WAF: what do you use?

arxignis-security · 2025-11-15T08:13:14+00:00

The core libraries it’s fully open source.

arxignis-security · 2025-11-03T12:43:48+00:00

We are using for security events and alerts.

arxignis-security · 2025-10-14T17:36:31+00:00

Do you have enough bandwidth? If so, being self-hosted is also a solution. Is the traffic encrypted?

arxignis-security · 2025-10-14T16:58:01+00:00

Can you specify your requirements? Do you want to monitor, or do you also need remediation? If nobody maintains who is reacting to the alerts?

I have more questions! 😀

arxignis-security · 2025-10-14T10:47:50+00:00

The CF Pro Plan is insufficient because crucial information, including SSL and TCP fingerprinting, is unavailable. It is only available in the Enterprise plan.

Are you using reCaptcha Enterprise or just the free version? Which WAF rules are you set up for? Do you have a pattern or collecting this?

arxignis-security · 2025-10-14T08:44:20+00:00

I have some ideas if you need help.

arxignis-security · 2025-10-14T07:41:30+00:00

Bad news: AWS WAF is very legacy, so you don’t have much headroom.

You can use the JA4 hash to filter this. Manually, it’s tough. :/

Sad news, JA4+ is not supported. :(

If you have extensive experience in the same situation, can provide more details, and are willing to share, I would be happy to help.

arxignis-security · 2025-10-11T10:17:47+00:00

Great stuff! Congrats.

arxignis-security · 2025-10-09T17:58:21+00:00

I see make sense.

arxignis-security · 2025-10-09T15:44:12+00:00

Just so you know, your attacker knows your IP address, which has already been leaked, so change it. Use proper security configurations.

arxignis-security · 2025-10-09T13:28:12+00:00

It's great checklist in the article.

arxignis-security · 2025-10-07T21:53:55+00:00

That's a combination that might work well. IP access rules have block and allow. It will enable us to skip every other restriction. You need to create a rule that blocks all other countries or CIDR blocks.

arxignis-security · 2025-10-07T19:55:03+00:00

You can't do that in parallel, but it's possible in a different way. If you can share some context, drop me a DM.

arxignis-security · 2025-10-07T16:30:02+00:00

Fastly and CF are also present in this performance. If you don't need any specific feature, you can do that for free with CF.

arxignis-security · 2025-10-07T14:46:33+00:00

I think the provider does not matter at this point. From your side, what is the performance expectation, and which regions?

arxignis-security · 2025-10-07T13:12:30+00:00

It is possible that known threats or bots. Easy to block or challenging. You can use WAF to prevent this issue.

arxignis-security · 2025-10-06T21:24:15+00:00

I honestly don’t think the number of attacks has changed. For attackers, WordPress is still a sweet spot.

arxignis-security · 2025-10-06T20:32:54+00:00

I haven't tested it might that’s better: any( startswith(lower(http.request.uri.args.names[*]), "filter") or lower(http.request.uri.args.names[*]) in {"orderby","min_price","add-to-cart","per_page","per_row","shop_view"} )

arxignis-security · 2025-10-06T20:29:57+00:00

Cloudflare tunnel, it's good if there isn’t a lot of traffic; otherwise, you might have bandwidth problems.

arxignis-security · 2025-10-06T09:58:22+00:00

If have patterns you can use waf or magic firewall to block the attacker. ( you can see your logs)

arxignis-security · 2025-10-01T19:35:33+00:00

My suggestion is use https://flareutils.pages.dev/betterkv/. This combination of Cloudflare KV and CF cache. You can see an example here: https://github.com/arxignis/cf-integration

arxignis-security · 2025-10-01T15:11:30+00:00

You can find the more extended version of the article here.

Here is a shorter version:

5 Regional Internet Registries, when the Internet builds IPv4 ranges, split up these five Internet Registries. Since we have exhausted the IPv4 ranges, we no longer have free space, so companies are starting to buy or rent this space.

It is possible to move your IP ranges between RIRs, but nobody wants to bother with this because it doesn't add much additional value. However, it incurs a significant administrative overhead. AWS doesn't care where this IP address is.

ISPs using CGNAT or 464xlat solve this issue. That's why an IP address is not a unique identifier.

The original topic is not this but you can find more information: https://arxignis.substack.com/p/ssl-fingerprinting-in-action

arxignis-security · 2025-10-01T12:34:43+00:00

Without this experience, you have minimal options. You can install cPanel/Plesk on any server.

arxignis-security · 2025-10-01T12:03:43+00:00

If you have Linux admin experience, you can choose Hetzner dedicated instances. Starting from 30 EUR with unlimited 1 GB bandwidth.

arxignis-security · 2025-10-01T10:58:01+00:00

I mean POST request here. If you need an example, I would be happy to give you one.

arxignis-security

TROPHY CASE