Build your own Artificial Intelligence (AI) and Machine Learning (ML) to block robots at Application Gateway

You can always buy third-party services to provide web application firewall (WAF)-like capability so that you can focus on your core business competencies. Nonetheless, it would not hurt to know how you can use Azure native services to build your own Artificial Intelligence to block the bad actors. In this simple example, we will learn the behaviors, identify the bad actors and block them by adding a deny NSG rule. Let’s jump into action!

First, we are going to use Azure Diagnostics logs to find the top callers requesting our resources and capture their source IPs.

AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS"
| where OperationName == "ApplicationGatewayAccess"
// first three octets of the client address; the dots are escaped so they match literal dots, not any character
| extend domain = extract(@"^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}", 0, clientIP_s)
| summarize number = count() by domain
| order by number desc, domain asc

Next, let’s find out what resources are being requested from those IP addresses. We dropped the last octet from the IP address to expand the range for this sample.

AzureDiagnostics
| where TimeGenerated >= ago(24h)
| where Category == "ApplicationGatewayAccessLog"
// the /24 we flagged above; startswith with the trailing dot so that 202.162.190.x and similar do not match
| where clientIP_s startswith "202.162.19."
| project TimeGenerated, clientIP_s, httpMethod_s, httpStatus_d, requestUri_s, sslEnabled_s

What do you think these guys are doing? They are requesting non-existent resources and probing for vulnerable ones so that they can exploit them! This is a .NET Core API, and they have no business looking for PHP files! Looking at that behavior, we are convinced this is a bad actor. You can use a whois service to see who owns or rents those IPs. They have no business calling our resources, so let’s automate the NSG attached to the App Gateway and block them.

Here is the NSG attached to our App Gateway subnet:

[Screenshot: NSG applied at the App Gateway subnet]

Let’s modify the inbound rules and deny those IP ranges:

[Screenshot: Deny rule at the NSG]

Wait for a day or two. You would no longer see those IPs calling your resources. Are you happy? Not really! The bad actors have moved apartments to another hosting provider! This is a cat-and-mouse game. You have to continuously tune the logic to learn the behavior and automate the process of modifying the deny rule at the NSG, until those bad actors go elsewhere.
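The two steps the post performs by hand (judging a /24 as a prober from its 404s and PHP requests, then adding a deny rule to the NSG) can be put into one script, so that the tuning loop described above is a matter of adjusting thresholds rather than re-reading query output. The following is an added example and not code from the original post; it assumes the AzureDiagnostics column names the post's second query projects (clientIP_s, httpStatus_d, requestUri_s), the log rows are constructed for the demo, and the thresholds, rule name and resource names are assumptions to be tuned per environment. It generalizes the post's single-prefix check to any number of source prefixes:

```python
"""Score Application Gateway callers per /24 and turn the noisy ones into an NSG deny rule.

Added example, not code from the original post. It assumes the AzureDiagnostics
column names the post's queries use (clientIP_s, httpStatus_d, requestUri_s);
the log rows below are constructed, and the thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
import shlex

# Constructed sample in the shape of the post's second query, restricted to the
# columns we score on: one /24 probing for PHP files on a .NET API, one normal client.
SAMPLE_ROWS = [
    {"clientIP_s": "203.0.113.7",  "httpStatus_d": 404, "requestUri_s": "/wp-login.php"},
    {"clientIP_s": "203.0.113.7",  "httpStatus_d": 404, "requestUri_s": "/phpmyadmin/index.php"},
    {"clientIP_s": "203.0.113.9",  "httpStatus_d": 404, "requestUri_s": "/.env"},
    {"clientIP_s": "203.0.113.9",  "httpStatus_d": 404, "requestUri_s": "/admin/config.php"},
    {"clientIP_s": "203.0.113.12", "httpStatus_d": 404, "requestUri_s": "/xmlrpc.php"},
    {"clientIP_s": "198.51.100.4", "httpStatus_d": 200, "requestUri_s": "/api/orders"},
    {"clientIP_s": "198.51.100.4", "httpStatus_d": 200, "requestUri_s": "/api/orders/42"},
    {"clientIP_s": "198.51.100.4", "httpStatus_d": 404, "requestUri_s": "/api/orders/999"},
]

# Paths a .NET Core API never serves; requests for them are probes, not customers (assumed list).
PROBE_SUFFIXES = (".php", ".asp", ".cgi", "/.env", "/.git/config")


@dataclass
class PrefixStats:
    total: int = 0
    not_found: int = 0
    probes: int = 0

    @property
    def not_found_ratio(self) -> float:
        return self.not_found / self.total if self.total else 0.0


def prefix_of(ip: str) -> str:
    """Collapse an IPv4 address to its /24, the CIDR form of the post's 'drop the last octet'."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def score_rows(rows):
    """Aggregate per /24: request count, 404 count, and requests for paths we never serve."""
    stats = defaultdict(PrefixStats)
    for row in rows:
        s = stats[prefix_of(row["clientIP_s"])]
        s.total += 1
        if int(row["httpStatus_d"]) == 404:
            s.not_found += 1
        if row["requestUri_s"].lower().endswith(PROBE_SUFFIXES):
            s.probes += 1
    return dict(stats)


def prefixes_to_block(stats, min_requests=3, min_404_ratio=0.8, min_probes=2):
    """Block a /24 only when it is both noisy and clearly probing; a real client's odd 404 does not qualify."""
    return sorted(
        p for p, s in stats.items()
        if s.total >= min_requests and s.not_found_ratio >= min_404_ratio and s.probes >= min_probes
    )


def build_deny_rule(prefixes, name="DenyProbingPrefixes", priority=100):
    """Inbound deny rule using the property names of an NSG securityRules entry."""
    return {
        "name": name,
        "priority": priority,  # must be a lower number than the allow rules it has to beat
        "direction": "Inbound",
        "access": "Deny",
        "protocol": "*",
        "sourceAddressPrefixes": list(prefixes),
        "sourcePortRange": "*",
        "destinationAddressPrefix": "*",
        "destinationPortRange": "*",
    }


def az_cli_command(rule, resource_group, nsg_name):
    """The equivalent `az network nsg rule create` invocation for the rule dict."""
    parts = [
        "az", "network", "nsg", "rule", "create",
        "--resource-group", resource_group, "--nsg-name", nsg_name,
        "--name", rule["name"], "--priority", str(rule["priority"]),
        "--direction", rule["direction"], "--access", rule["access"],
        "--protocol", rule["protocol"],
        "--source-address-prefixes", *rule["sourceAddressPrefixes"],
        "--destination-port-ranges", rule["destinationPortRange"],
    ]
    return " ".join(shlex.quote(p) for p in parts)


if __name__ == "__main__":
    stats = score_rows(SAMPLE_ROWS)
    bad = prefixes_to_block(stats)  # ['203.0.113.0/24'] for the sample above
    print(az_cli_command(build_deny_rule(bad), "rg-appgw", "nsg-appgw-subnet"))
```

Two things to keep in mind when you wire this to a real NSG: the deny rule's priority has to be a lower number than the allow rules it should override, and on an Application Gateway v2 subnet the NSG must still allow inbound traffic from the GatewayManager service tag on ports 65200-65535 (65503-65534 for v1), so keep the deny limited to the source prefixes you scored rather than widening it. Blocking a whole /24 can also catch legitimate customers sharing the same hosting provider, which is one reason the thresholds are worth tuning on your own 24h of logs before the rule is applied automatically.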

Welcome to Artificial Intelligence (AI), Machine Learning (ML) and Automation. :)-
