enter ^.*example.com$|^.*test.com$. AWS WAF inspects the host header in web requests for the regex value that you specified. Note that in this pattern the unescaped dots match any character and the leading .* matches any prefix, so a host such as notexample.com also matches; escape the dots and anchor the subdomain boundary if you need an exact match.
  11. For Text transformation, set to None.
  12. For Action, select the action that you want the rule to take when it matches a web request. For example, choose Block and leave the other choices as they are.
  13. Choose Add rule.
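
As an added example (not from the article or AWS's own code), here is the rule that steps 4 to 13 produce, in the JSON shape the WAFv2 CLI and boto3 accept, evaluated offline against constructed Host values. It also shows why the sample regex with unescaped dots allows a host such as notexample.com, beside a tightened alternative. SAMPLE_HOSTS, STRICT_REGEX and the simulation functions are this example's own assumptions.

```python
import re

# Constructed sample Host header values (not from the original article).
SAMPLE_HOSTS = [
    "www.example.com",  # legitimate subdomain
    "test.com",         # legitimate second domain
    "notexample.com",   # merely ends with "example.com"
    "examplexcom",      # an unescaped "." matches any character
    "203.0.113.10",     # raw IP in the Host header, typical of scanners
]

# Regex as written in the article: unescaped dots and an unanchored prefix.
LOOSE_REGEX = r"^.*example.com$|^.*test.com$"
# Tightened version: dots escaped, only the apex or a real subdomain matches.
STRICT_REGEX = r"^([a-z0-9-]+\.)*example\.com$|^([a-z0-9-]+\.)*test\.com$"


def build_block_unknown_host_rule(name, regex, priority=0):
    """AWS WAFv2 rule equivalent to console steps 4-13, in the JSON shape the
    CLI and boto3 accept: NOT(host header matches regex) -> Block."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"NotStatement": {"Statement": {"RegexMatchStatement": {
            "RegexString": regex,
            "FieldToMatch": {"SingleHeader": {"Name": "host"}},
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
        }}}},
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }


def evaluate(rule, host):
    """Simulate the rule for one Host value, honouring the text transformation.
    Assumes Python's re treats these simple patterns the same way WAF does."""
    stmt = rule["Statement"]["NotStatement"]["Statement"]["RegexMatchStatement"]
    if any(t["Type"] == "LOWERCASE" for t in stmt["TextTransformations"]):
        host = host.lower()
    matched = re.search(stmt["RegexString"], host) is not None
    return "ALLOW" if matched else "BLOCK"  # NOT(match) triggers the Block action


def decisions(regex):
    """Map each sample host to the rule's decision for the given regex."""
    rule = build_block_unknown_host_rule("BlockUnknownHost", regex)
    return {h: evaluate(rule, h) for h in SAMPLE_HOSTS}
```

Passing the dictionary from build_block_unknown_host_rule as one entry of the Rules list in a create-web-acl or update-web-acl call gives the same rule the console steps create.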

Use AWS Network Firewall to block requests with unknown domain names

Network Firewall supports domain name stateful network traffic inspection. You can create allowlists and denylists with domain names that the stateful rules engine looks for in network traffic. With a domain allowlist, the firewall passes HTTP or HTTPS requests only to specified domains, and requests to non-specified domains are dropped.

To use Network Firewall to block requests with unknown domain names, see How do I configure my Network Firewall rules to block or allow specific domains?

Report Abuse

If you suspect that an AWS resource is used for abusive or illegal purposes, then use the Report Amazon AWS abuse form. Make sure that you provide the network logs that show the abusive activity and include the source, target IP addresses, ports, and timestamps. For more information, see How do I report abuse of AWS resources?

Related information

Configure a custom domain name for your Classic Load Balancer

AWS OFFICIAL
Updated 3 months ago