Why WAF & DDoS – A Perfect Prearranged Marriage
David Monahan is Research Director for Enterprise Management Associates (EMA) and is a featured guest blogger.
In previous blogs I have written about DDoS attacks and the inadequacies of relying on ISP and cloud-based DDoS attack scrubbing alone. In this blog I am going to explain why WAF and DDoS filtering make a great pair, focusing on the differences between the web application firewall (WAF) and DDoS filtering and on the benefits of combining them.
When discussing DDoS defenses, we must note that there are both on- and off-premises filtering solutions. Off-premises approaches are either ISP or cloud-based: the majority of the filtering takes place away from the target's network, and they are generally better at the bulk filtering associated with volumetric attacks. On-premises solutions use an appliance that sits near the target network's edge and filters DDoS traffic there. These solutions are generally better at filtering encryption-, protocol-, and web application-based attacks.
On-premises DDoS solutions have come a long way in the past few years. Huge breakthroughs have been made in their ability to identify and filter web application DDoS attacks. These attacks attempt either to exploit specific functions or features of a web-facing application in order to render them inoperable, or to research, identify, and exploit a broader set of vulnerabilities within an organization's network architecture. The former can manifest itself as anything from disrupting transactions or stopping access to the backend databases to stopping search functionality, disrupting browser access, or stopping other services within a web application, such as email notifications. The latter can manifest itself in multiple ways, but is often a two-phase attack in which the first phase renders a web application dysfunctional and the second phase then exploits another web application and exfiltrates its data. Ultimately, success in mitigating web application DDoS attacks requires correctly separating real human traffic from simulated traffic generated by bots and hijacked browsers, and filtering out the latter.
WAF technology works a little differently. While WAFs can analyze HTTP requests, they also protect more of the application stack. WAFs seek to identify how an application works beyond the communications layer. They analyze the types of requests, and the inputs for those requests, presented to the underlying application to discern how “normal” requests and inputs should be constructed and delivered to the application. The underlying technology can be used for any commercial off-the-shelf (COTS) or custom application, but must either learn about or be tuned for the function of each specific application in the environment it protects. Since the WAF looks for attacks leveraged against the underlying application functionality, it can detect not only common attacks such as SQL injection (SQLi) and cross-site scripting (XSS or CSS), but also other modified or custom-constructed queries and inputs that attempt to trick, defraud, or compromise an application in some way, all of which are outside the purview of a DDoS attack mitigation solution.

In addition to identifying untrustworthy application interactions, newer WAF technologies can also create user fingerprints from the way users behave in their interactions with the application. Both malicious and nonmalicious application users tend to behave in a consistent manner when using an application, so users can be identified by the way they move through the application and what parts they interact with. The way the user interacts with the application does not change when the user's domain affiliation and/or IP address changes, so the fingerprint is unaffected and the WAF solution can still recognize that user as a previously seen good or bad client.
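The behavioral fingerprinting described above can be sketched as follows. This is an added example, not code from the original post or from any WAF product; the log records, the session cookie field, the transition-count fingerprint, the cosine-similarity match and the 0.8 threshold are all assumptions made for illustration.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample records: (client_ip, session_cookie, request_path).
LOG = [
    ("198.51.100.7", "a", "/"), ("198.51.100.7", "a", "/search"),
    ("198.51.100.7", "a", "/product/12"), ("198.51.100.7", "a", "/cart"),
    ("198.51.100.7", "a", "/checkout"),
    ("192.0.2.10", "b", "/"), *[("192.0.2.10", "b", "/search")] * 5,
    # Later visits from addresses that were never seen before:
    ("203.0.113.50", "c", "/"), *[("203.0.113.50", "c", "/search")] * 4,
    ("203.0.113.99", "d", "/"), ("203.0.113.99", "d", "/search"),
    ("203.0.113.99", "d", "/product/77"), ("203.0.113.99", "d", "/cart"),
    ("203.0.113.99", "d", "/checkout"),
    ("203.0.113.5", "e", "/about"), ("203.0.113.5", "e", "/contact"),
]

def fingerprint(paths):
    """Behavioral fingerprint: counts of page-to-page transitions."""
    # Collapse numeric IDs so /product/12 and /product/77 are the same step.
    steps = [re.sub(r"/\d+", "/{id}", p) for p in paths]
    return Counter(zip(steps, steps[1:]))

def cosine(a, b):
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = (math.sqrt(sum(v * v for v in a.values()))
            * math.sqrt(sum(v * v for v in b.values())))
    return dot / norm if norm else 0.0

def sessions(records):
    """Group paths by session cookie; the client IP is deliberately ignored."""
    out = defaultdict(list)
    for _ip, sid, path in records:
        out[sid].append(path)
    return out

def classify(paths, profiles, threshold=0.8):
    """Return (label, score) for the closest stored profile, else 'unknown'."""
    fp = fingerprint(paths)
    label, score = max(((name, cosine(fp, prof)) for name, prof in profiles.items()),
                       key=lambda pair: pair[1])
    return (label if score >= threshold else "unknown", round(score, 3))

S = sessions(LOG)
# Assumption: sessions "a" and "b" were labelled earlier by observation.
PROFILES = {"good": fingerprint(S["a"]), "bad": fingerprint(S["b"])}

if __name__ == "__main__":
    for sid in ("c", "d", "e"):
        print(sid, classify(S[sid], PROFILES))
```

Session "c" matches the stored "bad" profile even though its address has never been seen, because only the movement through the application is compared.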
Both WAF and on-premises DDoS mitigation solutions may use device fingerprinting to identify both “good” and “bad” users. Good users are identified by consistent behavior that stays within normal parameters when interacting with the application, while bad users are the opposite. To create the device fingerprint, the WAF or DDoS solution interrogates the client, gathering many different information points about the device in order to uniquely identify it. New devices are monitored while interacting with the application, then classified as good or bad and added to a database for reference should they attempt to communicate again in the future. Device fingerprinting is also domain and IP independent, so users can be identified no matter where they come from.
While both technologies work using variations of pattern matching (signatures) to capture simple attacks, the solutions that apply behavioral analysis to filter out the more sophisticated attacks are able to capture more advanced client and application interactions and thus provide a highly complementary and more effective solution set. Each can operate within its own domain without the other, but companies using either solution alone are more likely to experience successful attacks leading to service degradation and outages. Combining the two technologies creates a situation where the sum of the parts is greater than each individually thus making the investment in both technologies.