WAF DDoS: how to protect yourself with Cloud Protector
Web Application Firewall (WAF) Definition
Web Application Firewall (WAF) protects web applications and APIs from various attacks such as those highlighted in the OWASP Top 10 (SQL injections, cross-site scripting (XSS) etc.), application layer denial of service (DoS) attacks such as amplification or Slowloris attacks, zero day attacks etc. It filters, analyzes and blocks the content of HTTP / HTTPS requests in incoming traffic, based on their behavior and logic. This helps to protect your web resources from malicious users and distinguish legitimate users from unwanted DDoS traffic.
Request Rate Limitation
Today, most web application firewalls use rate limiting to protect against flooding attacks. It is important to check the backend request rate to limit the damage caused by these attacks and reduce downtime. If you know which parts of your web application are most susceptible to DoS attacks, you can set the maximum acceptable request rate for them. If a user does not comply with the rate limiting rule you set, you can choose a predefined response like blocking them for a certain time or redirecting them to a captcha page. Therefore, it is beneficial to add rate limiting functionality to your network layer protection.
Blacklist and whitelist (whitelist / blacklist)
Establishing a traffic blacklist or whitelist could also be an interesting strategy for filtering web traffic. They can be beneficial when you want to block application-level attacks by preventing malicious requests from ‘crashing’ the server or making it unavailable. The most effective way to use a blacklist is to work with generic templates, instead of creating a template for each vulnerability. This technique blocks zero day attacks, DDoS attacks, and leads to better performance. When generic models cannot detect certain vulnerabilities, a specific model must be created to block them.
APIs, on the other hand, are meant to be managed by a positive security model. When creating an API, users know what type of data is expected by each endpoint. Developers create Swagger or OpenAPI files that describe the API’s behavior. A good whitelisting technology is able to work with these standard formats and enforce them. Both blacklisting and whitelisting methods are complementary and a good WAF should be able to handle both.
Threat intelligence and geolocation
To complement the approaches discussed above, good WAFs also use Threat Intelligence to block matching IP addresses during an attack. Leveraging a real-time Threat Intelligence database effectively protects customers from the threats posed by malicious IP addresses. Once the incoming customer’s IP address is tested against the IP reputation database, it returns a reputation score along with the threat category of the customer’s IP address. Then, based on this score, you can decide to blacklist the attacking IP. IP addresses used by botnets usually have a negative reputation, as they have already carried out other attacks. This way you can block about 40% of a botnet based on its bad IP reputation.
Geo-blocking is another good solution. When a large portion of malicious IP addresses originate from certain countries in the world, you can block them with this feature.
Request your 14 days free
How do UBIKA’s solutions protect you?
An anti-DDoS WAF protection
UBIKA aspires to protect you against all types of DoS and DDoS attacks. Using security engines based on 20 years of proven expertise ensures you get the best level of protection while limiting false positives. This is important because attackers can still be successful if the false positive rate is high because you end up denying access to your real visitors.
Cloud Protector offers more bandwidth to absorb malicious traffic and more resources than a private network, being a SaaS WAF solution. It uses underlying technologies to filter web traffic such as geolocation, IP reputation, signature matching, blacklisting and whitelisting, rate limiting, etc. In this way, it blocks malicious traffic without spoiling the user experience of your customers.
A SaaS-based WAF can provide good and fast DoS attack mitigation techniques, but it still needs to detect the attack earlier in the architecture. After all, the sooner you realize the problems within your web application, the less damage you will suffer. Also, a WAF can’t be the only security solution if you want to take a proactive approach to DDoS. A good strategy with the operator is imperative to protect your infrastructure. The strategies described in this article really work after proper traffic sanitization by a DDoS protection layer at the carrier, or when an application attack does not generate much traffic. In addition, you should always incorporate some best practices for overall DDoS protection.
A WAF, a quality carrier and some good security practices combined are your best bet against a DDoS attack. To learn more, check out our page on DDDoS protection.