Exact response of DigitalOcean Firewall to repeated identical requests

August 26, 2019

Problem

I have a web server with its own iptables firewall. I’ve recently added a DigitalOcean Cloud Firewall as an additional layer of protection, particularly for SSH which is now only accessible via a bastion.

Cloud Firewall config

Inbound

<redacted non-standard SSH port> bastion-only
80, all IPs, TCP
443, all IPs, TCP

Outbound

<redacted, hopefully not relevant>

Background

I host an app which is embedded in a major eCommerce platform. That embedding process means that customers, when logging into their stores on that platform, may submit to me an expired access token. I reallocate the token, respond and they resubmit. Because it’s iframed and brokered by the eCommerce platform, this can legitimately happen several times in a row (4 legit requests) that eventually culminate in a successful login.

Hypothesis

I think there’s a setting in the Cloud Firewall that’s reacting to the repeated submission of the same request (identical URL and HTTP method) from the same sender. I think it’s delaying the packets by something like 60 seconds.

Testing process

To verify this, I conducted this test:

  • Add DO firewall
  • Test embedded app speed, verify slow.
  • Remove DO firewall
  • Test embedded app speed, verify fast.

I repeated this 5 times in order to come to my conclusion. It supports but does not prove my assertion.

Question

  1. Can anyone with inside knowledge (hello DO!) verify this is how the Cloud Firewall is configured?
  2. Can anyone advise on any configuration changes I can make, short of removing the Cloud Firewall altogether, to stop it slowing down these false-positives please?

Similar questions

I’ve looked at this question, but it seems to be unrelated:
https://www.digitalocean.com/community/questions/cloud-firewall-too-slow
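
One way to put numbers on the add/remove comparison described in the question, as an added example that is not part of the original post: it sends the same request several times in a row and times connection setup separately from the response, so a delay can be attributed to one phase or the other. The host `app.example.com`, the path `/login`, the burst size of 4 and the 5-second "slow" threshold are assumptions for illustration.

```python
import http.client
import statistics
import time


def time_request(host, port, path="/", method="GET", use_tls=False, timeout=90):
    """Send one request; return (connect_seconds, response_seconds, status).

    The 90 s timeout is long enough to observe a delay of about 60 s.
    """
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    t0 = time.perf_counter()
    conn.connect()  # TCP handshake, plus TLS handshake when use_tls is set
    t1 = time.perf_counter()
    conn.request(method, path, headers={"Connection": "close"})
    resp = conn.getresponse()
    resp.read()  # wait for the full body so the whole exchange is timed
    t2 = time.perf_counter()
    conn.close()
    return t1 - t0, t2 - t1, resp.status


def run_burst(host, port, path="/", method="GET", count=4, use_tls=False):
    """Repeat the identical request `count` times back-to-back from this host."""
    return [time_request(host, port, path, method, use_tls) for _ in range(count)]


def summarize(samples, slow_threshold=5.0):
    """Summarise one burst and list the requests slower than the threshold."""
    connect = [s[0] for s in samples]
    respond = [s[1] for s in samples]
    totals = [c + r for c, r in zip(connect, respond)]
    return {
        "median_connect": statistics.median(connect),
        "median_response": statistics.median(respond),
        "max_total": max(totals),
        "slow_indexes": [i for i, t in enumerate(totals) if t > slow_threshold],
    }


if __name__ == "__main__":
    # Placeholder target (assumption): replace with your own host, port and path.
    burst = run_burst("app.example.com", 443, "/login", count=4, use_tls=True)
    print(summarize(burst))
```

Run one burst with the Cloud Firewall attached and one with it removed, and compare the two summaries.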

1 comment
  • Hi there @alexstanhope,

    I’ve reported this internally so that it can be looked into and will keep you updated as I get more information.

    Hope that helps!
    - Matt.
