Question

Exact response of DigitalOcean Firewall to repeated identical requests

Posted August 26, 2019 752 views
Tags: DigitalOcean, Firewall, DigitalOcean Cloud Firewalls

Problem

I have a web server with its own iptables firewall. I’ve recently added a DigitalOcean Cloud Firewall as an additional layer of protection, particularly for SSH which is now only accessible via a bastion.

Cloud Firewall config

Inbound

<redacted non-standard SSH port> bastion-only
80, all IPs, TCP
443, all IPs, TCP

Outbound

<redacted, hopefully not relevant>

Background

I host an app which is embedded in a major eCommerce platform. That embedding process means that customers, when logging into their stores on that platform, may submit to me an expired access token. I reallocate the token, respond and they resubmit. Because it’s iframed and brokered by the eCommerce platform, this can legitimately happen several times in a row (4 legit requests) that eventually culminate in a successful login.

Hypothesis

I think there’s a setting in the Cloud Firewall that’s reacting to the repeated submission of the same request (identical URL and HTTP method) from the same sender. I think it’s delaying the packets by something like 60 seconds.

Testing process

To verify this, I conducted this test:

  • Add DO firewall
  • Test embedded app speed, verify slow.
  • Remove DO firewall
  • Test embedded app speed, verify fast.

I repeated this 5 times in order to come to my conclusion. It supports but does not prove my assertion.

Question

  1. Can anyone with inside knowledge (hello DO!) verify this is how the Cloud Firewall is configured?
  2. Can anyone advise on any configuration changes I can make, short of removing the Cloud Firewall altogether, to stop it slowing down these false-positives please?

Similar questions

I’ve looked at this question, but it seems to be unrelated:
https://www.digitalocean.com/community/questions/cloud-firewall-too-slow
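
One way to make the add/remove test in the question more precise, as an added example that is not part of the original post: time each of the repeated identical requests on a fresh connection and record whether the delay falls in the TCP connect phase or after the connection is established. The GET request, the `/` path, port 443 and the 5-second stall threshold are assumptions; the real login flow may use a different method and URL.

```python
import socket
import ssl
import sys
import time

STALL_S = 5.0  # assumed threshold; the delay reported above was roughly 60 seconds


def probe(host, port, path="/", use_tls=True, timeout=90.0):
    """One request on a fresh connection -> (connect_s, response_s)."""
    start = time.monotonic()
    sock = socket.create_connection((host, port), timeout=timeout)
    connect_s = time.monotonic() - start  # TCP handshake only
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            sock = ctx.wrap_socket(sock, server_hostname=host)
        request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        sock.sendall(request.encode("ascii"))
        sock.recv(1)  # blocks until the first response byte arrives
        response_s = time.monotonic() - start - connect_s  # includes TLS handshake
    finally:
        sock.close()
    return connect_s, response_s


def run_series(host, port, path="/", count=4, use_tls=True):
    """Send the same request `count` times in a row (4 matches the login flow)."""
    return [probe(host, port, path, use_tls) for _ in range(count)]


def locate_delay(samples, stall_s=STALL_S):
    """Indexes of requests that stalled, split by the phase that was slow."""
    return {
        "connect": [i for i, (c, _) in enumerate(samples) if c >= stall_s],
        "response": [i for i, (_, r) in enumerate(samples) if r >= stall_s],
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live run: pass the hostname to test as the argument
        samples = run_series(sys.argv[1], 443)
    else:  # constructed timings, for illustration only
        samples = [(0.02, 0.11), (0.02, 0.09), (60.03, 0.10), (0.02, 0.12)]
    for i, (c, r) in enumerate(samples):
        print(f"request {i}: connect={c:.2f}s response={r:.2f}s")
    print(locate_delay(samples))
```

Run it once with the Cloud Firewall attached and once without, from the same client. Stalls listed under `connect` happened before the TCP handshake completed, while stalls under `response` happened after the connection was already up.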

2 comments
  • Hi there @alexstanhope,

    I’ve reported this internally so that it can be looked into and will keep you updated as I get more information.

    Hope that helps!
    - Matt.

  • Hi Matt, I’ve been pretty patient on this one, but I now need a response as I have to migrate my production estate to use DigitalOcean Firewalls. I’m fairly certain that the natural OAuth handshaking for the eCommerce platform that I’m using is causing the DO firewall to block legitimate requests. I need my firewalls to stop blocking this or I have to find another platform, which after months of effort (and years with DO) I’m disinclined to do. I’d appreciate a quick response. Cheers, Alex

1 answer

Hey @alexstanhope,

Sorry for the incredibly long delay here! :/

Our network team have just replied on our internal ticket and aren’t really sure what’s going on with the details you’ve given.

They’re asking if you could please create a ticket with our support team so that they can request specific logs from you etc.

https://www.digitalocean.com/support/

Hope that helps,
- Matt.
