7

How to protect a web application from DDoS by the implementation of Web Application firewalls?

How effective is this method?

Anonymous Platypus
  • Going to need more information, Apache / Tomcat / Nginx / $commercial_appliance e.g. mod_evasive for Apache, whilst not a WAF per se, can be combined with mod_security to aid in DoS / DDoS mitigation (layer7) – Oneiroi Nov 10 '14 at 11:06

2 Answers

7

You might want to clarify if you're looking for DoS or DDoS protection. See this answer for more details.

In a typical web-application architecture, the WAF stands in front of your web-application, either in your network zone (e.g. DMZ) or within an external service provider network that filters the traffic for you. In case of a DDoS attack, the WAF will be hit by the traffic load before your web-application, and it can even become a point of failure in the network flow. Keep in mind that the objective of a DDoS attack is to flood your bandwidth or resources. Configuring your WAF to reject or block incoming traffic based on rules/patterns/signature (e.g. source IP addresses, protocol etc.) might help, but it might not be able to handle the huge volume of incoming requests or connections.

In short, WAF is usually not enough to mitigate DDoS attacks. For details regarding further DDoS protection, you might want to look at this question, or this one.

ack__
  • 1
    Good answer. The exception to this rule is WAF/anti-DDoS integrated solutions. For example, a company I work for deploys WAF from a CDN network which can process +750Gig per second. This will help against volumetric attacks (amplification and floods) and also filter malicious requests to applications. – Igal Zeifman Nov 10 '14 at 13:39
  • 1
    Right, although in this case the protection doesn't come from the WAF itself, but rather from the 750Gbps+ pipe provided by the CDN. – ack__ Nov 10 '14 at 16:15
  • @ack__ Nice answer. I hope this is the one I am looking for! – Anonymous Platypus Nov 11 '14 at 05:23
  • @Igal Zeifman I have a small doubt regarding that. If 750 Gbps of data is allowed to pass over the firewall, then is there a possibility that the web application might fail, provided it cannot resist such a large amount of load? Then what is the point of producing such WAFs? – Anonymous Platypus Nov 11 '14 at 05:26
  • 1
    @AnonymousPlatypus: Indeed, the web-app could become the point of failure if the WAF lets the traffic go through. Keep in mind that WAF is mainly about content control, not volume control. – ack__ Nov 11 '14 at 13:22
  • 1
    @AnonymousPlatypus 750Gbps is how much inbound traffic we can process, not the amount we forward to firewall or to origin. For example, say we have a 100Gbps SYN flood + 100 RPS SQLis to the same site. Flood is filtered 1st and the rest is forwarded to WAF, where the SQLI requests are filtered out. That way WAF is never a SPOF. – Igal Zeifman Nov 12 '14 at 13:15
-4

There are various solutions on the market which can be used to protect against DDoS attacks, and it depends on the device, meaning which methods the device uses to protect against layer 7 DDoS. If you want to use products available on the market, then that's fine, because most of the products use the same good techniques; or, if you are planning to use iptables, then you need to check the logs for the IPs which are used to request your application frequently. In this method you have to use some threshold value, such that when the threshold value is reached you add that IP to a blacklist and DROP the requests from that IP. Some products on the market use single packet authorization or a port knocking mechanism, which is itself a great idea for preventing DoS and DDoS attacks.

ifexploit
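
The log-threshold approach described in the answer above, as an added example that is not part of the original post: it counts requests per source IP in a sliding window over constructed sample log lines and renders an iptables DROP rule for each address over the threshold. The function names, threshold, window and allowlist are assumptions chosen for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (common log format, documentation-range IPs).
SAMPLE_LOG = (
    [f'203.0.113.7 - - [10/Nov/2014:11:06:{s:02d} +0000] "GET /search HTTP/1.1" 200 512'
     for s in range(8)]                      # 8 requests in 8 seconds
    + [f'198.51.100.20 - - [10/Nov/2014:11:0{m}:00 +0000] "GET / HTTP/1.1" 200 1024'
       for m in (7, 8, 9)]                   # 1 request per minute
    + ['$(reboot) - - [10/Nov/2014:11:09:30 +0000] "GET / HTTP/1.1" 400 0',
       'truncated line']                     # junk that must never reach a shell
)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')

def find_offenders(lines, threshold=5, window=timedelta(seconds=10), allowlist=()):
    """Map each source IP that exceeds `threshold` requests inside any sliding
    `window` to the timestamp at which it first crossed the threshold."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # malformed line: skip it
        try:
            ip = str(ipaddress.ip_address(m.group(1)))  # reject non-IP client fields
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        if ip in allowlist:
            continue              # e.g. your own monitoring or reverse proxy
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # forget requests older than the window
        if len(q) > threshold:
            offenders.setdefault(ip, ts)
    return offenders

def drop_rules(offenders):
    """Render one DROP rule per offender; addresses were validated above."""
    rules = []
    for ip in offenders:
        tool = "ip6tables" if ":" in ip else "iptables"
        rules.append(f"{tool} -I INPUT -s {ip} -j DROP")
    return rules

if __name__ == "__main__":
    print("\n".join(drop_rules(find_offenders(SAMPLE_LOG))))
```

As the first answer notes, a per-IP rule like this only filters traffic that has already reached the host, so it addresses request-rate abuse from individual sources rather than a flood that saturates the link.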