Stopping Evil Doers: Using ExtraHop to Remove Malicious Traffic from Reverse Proxy Layers
Introduction
As a sysadmin or developer, you’re likely no stranger to the importance of protecting your web applications from malicious traffic. One key aspect of this is using reverse proxy layers to filter out bad requests and maintain your site’s security. However, even with these measures in place, there can still be instances where malicious traffic slips through.
This is where ExtraHop comes into play - a powerful tool designed for network monitoring and analysis that can help you not only detect but also remove malicious traffic from reverse proxy layers. In this article, we’ll explore how to utilize ExtraHop for this purpose, focusing on practical steps and examples to get you started.
What is ExtraHop?
Before diving in, it's worth giving a brief overview of what ExtraHop does. It's a network monitoring platform that captures and analyzes traffic flowing across your network, providing insights into performance issues, security threats, and more. This makes it an ideal tool for identifying malicious activity, whether it comes from known bad actors or from unknown sources.
Setting Up ExtraHop
To use ExtraHop for detecting and removing malicious traffic from reverse proxy layers, you’ll first need to set up the platform. Here are the basic steps:
- Install the Collector: This is the core component of ExtraHop that collects data on your network traffic. You can install it on a physical or virtual machine.
- Configure the Interface: Once installed, configure the interface settings according to your network requirements. This includes specifying the IP address and ports on which you want ExtraHop to listen for traffic.
- Integrate with Your Reverse Proxy Layer: Ensure that your reverse proxy layer is sending logs to ExtraHop. This is usually done through a logging configuration within your proxy setup.
Using ExtraHop for Malicious Traffic Detection
With the basics of setting up ExtraHop covered, let’s dive into how you can use it to detect malicious traffic from your reverse proxy layers:
- Configure ExtraHop for Reverse Proxy Layer Monitoring: You’ll need to set up ExtraHop to monitor traffic flowing through your reverse proxy layer. This involves configuring the appropriate interfaces and ensuring that logs are being sent to ExtraHop.
- Use Custom Queries for Detection: Use ExtraHop's query capabilities to filter traffic by specific criteria. For example, you might look for requests whose URLs contain particular paths or patterns that could indicate malicious activity, and then group those requests by client so that repeated probes from one source stand out.
- Act on Detection Results: Once you’ve detected potential malicious traffic using ExtraHop, take immediate action. This can include blocking IP addresses, adjusting firewall rules, or notifying your security team for further analysis and response.
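The detection and response steps above, as an added example that is not part of the original article and does not use ExtraHop's own query language or trigger API: a Python script that applies the same kind of URL-pattern matching to reverse-proxy access-log lines and turns repeated hits from one client into a list of block candidates for review. The log lines are constructed for this example; the format (nginx "combined" with the X-Forwarded-For value appended as a final quoted field) and the pattern list are assumptions, not something the article specifies.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: nginx "combined" format with X-Forwarded-For appended
# as the last quoted field (an assumed proxy log format, not ExtraHop output).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0" "203.0.113.10"
10.0.0.5 - - [12/Mar/2024:10:00:02 +0000] "GET /.env HTTP/1.1" 404 0 "-" "curl/8.0" "198.51.100.7"
10.0.0.5 - - [12/Mar/2024:10:00:03 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0 "-" "curl/8.0" "198.51.100.7"
10.0.0.5 - - [12/Mar/2024:10:00:04 +0000] "GET /search?q=%27%20OR%201%3D1 HTTP/1.1" 200 100 "-" "python-requests/2.31" "198.51.100.7"
10.0.0.5 - - [12/Mar/2024:10:00:05 +0000] "GET /about HTTP/1.1" 200 300 "-" "Mozilla/5.0" "203.0.113.10"
10.0.0.5 - - [12/Mar/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 403 0 "-" "Mozilla/5.0" "192.0.2.9"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)

# Illustrative indicator patterns, matched against the percent-decoded URI.
# These are common probe signatures, chosen for the example; tune for your site.
SUSPICIOUS_PATTERNS = [
    ("path traversal", re.compile(r"\.\./")),
    ("dotfile probe", re.compile(r"/\.(env|git|htaccess)\b")),
    ("sql injection probe", re.compile(r"(?i)(['\"]|%27)\s*(or|and)\s+\d+\s*=\s*\d+")),
    ("wordpress login probe", re.compile(r"/wp-login\.php$")),
]


def parse_line(line: str):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Behind a reverse proxy the TCP source is the proxy itself; the real client is
    # the first hop in X-Forwarded-For. Only trust that header when your own proxy
    # sets or overwrites it, otherwise a client can forge it.
    xff = rec["xff"].strip()
    rec["client"] = xff.split(",")[0].strip() if xff and xff != "-" else rec["src"]
    rec["status"] = int(rec["status"])
    return rec


def classify(uri: str):
    """Return the names of all suspicious patterns that the decoded URI matches."""
    decoded = unquote(uri)
    return [name for name, pat in SUSPICIOUS_PATTERNS if pat.search(decoded)]


def analyze(log_text: str, threshold: int = 2):
    """Scan log text; return (alerts, block_candidates).

    alerts: one dict per suspicious request, in log order.
    block_candidates: client IPs with at least `threshold` suspicious requests.
    """
    alerts = []
    hits_per_client = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip lines in an unexpected format rather than crash
        reasons = classify(rec["uri"])
        if not reasons:
            continue
        alerts.append({"client": rec["client"], "uri": rec["uri"],
                       "status": rec["status"], "reasons": reasons})
        hits_per_client[rec["client"]] += 1
    block_candidates = {ip for ip, n in hits_per_client.items() if n >= threshold}
    return alerts, block_candidates


if __name__ == "__main__":
    found, candidates = analyze(SAMPLE_LOG)
    for a in found:
        print(f'{a["client"]:<15} {a["status"]} {a["uri"]}  <- {", ".join(a["reasons"])}')
    print("block candidates for review:", sorted(candidates))
```

The threshold keeps a single odd-looking request from generating a block on its own; review the candidate list before pushing it to a firewall, since many clients can share one source address behind NAT or a CDN, and a block list that ignores X-Forwarded-For would block your own proxy rather than the client.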
Conclusion
Using ExtraHop to detect and remove malicious traffic from reverse proxy layers is a proactive step towards maintaining the security of your web application. From setting up the platform to using its powerful features for detection and acting on those results, this process is designed to ensure that any potential threats are identified and addressed quickly.