Web Application Firewall (WAF) Update Log
Arc provides a standardized WAF configuration for OWASP and IP reputation (a score per IP address) for all sites, which is continuously adjusted depending on public conditions.
This page is a running log of changes that are occurring within client sites. Monitor this page to keep up to date with changes which may impact your sites.
Why do we make changes
Changes are usually driven in response to alerting on customer sites. High levels of malicious activity, errors triggered on client sites, or high levels of traffic can all trigger alerts which may result in a configuration change depending on the analysis of the alert. Changes can also be triggered by non-technical events such as notifications from 3rd parties about activity targeting Arc clients or discoveries made by Arc staff. Once Arc investigates the alert, we may choose to take action to mitigate the traffic. Logging every action would add unneeded volume to this log, so the following guidelines are used when noting changes:
- New OWASP changes are updated automatically and are not recorded in this log, but changes to OWASP policies made in response to alerts are recorded if they are global.
- IP reputation scores are determined heuristically and change quickly over time, so the scores for individual IPs are not recorded in this log.
- Changes to IP reputation score thresholds for mitigation will be posted.
- Changes to the OWASP policy enforcement (SQL injection, CMDi, XSS, etc.) will be posted. Currently ALL OWASP categories are denied on requests managed by Arc.
- Changes which are implemented to block overtly malicious activity against a single client may not be logged if there is little risk of the change impacting legitimate activity on other clients.
Change Log
Date | Change | Impact |
---|---|---|
N/A | Requests sourcing from some VULTR owned IP blocks are being blocked due to activity across multiple customers. | Requests connecting from 198.13.54.0/24 will be denied |
N/A | An ad scraping site that Arc identified as using Arc as a source for content is blocked. | Requests connecting from 51.15.250.49 will be denied |
10/1/20 | Arc has whitelisted parse.ly requests from its reputation score. The crowdsourced score for parse.ly was triggering sporadic denies which are not reflected in their activity to Arc clients. The whitelist is subject to the public IP space parse.ly provided at the time of the event; changes by parse.ly going forward may not be accounted for. | Customers using parse.ly should see normal service unless there are operational changes by parse.ly |
10/9/20 | Arc is currently tracking a series of ad fraud sites impacting multiple customers and has implemented a block based on fingerprinting of the source hosts. | Client requests matching the fingerprint will be served an "invalid site" message. |
11/19/20 | Arc has changed handling of the x-fb-session-id header due to false positive triggers | Requests with header patterns that were falsely triggering attack rules will now succeed. |
8/13/2021 | Rate limits have been added for the `newspaper/0/2/8` and `BLP_bbot/0.1` User Agents due to sustained abusive scraping activity | |
11/28/2022 | Access by Qualys has been blocked due to unauthorized usage of their infrastructure to perform abusive security scans | Clients using Qualys security scans will receive 403 responses. |
1/4/2023 | Access from a fingerprint based out of Hetzner Online has been blocked | Clients matching the fingerprint will receive 403 responses. |
10/12/2023 | Access by the bytespider user agents has been blocked due to excessive bandwidth and resource usage | Requests from the 2 primary bytespider user agents will receive 403 responses. |
9/9/2024 | Access by some python-requests UAs based on specific fingerprints was restricted due to excessive site scraping | Requests will receive a 403 response. |