Here at Stroz Friedberg, we’ve spotted a troubling new trend. During many recent incident response investigations, we’ve noticed businesses—including e-commerce vendors, payroll processing organizations, and others in the crosshairs of cyberattacks—are missing critical log data. The common cause: improper implementation of load balancers in front of custom applications, for example those running on .NET, Apache or IIS.
This situation could spell disaster in the event of a data breach, because knowing who visited what pages, and when, is vital information. Without it, correlating requests with their true source becomes an arduous, if not impossible, task. And this kind of information is central to tracking anomalous activity. Missing data in the incidents we’ve responded to has included the client’s public IP address, user agent and other fields.
Organizations must ensure not only that load balancers are serving their custom applications, but also that the load balancer’s logging is in sync with that of the webserver sitting behind it: the webserver can only record the client’s real address if the load balancer forwards it.
Hosted application managers should look into these questions:
- Is your load balancer forwarding all of the necessary information to your webservers for logging purposes?
- Are the IP addresses logged by your web application the true client addresses, and not misattributed, when your load balancer reuses IPs?
- What VIPs and SNAT IPs do you have? How do underlying applications distinguish between a public IP and a VIP or SNAT IP?
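One way to answer the second question from the webserver logs themselves. This is an added example, not code from the post or from Stroz Friedberg; it assumes a hypothetical load balancer VIP/SNAT range of 10.0.0.0/24, an Apache/NGINX "combined" log format with the X-Forwarded-For header appended as an extra quoted field, and constructed sample log lines. It flags every request whose logged client address is really the load balancer and whose true source was never forwarded, i.e. entries where the evidence is already lost.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumption: the load balancer's VIP and SNAT addresses live in this range.
LB_ADDRESSES = [ip_network("10.0.0.0/24")]

# "combined" format plus an optional trailing "%{X-Forwarded-For}i" field.
LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<xff>[^"]*)")?$'
)

# Constructed sample: lines 1, 2 and 4 arrived via the load balancer, line 3 directly.
SAMPLE_LOG = """\
10.0.0.7 - - [10/Oct/2023:13:55:36 +0000] "GET /checkout HTTP/1.1" 200 512 "-" "Mozilla/5.0" "203.0.113.9"
10.0.0.7 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.0" "-"
198.51.100.4 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:55:39 +0000] "GET /admin HTTP/1.1" 403 0 "-" "-" "198.51.100.4, 10.0.0.7"
"""

def is_lb_address(ip: str) -> bool:
    """True if ip is one of our own VIP/SNAT addresses (malformed input is not)."""
    try:
        return any(ip_address(ip) in net for net in LB_ADDRESSES)
    except ValueError:
        return False

def true_client_ip(remote: str, xff: Optional[str]) -> Optional[str]:
    """Client address a log line actually supports, or None if it was lost.
    Only hops appended by our own load balancer are trusted; X-Forwarded-For
    is walked from the right so client-supplied prefixes are never believed."""
    if not is_lb_address(remote):
        return remote                    # direct request: %h is the real client
    if not xff or xff == "-":
        return None                      # LB did not forward the client address
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if is_lb_address(hop):
            continue                     # skip our own proxy hop(s)
        try:
            return str(ip_address(hop))  # first untrusted hop seen by the LB
        except ValueError:
            return None                  # malformed or tampered header value

def audit(log_text: str) -> dict:
    """Count lines whose source is attributable versus already lost."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        counts["lost" if true_client_ip(m["remote"], m["xff"]) is None else "attributed"] += 1
    return dict(counts)
```

Run against a real access log, a non-zero "lost" count is the misconfiguration the questions above are meant to surface, and it should be fixed before an incident rather than discovered during one.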
Any misconfigurations should be urgently addressed. In the event of an attack, no organization can afford to struggle to answer simple questions about activity on the network—especially when this is one part of the crisis that can be 100% avoided.