On the Signal Sciences side, I can create custom corp & site signals. I see that there are some “templated rules”. I’d like to trigger some of these templated rules… like “Credit Card Failure”, but wonder if this only benefits me or goes on to support the Fastly community.
For example, we detect a lot of abuse on our servers that the Fastly WAF isn’t preventing. What is required to be returned for abuse to trickle up above our level and assist in blocking this abuse on other Fastly sites?
I’m currently seeing some card stuffing occurring where the IPs, user agents and amounts are all different for each attempt. Rather than just adding to a list and blocking via the WAF, what are the options? I can return an HTTP response header to flag this and update the Templated Rule to identify it, but does it serve any purpose beyond being visible in our corp?
NOTE: I tried modifying the existing template rule for “Credit Card Failure”, but it has a prerequisite rule that needs to be met first. (It requires “Credit Card Attempt”.) Should I update both to check for the same header and partial values? (i.e., response contains “cc” for attempt, and equals “cc-fail” for failure?)
We report abuse to AbuseIPDB.com. Is there anything we can do to additionally report request-related abuse to Fastly to benefit the Fastly community?
but wonder if this only benefits me or goes on to support the Fastly community.
At the moment, these requests would only be tagged and benefit your site. We do have the Network Learning Exchange (NLX), which shares threat data amongst other customers, but it is only for attack signals and not anomaly signals like Credit Card Failure.
but wonder if this only benefits me or goes on to support the Fastly community.
Currently, there isn’t an option to share threat intelligence with other customers outside of the NLX. That said, I agree this would be a valuable feature, and I’ve submitted an internal feature request for consideration.
NOTE: I tried modifying the existing template rule for “Credit Card Failure”, but it has a prerequisite rule that needs to be met first. (It requires “Credit Card Attempt”.) Should I update both to check for the same header and partial values? (i.e., response contains “cc” for attempt, and equals “cc-fail” for failure?)
Yep, you will need to have the “Credit Card Attempt” rule configured and matching. I am not familiar with your specific application, but generally I see customers doing a simple match for the attempt (e.g., Method equals “POST” and Path equals “/cc-endpoint”).
Let me know if you need any further help with this!
Ugh… I can’t create a “Credit Card Attempt” template rule based on HTTP response headers. If I try, I get an error that states:
Validation failed - this rule must not depend on response data
I’ve got too many routes & paths on our site configuration to be able to identify static values that work everywhere. I would love to base templated signals off an HTTP response header as that is something I can consistently control and not have the “CC Attempt” be required as a prerequisite for “CC Failure”. Is this possible?