Question

Exact response of DigitalOcean Firewall to repeated identical requests

Posted August 26, 2019 424 views
DigitalOcean Firewall DigitalOcean Cloud Firewalls

Problem

I have a web server with its own iptables firewall. I’ve recently added a DigitalOcean Cloud Firewall as an additional layer of protection, particularly for SSH which is now only accessible via a bastion.

Cloud Firewall config

Inbound

<redacted non-standard SSH port> bastion-only
80, all IPs, TCP
443, all IPs, TCP

Outbound

<redacted, hopefully not relevant>

Background

I host an app which is embedded in a major eCommerce platform. That embedding process means that customers, when logging into their stores on that platform, may submit to me an expired access token. I reallocate the token, respond and they resubmit. Because it’s iframed and brokered by the eCommerce platform, this can legitimately happen several times in a row (4 legit requests) that eventually culminate in a successful login.

Hypothesis

I think there’s a setting in the Cloud Firewall that’s reacting to the repeated submission of the same request (identical URL and HTTP method) from the same sender. I think it’s delaying the packets by something like 60 seconds.

Testing process

To verify this, I conducted this test:

  • Add DO firewall
  • Test embedded app speed, verify slow.
  • Remove DO firewall
  • Test embedded app speed, verify fast.

I repeated this 5 times in order to come to my conclusion. It supports but does not prove my assertion.

Question

  1. Can anyone with inside knowledge (hello DO!) verify this is how the Cloud Firewall is configured?
  2. Can anyone advise on any configuration changes I can make, short of removing the Cloud Firewall altogether, to stop it slowing down these false-positives please?

Similar questions

I’ve looked at this question, but it seems to be unrelated:
https://www.digitalocean.com/community/questions/cloud-firewall-too-slow
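
The on/off test described above can be tightened by timing each request in the burst separately and splitting the time into a connect phase and a server phase. This is an added example, not part of the original post: the samples are constructed (they are not measurements of DigitalOcean's firewall), and the function names and the 1-second threshold are assumptions.

```python
"""Locate where a burst of identical requests slows down (firewall on vs off)."""
from statistics import median

# Constructed samples, NOT measurements from the original post.
# Each tuple: (request index within the burst, time_connect s, time_starttransfer s),
# the kind of values curl prints with -w '%{time_connect} %{time_starttransfer}\n'.
FIREWALL_ON = [
    (1, 0.021, 0.180), (2, 0.020, 0.175), (3, 0.022, 0.190), (4, 60.030, 60.210),
    (1, 0.019, 0.170), (2, 0.023, 0.182), (3, 0.020, 0.177), (4, 59.980, 60.150),
]
FIREWALL_OFF = [
    (1, 0.020, 0.176), (2, 0.021, 0.181), (3, 0.019, 0.172), (4, 0.021, 0.188),
    (1, 0.022, 0.179), (2, 0.020, 0.174), (3, 0.021, 0.183), (4, 0.019, 0.180),
]


def phase_medians(samples):
    """Per request index: (median connect time, median server time).

    Server time is time-to-first-byte minus connect time, i.e. the part
    spent after the TCP connection was established.
    """
    by_index = {}
    for idx, connect, ttfb in samples:
        by_index.setdefault(idx, []).append((connect, ttfb - connect))
    return {
        idx: (median(c for c, _ in rows), median(s for _, s in rows))
        for idx, rows in sorted(by_index.items())
    }


def slow_requests(on, off, threshold=1.0):
    """Return [(index, phase, extra_seconds)] where 'on' exceeds 'off' by > threshold."""
    m_on, m_off = phase_medians(on), phase_medians(off)
    findings = []
    for idx, on_phases in m_on.items():
        if idx not in m_off:
            continue  # no baseline for this position in the burst
        for phase, a, b in zip(("connect", "server"), on_phases, m_off[idx]):
            if a - b > threshold:
                findings.append((idx, phase, round(a - b, 1)))
    return findings


if __name__ == "__main__":
    for idx, phase, extra in slow_requests(FIREWALL_ON, FIREWALL_OFF):
        print(f"request #{idx}: +{extra}s in {phase} phase with firewall on")
```

Extra time in the connect phase is spent before the web server sees the HTTP request, so the URL and method cannot be what the server is reacting to; extra time in the server phase points at the application or its own iptables rules instead.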

2 comments
  • Hi there @alexstanhope,

    I’ve reported this internally so that it can be looked into and will keep you updated as I get more information.

    Hope that helps!
    - Matt.

  • Hi Matt, I’ve been pretty patient on this one, but I now need a response as I have to migrate my production estate to use DigitalOcean Firewalls. I’m fairly certain that the natural OAuth handshaking for the eCommerce platform that I’m using is causing the DO firewall to block legitimate requests. I need my firewalls to stop blocking this or I have to find another platform, which after months of effort (and years with DO) I’m disinclined to do. I’d appreciate a quick response. Cheers, Alex

0 answers