Information Security

Design and Implementation of a Cloud-Based Web Application Firewall at Ctrip

This article describes Ctrip's challenges with traditional hardware and cloud WAFs, presents a low‑cost, DNS‑based cloud WAF solution, and details its closed‑loop design, rule management, big‑data analytics, and machine‑learning techniques for accurate web security protection.

Ctrip Technology

Facing high costs and inflexibility of hardware WAFs and limitations of commercial cloud WAFs, Ctrip's security team needed a low‑cost, low‑risk method to protect web services against threats such as malicious IPs, SQL injection, XSS, and zero‑day vulnerabilities.

The chosen solution is a cloud‑based Web Application Firewall (WAF) that is independent of backend services; deployment changes are limited to DNS redirection, providing a centralized platform without client modifications.

Key features include a centralized platform, DNS‑only integration, and shared detection information. The system follows a closed‑loop design: external and internal rule sources are dynamically loaded into a Storm‑based real‑time traffic processing framework for detection‑only testing, with offline analysis of alerts to refine rules.

Implementation uses Tengine and LuaJIT for high‑performance detection logic, exposing a RESTful API for management. Logs are streamed via Kafka, stored in Elasticsearch, and visualized in Kibana, while supervised machine‑learning models classify false‑positive logs.
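The detection core sketched above (rules loaded dynamically, a detect-only mode for new rules, one-click enable/disable and bypass, alerts streamed as structured logs) can be modelled in a few dozen lines. The block below is an added illustration and is not Ctrip's Lua/Tengine code: the JSON rule format, the rule ids and patterns, the host names, client IPs and requests are all constructed for this example, and Python stands in for the LuaJIT logic so it runs stand-alone. Each alert is emitted as a JSON line of the kind that would be published to Kafka and indexed in Elasticsearch.

```python
"""Minimal model of a WAF detection core: rules are parsed from a JSON
document so they can be swapped at runtime, each protected site runs in one of
three modes (detect-only, block, bypass), and every rule hit is emitted as a
JSON alert record. Added illustration, not Ctrip's code; the rule format, rule
ids, patterns and sample requests are constructed for this example."""
import json
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus


@dataclass
class Rule:
    rule_id: str
    name: str
    pattern: re.Pattern
    targets: tuple          # request parts to inspect: "path", "query", "body", "headers"
    enabled: bool = True


# Constructed rule document (hypothetical format). Patterns are deliberately
# simple; real rule sets are far larger and are tuned by the feedback loop.
RULES_JSON = json.dumps([
    {"id": "sqli-001", "name": "SQL injection (tautology / UNION SELECT)",
     "pattern": r"('\s*(or|and)\s+\S+=\S+|\bunion\b\s+(all\s+)?\bselect\b)",
     "targets": ["path", "query", "body"]},
    {"id": "xss-001", "name": "Reflected XSS markers",
     "pattern": r"(<\s*script\b|javascript\s*:|\bon\w+\s*=)",
     "targets": ["query", "body"]},
])


def load_rules(rule_json: str) -> dict:
    """Parse a JSON rule list into {rule_id: Rule}; regexes are compiled once at load time."""
    rules = {}
    for r in json.loads(rule_json):
        rules[r["id"]] = Rule(r["id"], r["name"], re.compile(r["pattern"], re.I),
                              tuple(r["targets"]), r.get("enabled", True))
    return rules


class Waf:
    MODES = ("detect", "block", "bypass")

    def __init__(self, rules: dict, default_mode: str = "detect"):
        self.rules = rules
        self.default_mode = default_mode   # new sites and new rules start in detect-only mode
        self.site_mode = {}                # per-host override, switched via the management API
        self.alert_log = []                # JSON lines that would be published to Kafka

    def set_mode(self, host: str, mode: str) -> None:
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.site_mode[host] = mode

    def set_rule_enabled(self, rule_id: str, enabled: bool) -> None:
        self.rules[rule_id].enabled = enabled      # one-click enable/disable

    def reload_rules(self, rule_json: str) -> None:
        self.rules = load_rules(rule_json)        # hot reload, no proxy restart

    @staticmethod
    def _parts(req: dict) -> dict:
        # Decode percent-encoding once so rules inspect the payload the backend would see.
        headers = " ".join(f"{k}: {v}" for k, v in req.get("headers", {}).items())
        return {"path": unquote_plus(req.get("path", "")),
                "query": unquote_plus(req.get("query", "")),
                "body": unquote_plus(req.get("body", "")),
                "headers": headers}

    def inspect(self, req: dict) -> dict:
        host = req.get("host", "")
        mode = self.site_mode.get(host, self.default_mode)
        if mode == "bypass":                      # emergency switch: forward untouched
            return {"action": "pass", "mode": mode, "matches": []}
        parts = self._parts(req)
        matches = []
        for rule in self.rules.values():
            if not rule.enabled:
                continue
            for target in rule.targets:
                m = rule.pattern.search(parts[target])
                if m:
                    matches.append({"rule_id": rule.rule_id, "target": target,
                                    "evidence": m.group(0)[:64]})
                    break                          # one alert per rule per request
        action = "block" if (mode == "block" and matches) else "pass"
        for m in matches:
            self.alert_log.append(json.dumps({"host": host, "path": req.get("path", ""),
                                              "client_ip": req.get("client_ip", ""),
                                              "mode": mode, "action": action, **m}))
        return {"action": action, "mode": mode, "matches": matches}


if __name__ == "__main__":
    waf = Waf(load_rules(RULES_JSON))
    probe = {"host": "www.example.test", "path": "/hotel", "client_ip": "203.0.113.7",
             "query": "id=1%27+or+1%3D1+--"}       # constructed request
    print(waf.inspect(probe))                       # detect-only: passed, but sqli-001 is logged
    waf.set_mode("www.example.test", "block")
    print(waf.inspect(probe))                       # block mode: blocked
```

The point of the design is that `mode` and `enabled` are the only things an operator has to flip: a new rule is rolled out in detect mode, its alert lines are analysed offline, and only then is the site moved to block. Note that the alert carries the matched evidence and the mode it fired in, which is exactly what the later false-positive review needs.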

Big‑data processing leverages Storm for real‑time traffic analysis and Spark Streaming with MLlib (SVM) for offline classification, enabling dynamic rule updates and automated responses such as one‑click enable/disable, bypass, and mode switching.
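The offline side of the loop (supervised classification of false-positive alerts, as mentioned for both the Kafka/Elasticsearch pipeline and the Spark Streaming/MLlib stage) is illustrated by the added example below. It is not Ctrip's code: the production design uses Spark MLlib's SVM, whereas this block trains a linear SVM with a hand-written hinge-loss SGD loop so it runs without a Spark cluster. The feature set, the alert ids, the evidence strings and the analyst labels are all constructed, and the hand-crafted features are only one plausible choice.

```python
"""Offline false-positive triage for WAF alerts: turn each alert's matched
evidence into a small numeric feature vector, train a linear SVM on
analyst-labelled alerts, then score new alerts so likely false positives go to
rule review instead of being blocked. Added illustration, not Ctrip's code; the
real pipeline uses Spark MLlib, this block uses a hand-written SGD trainer.
Alerts, labels and features are constructed for this example."""
import re

KEYWORDS = re.compile(r"\b(select|union|from|where|or|and|sleep|benchmark)\b", re.I)
PUNCT = set("'\";=()<>-")
SQL_GRAMMAR = re.compile(r"(union\s+select|select\b.+\bfrom\b|\bor\s+\S+=\S+|sleep\s*\()", re.I)


def features(evidence: str) -> list:
    """Bias, SQL keyword count, injection punctuation count, SQL-grammar flag.
    Keyword hits alone are what trips a naive rule on ordinary hotel searches."""
    return [1.0,
            float(len(KEYWORDS.findall(evidence))),
            float(sum(c in PUNCT for c in evidence)),
            1.0 if SQL_GRAMMAR.search(evidence) else 0.0]


# Constructed training set: (alert_id, matched evidence, analyst label)
# label +1 = real attack, -1 = false positive raised by a keyword rule.
LABELLED = [
    ("a1", "1' or 1=1 --", 1),
    ("a2", "1 union select username,password from users", 1),
    ("a3", "' or ''='", 1),
    ("a4", "(select sleep(5))", 1),
    ("a5", "best hotel near union station", -1),
    ("a6", "select your dates and room", -1),
    ("a7", "rock and roll bars", -1),
    ("a8", "order from menu or pickup", -1),
]


def dot(w: list, x: list) -> float:
    return sum(wi * xi for wi, xi in zip(w, x))


def train_svm(labelled, lr: float = 0.02, lam: float = 1e-4, epochs: int = 1500) -> list:
    """Linear SVM via SGD on the L2-regularised hinge loss (Pegasos-style, fixed step).
    The sample order is fixed, so the result is deterministic."""
    samples = [(features(ev), float(y)) for _, ev, y in labelled]
    w = [0.0] * 4
    for _ in range(epochs):
        for x, y in samples:
            if y * dot(w, x) < 1.0:        # margin violation: step along y*x
                w = [wi - lr * (lam * wi - y * xi) for wi, xi in zip(w, x)]
            else:                          # only the regulariser contributes
                w = [wi * (1.0 - lr * lam) for wi in w]
    return w


def predict(w: list, evidence: str) -> int:
    return 1 if dot(w, features(evidence)) > 0 else -1


def triage(w: list, alerts) -> tuple:
    """Split (alert_id, evidence) pairs into alerts to escalate and alerts to
    send back to rule review as probable false positives."""
    escalate, review = [], []
    for alert_id, evidence in alerts:
        (escalate if predict(w, evidence) == 1 else review).append(alert_id)
    return escalate, review


if __name__ == "__main__":
    model = train_svm(LABELLED)
    print("weights:", [round(v, 3) for v in model])
    print(triage(model, [(a, ev) for a, ev, _ in LABELLED]))
```

The training set is tiny and linearly separable, so the classifier converges to a clean split; the value of the pattern in production is not the model itself but the loop it closes: alerts predicted as false positives point at the rule and the URL pattern that need a narrower regex or a whitelist entry, and that change is then re-tested in detect-only mode.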

Future work focuses on improving efficiency, adding functionality, and balancing performance against detection accuracy, including automation for unattended operation, automatic whitelisting, and identification of suspicious access.

Tags: big data, machine learning, devops, Cloud Security, Web Application Firewall
Written by Ctrip Technology: the official Ctrip Technology account, sharing and discussing growth.