David Monahan is Research Director for Enterprise Management Associates (EMA) and is a featured guest blogger.
In previous blogs I have written about DDoS attacks and the inadequacies of using ISP and cloud-based DDoS attack scrubbing by themselves. However, in this blog I am going to speak to why WAF and DDoS filtering make a great pair, focusing on the difference between and the benefits of combining the web application firewall (WAF) and DDoS filtering.
When discussing DDoS defenses, we must note that there are both on and off-premises filtering solutions. Off-premises approaches are either ISP or cloud-based where the majority of the filtering takes place away from the target’s network and are generally better at bulk filtering associated with volumetric attacks. On-premises solutions have an appliance that sits near the targets network’s edge, filtering DDoS traffic. These solutions are generally better at filtering encryption, protocol, and web application-based attacks.
On-premises DDoS protection solutions have come a long way in the past few years. Huge breakthroughs have been made in their ability to support identification and filtering of web application DDoS attacks which attempt to either exploit specific functions/features within a web-facing web application in order to render those functions/features inoperable or to research, identify, and exploit a broader set of vulnerabilities with an organization’s network architecture. The former can manifest itself as anything from disrupting transactions and/or stopping access to the backend databases to stopping search functionality, disrupting browser access or stopping other services within a web application, such as email notifications. The latter can manifest itself in multiple ways, but is often a two phased attack where the first phase renders an web application dysfunctional and the second phase then exploits another web application and exfiltrates its data. Ultimately, success in mitigating web application DDoS attacks requires correctly segregating and filtering incoming human traffic (real) from simulated traffic generated by bots and hijacked browsers.
WAF technology works a little differently. While WAFs can analyze HTTP requests, they also protect more of the application stack. WAFs seek to identify how an application works beyond the communications layer. They analyze the types of requests and inputs for those request presented to the underlying application to discern how “normal” requests and inputs should be constructed and delivered to the application. The underlying technology can be used for any commercial, off-the-shelf (COTS) or custom applications, but must either learn about or be tuned for the function of each specific application in the environment it protects. Since the WAF looks for attacks leveraged against the underlying application functionality, it can detect not only common attacks such as SQL injection (SQLi) and cross-site scripting (XSS or CSS), but can also detect other modified or custom constructed queries and inputs targeted at an application attempting to trick, defraud, or compromise an application in some way–each of which are outside the purview of a DDoS attack mitigation solution. In addition to identifying untrustworthy application interactions, newer WAF technologies can also create user fingerprints by the way users behave in the interactions with the application. Both malicious and nonmalicious application users tend to behave in a consistent manner when using an application so users can be identified by the way they move through the application and what parts they interact with. The way the user interacts with the application is not affected by changing the users’ domain affiliation and/or IP address and thus does not affect the fingerprint, so the WAF solution can still detect that user as previously being a good or bad client.
Both WAF and on-premises DDoS mitigation solutions may use device fingerprinting to identify both “good” and “bad” users. Good users are identified by consistent behaviors that are interacting with the application within normal parameters while bad users would be the opposite. To create the device fingerprint, the WAF or DDoS solution interrogates the client gathering many different information points about the device in order to uniquely identify that device. New devices are monitored while interacting with the application, then classified as good or bad and added to a database for future reference should they attempt to communicate again in the future. Device fingerprinting is also domain and IP independent so users can be identified no matter where they come from.
While both technologies work using variations of pattern matching (signatures) to capture simple attacks, the solutions that apply behavioral analysis to filter out the more sophisticated attacks are able to capture more advanced client and application interactions and thus provide a highly complementary and more effective solution set. Each can operate within its own domain without the other, but companies using either solution alone are more likely to experience successful attacks leading to service degradation and outages. Combining the two technologies creates a situation where the sum of the parts is greater than each individually thus making the investment in both technologies.
Download Radware’s DDoS Handbook to get expert advice, actionable tools and tips to help detect and stop DDoS attacks.
David is a senior information security executive with over 15 years of experience. He has organized and managed both physical and information security programs, including Security and Network Operations for organizations ranging from Fortune 100 companies to local government and small public and private companies. He has diverse Audit and Compliance and Risk and Privacy experience – providing strategic and tactical leadership, developing, architecting and deploying assurance controls, delivering process and policy documentation and training, as well as other aspects associated with educational and technical solutions. Aside from his full-time practice in the security field, David has been an adjunct faculty member for Capitol College in Laurel, Maryland since 2007, providing security instruction on both the undergraduate and graduate level. He has also presented briefings to numerous forums including SANSFire, Forrester and the Colorado Digital Government Conference.