Using the Sensor to protect encrypted traffic

April 17, 2024

ID 203036

The solution involves sending a copy of SPAN traffic and web server logs to the KDP Sensor in real time.


HTTPS traffic protection mechanism without transmitting a secret key

Use of a Kaspersky DDoS Protection Sensor lets you "clean" a Customer's encrypted traffic at the unencrypted level. This ensures the maximum possible quality of filtering without transmitting an SSL certificate outside of the Customer's infrastructure. To receive all the necessary information about encrypted traffic, the Customer's web servers send a log of requests in UDP Syslog format to the Sensor in real time.

A log entry string must contain the following fields:

  • server_addr:server_port – IP address and port of the server receiving the request (IP address of the Protected resource);
  • remote_addr:remote_port – IP address and port of the Customer that established the connection with the Protected resource;
  • remote_port – port of the Customer;
  • time_local – time of the request;
  • scheme – application-layer protocol (HTTP or HTTPS);
  • request – the HTTP request line;
  • status – server response code;
  • http_host – value of the Host header in the HTTP request;
  • http_referer – value of the Referer header in the HTTP request;
  • http_user_agent – value of the User-Agent header in the HTTP request;
  • http_accept – value of the Accept header in the HTTP request.

It is strongly recommended that a log entry string also contain the following fields:

  • ssl_session_id – ID of the SSL session;
  • ssl_session_reused – 1 if the SSL session is reused.

The fields must be separated by a double hash ("##"). The line must start with the double delimiter "####" and should preferably end with the "##" delimiter as well.

An example of a correct log:

####10.1.10.113:443##111.11.111.11:3000##02/Jun/2022:16:36:29 +0300##https##GET /api/v1/news?_sort=beginShowDate-&_sort=dateTime- HTTP/1.1##304##online.site.ru##http://localhost/##Mozilla/5.0 (Linux; Android 12; RMX3363 Build/RKQ1.210503.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/101.0.4951.61 Mobile Safari/537.36##
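The following is an added example, not Kaspersky's or the Sensor's own code: it builds a log line in the "##" format described above from a record and parses one back, reporting which required fields are absent and rejecting a value that itself contains the delimiter (which would shift every later field). It assumes the fields appear in the order listed on this page, as the sample line above does; the record values are constructed.

```python
# Added example (not Kaspersky code): serialise and validate '##'-delimited lines.
REQUIRED = ["server_addr:server_port", "remote_addr:remote_port", "time_local",
            "scheme", "request", "status", "http_host", "http_referer",
            "http_user_agent", "http_accept"]
OPTIONAL = ["ssl_session_id", "ssl_session_reused"]   # strongly recommended
DELIM = "##"

def format_line(fields: dict) -> str:
    """Leading '####', fields joined by '##', closing '##'; order as listed above."""
    names = REQUIRED + [n for n in OPTIONAL if n in fields]
    values = [str(fields.get(n, "")) for n in names]
    for v in values:
        if DELIM in v:  # a header value containing '##' would shift later fields
            raise ValueError(f"field value contains delimiter: {v!r}")
    return DELIM * 2 + DELIM.join(values) + DELIM

def parse_line(line: str) -> dict:
    """Map a line back to field names; absent fields are None, 'missing' lists them."""
    if not line.startswith(DELIM * 2):
        raise ValueError("line must start with '####'")
    body = line[len(DELIM) * 2:]
    if body.endswith(DELIM):          # the closing delimiter is optional
        body = body[:-len(DELIM)]
    values = body.split(DELIM)
    names = REQUIRED + OPTIONAL
    if len(values) > len(names):
        raise ValueError(f"{len(values)} fields, expected at most {len(names)}: "
                         "a value probably contains '##'")
    rec = {n: (values[i] if i < len(values) else None) for i, n in enumerate(names)}
    rec["missing"] = [n for n in REQUIRED if not rec[n]]
    return rec

# Constructed sample record (addresses, hostnames and session id are made up).
SAMPLE = {
    "server_addr:server_port": "10.1.10.113:443",
    "remote_addr:remote_port": "111.11.111.11:3000",
    "time_local": "02/Jun/2022:16:36:29 +0300", "scheme": "https",
    "request": "GET /api/v1/news HTTP/1.1", "status": "304",
    "http_host": "online.site.ru", "http_referer": "http://localhost/",
    "http_user_agent": "Mozilla/5.0 (Linux; Android 12)",
    "http_accept": "application/json",
    "ssl_session_id": "0123abcd", "ssl_session_reused": "1",
}

if __name__ == "__main__":
    line = format_line(SAMPLE)
    print(line, parse_line(line)["missing"])   # [] when every required field is set
```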

In addition, a document with examples of configuration for various web servers can be provided on request to a Customer.

Use of this mechanism does not require transmission of a certificate or of a decrypted copy of encrypted traffic to the Kaspersky DDoS Protection Sensor. This ensures full compliance with the requirements of various regulators.
