What is a Web application firewall (WAF)?

Web application firewall (WAF) protects web applications and APIs from different attacks like those highlighted in OWASP Top 10 (SQL injections, cross-site scripting (XSS) etc), application layer denial of service (DoS) attacks like amplification attacks or Slowloris, zero day attacks etc. It filters, analyzes and blocks contents of the HTTP / HTTPS request in the incoming traffic, against their behavior and logic. This safeguards your web assets from malicious users and helps distinguish between legitimate users and unwanted DDoS traffic.


Rate limiting

Today, most web application firewalls use rate limiting to protect against application flooding attacks. It is important to check the rate of backend requests to curb the damage from these dos attacks and reduce downtime. If you know which parts of your web application are the most susceptible to DoS attacks you can define the maximum acceptable request rate for them. If a user disregards the rate-limiting rule set by you, you can choose the response like block them for some time or redirect them to a captcha page. Therefore, it is beneficial to accompany your network layer protection with rate limiting attributes.

Blacklisting or whitelisting of web traffic

Blacklisting or whitelisting of traffic could also be a worthwhile strategy in the filtering of web traffic. They can prove beneficial when you want to block applicative level attacks by preventing malicious requests from crashing the server or making it unavailable. The most effective way to use a blacklist is to work with generic patterns, instead of creating a pattern for each vulnerability. This technique allows blocking of zero day attacks, DDoS attacks, and leads to better performance. When generic patterns cannot detect certain vulnerabilities, there should be a dedicated pattern, in order to block them. APIs, on the contrary, are meant to be handled by a positive security model. By creating an API, users know the kind of data each endpoint expects. Developers create Swagger or OpenAPI files that describe API behavior. A good whitelisting technology is able to work with these standards formats and enforce them. Both blacklisting and whitelisting methods are complementary to each other and the right WAF would be able to manage both.  

Threat intelligence and Geo blocking

To complement the above-discussed approaches, good WAFs also use threat intelligence to block matching IP addresses during an attack. Leveraging a real time threat intelligence database helps protect customers effectively against threats posed by malicious IP addresses. Once the incoming client IP is tested against the IP reputation database, it returns a reputation score along with the threat category of the client IP. Then, depending on this score, you can decide whether to blacklist the attacking IP. IP addresses used by botnets usually have a negative reputation since they have already performed other attacks. This way you can block approximately 40% of a botnet based on its bad IP reputation. Geo blocking is another fine solution. When a large part of the malicious IP addresses is coming from certain countries in the world, you can block them, thanks to this feature.

How Rohde & Schwarz Cybersecurity solutions protect you?

Anti-DDoS WAF protection

Rohde & Schwarz Cybersecurity  aspires to protect you from all types of DoS and DDoS attacks. Utilizing security engines built on 20 years of proven expertise ensures you the best level of protection while limiting false positives. This is an important aspect, for the attackers still get to be victorious, if the false positive rate is high as you end up refusing access to your genuine visitors.

R&S®Cloud Protector offers more bandwidth to absorb malicious traffic and more resources than a private network, being a SaaS WAF solution It uses underlying technologies for filtering the web traffic like geoloc, IP reputation, comparison of signatures, blacklisting and whitelisting, rate limiting etc. This way it obstructs malicious traffic without spoiling the user experience of your clients.

A SaaS WAF can provide good and quick mitigation techniques for DoS attacks, but they still need to detect the attack earlier in the architecture. After all, the sooner you realize the problems within your web application, the lesser damage you will incur. Moreover, a WAF cannot be the only security solution if you want to take a proactive approach to DDoS. A good operator strategy is imperative for defending your infrastructure. The strategies described in this article work fine after proper sanitization of the traffic by an operator-level DDoS protection layer, or when an applicative attack does not generate a lot of traffic. In addition, you always need to incorporate some best practices for a holistic anti DDoS protection.

A WAF, a quality operator and some security best practices combined are your best bet against a DDoS attack. Read more on this in our anti-DDoS protection article