How does a WAF help to protect against DDoS attacks?

Is a WAF the best defense against a DDos attack? What are the most effective ways of protecting a business against DDoS attacks? 

44 Answers

author avatar
Top 5Real User

Although WAF and DDoS have their own individual strengths and capabilities, they actually compliment each other. The best defense against a DDoS attack is to have a comprehensive attack mitigation solution which Radware is offering. They have an on-prem and a cloud base solution both on the WAF and DDoS. Radware also has a defense messaging features which updates traffic baseline and attack footprints to the Radware cloud scrubbing center. In case of a volumetric attack and traffic is saturated traffic will then be redirected to the Radware cloud scrubbing center and will start the mitigation. Radware provides complete hybrid DDoS protection either on-prem or on the cloud.

author avatar
Top 5LeaderboardReseller

On-premise based WAF solutions are best fit to protect against a high number of connections targeting your Web Application, but their protection scope is limited to the available internet Pipe Bandwidth. so in case you get a Volumetric DDOS attack, the Pipe will be filled before reaching the WAF, or the attack could be simply on another protocol/port that is not reaching the WAF At all (Ex: UDP Flood, SSH DDoS...).

So in summary, on-premise WAF Solutions can only protect against connection based DDOS attacked targeting the protected application, which is not a good enough protection approach against DDOS attacks.

If you have a cloud-based solution WAF, you usually get an add-on feature for DDOS Protection. In this scenario, you will be protected against all kind of DDOS attacks targeting your Web app Domain Name, as all request will hit first the cloud, and you will only receive the clean traffic from the cloud ==> It is highly advisable to configure your edge firewall/router to only allow Source IP coming from the Cloud WAF/DDOS provider, as an attacker might identify the actual Real IP in your enterprise and they can launch a DDOS attack directly on the IP Address instead of the domain name, bypassing the cloud DDOS security.

The Best scenario to protect your self against DDOS attacks, All Protocols, and all types, is to have always-on DDOS protection with a cloud DDOS Solution provider, where all your internet traffic inbound/outbound would be inspected by the cloud DDOS service, and the only inbound Cleaned traffic will be forwarded from the cloud service to your enterprise through a secure tunnel.

author avatar
Top 5LeaderboardReal User

As I know Radware Defense Pro is one of the best DDoS attack protection and mitigation device. It having 360° Visibility and Reporting capacity. It takes minimal time to mitigate DDoS attack. It mitigate DDoS attacks in Real Time with Always-On DDoS Protection. Also having Hybrid Cloud DDoS Protection Service for volumetric attack protection and mitigation.

author avatar
Top 20Real User

Most of the WAF working in proxy mode and it very well sees the TCP connections and blocks DDOS. Most of the DDOS vendors are also having WAF technology, so they bundle WAF & DDOS. But for effective DDOS the solution should be stateless and it should be dedicated, because when the attack is volumetric, the sate table will be overflowed.

Find out what your peers are saying about F5, Amazon, Fortinet and others in Web Application Firewall (WAF). Updated: October 2020.
442,845 professionals have used our research since 2012.