Is a WAF the best defense against a DDoS attack? What are the most effective ways of protecting a business against DDoS attacks?
In order to talk about DDoS protection, we first have to split DDoS attacks into two main categories, and I will explain the preferred protection methods for each:
1- Volumetric DDoS attacks
Volumetric DDoS attacks are designed to overwhelm the internet pipeline capacity, and no matter what defensive solutions you have at your internet edge (DDoS appliance, FW, WAF, IPS...):
Your internet bandwidth will be fully used --> continuous drop of packets
And your devices' performance might reach overcapacity --> continuous drop of packets and delay in processing packets.
The only effective solution for volumetric DDoS attacks is to subscribe to a cloud DDoS protection service, where you redirect all your traffic to the cloud and only receive clean traffic from the cloud at your internet edge. This solution could be always-on (costs more) or on-demand (only at the time of attack).
2- Non-Volumetric DDoS Attacks
This second type of DDoS attack does not overwhelm your internet pipeline, but its results can be equally destructive to your application availability.
Examples are: SYN attack, Slowloris attack, heavy (resource-intensive) URL attacks...
- Unavailability of the application,
- High CPU utilization on your edge device or application servers, causing delay and packet drops
All in all, bad user experience or no availability at all.
- The first layer of defense should be your internet edge devices (router, FW...), which must be able to handle a large number of connections per second and be properly configured to act as the first line of defense, dropping as many malicious packets as possible at layer 3/4.
Examples of what to block: spoofed IP addresses (bogon prefix filtering), ports other than HTTP(S), ...
- The second layer of defense is your WAF appliance, which must be in a DMZ zone and receive only the HTTP(S) traffic allowed by the firewall.
The WAF solution should provide multiple levels of protection from DDoS attacks, such as:
- Detection threshold PPS: when the number of packets per second goes above the threshold amount, the WAF system logs and reports the attack.
- Detection threshold percent: the WAF solution compares the current rate to an average rate from the last hour. For example, if the average rate for the last hour is 1000 packets per second and you set the percentage increase threshold to 100, an attack is detected at 100 percent above the average, or 2000 packets per second. When the threshold is passed, an attack is logged and reported.
- Full reverse-proxy mode: totally isolates client-side requests from the server side, where the WAF hardware usually has much higher performance (especially for SSL traffic), so it will be able to handle more traffic for inspection and blocking without performance degradation, only sending legitimate traffic to the application server.
- Load balancing on top of the WAF: so in case the number of requests increases, it can share the load among different backend servers.
- Different packet inspections (which are missed by the FW), such as: IP length, FIN only, payload length, ...
The most cost-effective solution would be to adopt a hybrid model:
- Appliance on-site to handle day-to-day attacks
- On-demand cloud subscription to redirect traffic during volumetric DDoS attacks.
As a recommended solution, and based on personal experience of more than 10 years, I highly recommend you consider F5 solutions, as a leader in all application delivery solutions, with security being one of the main technologies they have succeeded in.
They provide all models (on-site physical/virtual, and cloud models) to protect against all layers of attacks.
You could refer to this link for a more detailed description:
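The two WAF detection thresholds described in the answer above (an absolute packets-per-second limit, and a percentage increase over the trailing-hour average) are easy to state but have a practical pitfall: if every observed second is fed into the baseline, a flood that ramps up slowly raises its own baseline and the percent check never fires. The following Python is an added example, not the answer author's code and not any vendor's WAF logic. The traffic profile is constructed, and the choice to exclude flagged seconds from the baseline is an assumption made here.

```python
"""Rate-based DDoS detection: absolute PPS threshold and percent-over-baseline.

Added example (not from the original answer). The one-hour baseline is the
mean of a trailing window of one-second packet counts, as the answer describes.
"""
from collections import deque
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Verdict:
    second: int       # sample timestamp (seconds since start)
    pps: int          # packets observed in that second
    baseline: float   # mean pps of the trailing window (0.0 until warmed up)
    attack: bool
    reason: str       # "pps", "percent", "pps+percent" or "" when clean


class RateDetector:
    """Flags a one-second packet count by two independent tests:
    1. absolute: pps >= pps_threshold
    2. relative: pps >= baseline * (1 + percent_threshold / 100)
    The baseline is the mean of the trailing window (default one hour).
    """

    def __init__(self, pps_threshold, percent_threshold,
                 window_seconds=3600, min_samples=60):
        self.pps_threshold = pps_threshold
        self.percent_threshold = percent_threshold
        self.window = deque(maxlen=window_seconds)
        # Refuse to alert on the percent test until the window holds enough
        # samples; a baseline built from a handful of seconds is noise.
        self.min_samples = min_samples

    def observe(self, second, pps):
        warmed_up = len(self.window) >= self.min_samples
        baseline = float(mean(self.window)) if warmed_up else 0.0
        reasons = []
        if pps >= self.pps_threshold:
            reasons.append("pps")
        if baseline > 0 and pps >= baseline * (1 + self.percent_threshold / 100):
            reasons.append("percent")
        attack = bool(reasons)
        # Assumption made in this example: only clean seconds feed the baseline.
        # A flood that updates its own baseline soon looks "normal" and silences
        # the percent check.
        if not attack:
            self.window.append(pps)
        return Verdict(second, pps, baseline, attack, "+".join(reasons))


def run_detector(samples, pps_threshold, percent_threshold, min_samples=60):
    """Run one detector over a list of per-second packet counts."""
    det = RateDetector(pps_threshold, percent_threshold, min_samples=min_samples)
    return [det.observe(sec, pps) for sec, pps in enumerate(samples)]


# Constructed traffic profile (not captured data): 120 s alternating 990/1010 pps
# (mean exactly 1000), then 2000 pps (exactly 100% above the average), 1999 pps
# (just under it), a 5000 pps flood for two seconds, then recovery.
SAMPLE_PPS = [1000 + (10 if s % 2 else -10) for s in range(120)] + [2000, 1999, 5000, 5000, 1000]

if __name__ == "__main__":
    for v in run_detector(SAMPLE_PPS, pps_threshold=3000, percent_threshold=100):
        if v.attack:
            print(f"t={v.second}s pps={v.pps} baseline={v.baseline:.0f} ATTACK ({v.reason})")
```

With `percent_threshold=100` the 2000 pps second is flagged by the percent test alone, exactly as in the answer's worked numbers; the 5000 pps seconds trip both tests. Because the flagged seconds are kept out of the window, the baseline after the flood is still about 1000 pps and the detector goes quiet again on the recovery second.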
A WAF is designed to protect websites against code injections, malicious intrusions, etc., basically hackers trying to infiltrate the application. Occasionally such a hack comes with DDoS. So basically a WAF has more specific functions up to layer 7 than only DDoS on layers 3 and 4. A WAF is as good as any good firewall in that case, but it has additional features.
If you mean a layer 7 (application) DDoS attack (to deny the service with requests that increase the workload of the web servers), yes, a WAF is the best solution (cloud or on-premise, each has advantages). If you mean a network DDoS attack (layers 3 & 4), you need a cloud-based HTTP proxy with large bandwidth (like any big CDN provider). As all TCP connections will reach this big network, your server is protected. I only use Imperva (for both network and application DDoS attacks); it works very well for that, but I can't compare it with other solutions.
I hope it helps.
Although WAF and DDoS protection have their own individual strengths and capabilities, they actually complement each other. The best defense against a DDoS attack is to have a comprehensive attack mitigation solution, which Radware is offering. They have on-prem and cloud-based solutions for both WAF and DDoS. Radware also has a defense messaging feature which updates traffic baselines and attack footprints to the Radware cloud scrubbing center. In case of a volumetric attack, when the link is saturated, traffic will be redirected to the Radware cloud scrubbing center, which will start the mitigation. Radware provides complete hybrid DDoS protection either on-prem or in the cloud.
On-premise WAF solutions are best fit to protect against a high number of connections targeting your web application, but their protection scope is limited by the available internet pipe bandwidth. So in case you get a volumetric DDoS attack, the pipe will be filled before traffic reaches the WAF, or the attack could simply be on another protocol/port that does not reach the WAF at all (e.g. UDP flood, SSH DDoS...).
So in summary, on-premise WAF solutions can only protect against connection-based DDoS attacks targeting the protected application, which is not a good enough protection approach against DDoS attacks.
If you have a cloud-based WAF solution, you usually get an add-on feature for DDoS protection. In this scenario, you will be protected against all kinds of DDoS attacks targeting your web app domain name, as all requests will hit the cloud first and you will only receive the clean traffic from the cloud ==> It is highly advisable to configure your edge firewall/router to only allow source IPs coming from the cloud WAF/DDoS provider, as an attacker might identify the actual real IP of your enterprise and launch a DDoS attack directly on the IP address instead of the domain name, bypassing the cloud DDoS security.
The best scenario to protect yourself against DDoS attacks, all protocols and all types, is to have always-on DDoS protection with a cloud DDoS solution provider, where all your inbound/outbound internet traffic is inspected by the cloud DDoS service, and only cleaned inbound traffic is forwarded from the cloud service to your enterprise through a secure tunnel.
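The answer above makes two points worth checking rather than trusting: a cloud WAF only protects traffic that actually goes through it (so the origin must accept web traffic only from the provider's egress ranges), and anything on other ports, such as SSH, is outside its scope. The Python below is an added example, not the answer author's code and not any provider's tooling. It audits an origin-side connection log for web-port connections that did not arrive via the provider, and renders the corresponding edge allowlist. The provider ranges use RFC 5737 documentation prefixes as a constructed stand-in for a real provider's published list, the log lines are constructed, and the iptables output assumes a Linux edge host (the answer itself is vendor-neutral).

```python
"""Detect direct-to-origin connections that bypass a cloud WAF/DDoS provider,
and render the edge allowlist that would have blocked them.

Added example (not from the original answer). Ranges and log lines are constructed.
"""
import ipaddress
import re

# Constructed stand-in for the provider's published egress ranges. Real
# providers publish such lists; these are RFC 5737 documentation prefixes.
PROVIDER_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed origin-side connection log (not real data).
# Format: "<timestamp> <src_ip>:<src_port> <dst_port>"
ORIGIN_CONN_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7:51234 443
2024-05-01T10:00:02Z 198.51.100.9:40211 443
2024-05-01T10:00:02Z 192.0.2.44:33001 443
2024-05-01T10:00:03Z 198.51.100.200:40212 443
2024-05-01T10:00:03Z 203.0.113.7:51235 22
garbage line that should be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) (\d+)$")


def is_from_provider(ip_str, ranges=PROVIDER_RANGES):
    """True if the source address falls inside one of the provider's prefixes."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in ranges)


def find_bypass(log_text, web_ports=(80, 443), ranges=PROVIDER_RANGES):
    """Return (timestamp, src_ip, dst_port) for every web-port connection whose
    source is outside the provider's ranges: someone reached the real origin IP
    directly, so the cloud WAF/DDoS layer never saw that traffic."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash mid-incident
        ts, src, _sport, dport = m.groups()
        dport = int(dport)
        # Non-web ports (e.g. SSH on 22) are deliberately not reported here:
        # the cloud WAF never protected them, which is the answer's other point.
        if dport in web_ports and not is_from_provider(src, ranges):
            hits.append((ts, src, dport))
    return hits


def render_iptables(ranges=PROVIDER_RANGES, web_ports=(80, 443)):
    """Edge allowlist for a Linux host (assumption of this example): each web
    port accepts only the provider's prefixes and drops everything else.
    Other ports are left untouched and need their own policy."""
    rules = []
    for port in web_ports:
        for net in ranges:
            rules.append(f"iptables -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for ts, src, dport in find_bypass(ORIGIN_CONN_LOG):
        print(f"{ts} bypass: {src} reached origin port {dport} directly")
    print("\n".join(render_iptables()))
```

Two of the constructed log lines are reported: 192.0.2.44 is outside every provider prefix, and 198.51.100.200 sits just outside the /25, a reminder that the prefix length in the published list matters. The SSH connection on port 22 is not a "bypass" of the cloud WAF because the cloud WAF never covered it; it is simply unprotected, which is why the answer recommends an always-on, all-protocol service for the strongest posture.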
As far as I know, Radware DefensePro is one of the best DDoS attack protection and mitigation devices. It has 360° visibility and reporting capability. It takes minimal time to mitigate a DDoS attack. It mitigates DDoS attacks in real time with always-on DDoS protection. It also has a hybrid cloud DDoS protection service for volumetric attack protection and mitigation.
Most WAFs work in proxy mode, so they see the TCP connections very well and block DDoS. Most DDoS vendors also have WAF technology, so they bundle WAF & DDoS. But for effective DDoS protection the solution should be stateless and dedicated, because when the attack is volumetric, the state table will overflow.