Hand out a Yellow or Red Card According to Your Rules of the Game

Radware is excited to announce a new security capability — it’s a new and improved way to detect a malicious source that is continually attacking your application.

Previously, our protections were activated based on different violations we could detect and mitigate. By introducing Source Blocking, we now protect customers’ applications better than ever. For instance, you may want to issue a yellow card for a source violation. Based on how you’ve configured Source Blocking, you can issue them another yellow card for another violation. And like in soccer, two yellow cards mean the violator gets a red card. Once a red card is issued, they’re kicked out of the game for the amount of time you get to determine. Again, it’s your game; you get to set the rules!

It is not a complex game and here’s how to set the rules.

In Soccer, a Yellow Card is Issued When a Player has Displayed a Prohibited Behavior

In Radware’s Cloud WAF solution, your application is protected from a virus violation, including other infractions like remote file inclusions, SQL injections, security misconfiguration, sensitive data exposure, broken access control, cross-site scripting XSS, and more.

Each application maintains different protection configurations based on the type of request. They can be Blocked, Reported or Allowed. For example, you can configure a security rule that blocks access from certain countries. Each time a user from that country tries to access your service, a blocked security event is generated.

While a particular blocked security event may be harmless, it is important to track the source that generated the blocked security event. Anomalous spikes of too many security events in a short period of time can indicate an attack. To find these anomalies and distinguish between a normal number of security events and those that pose a threat requires a good strategy.

Remember, if a Player Receives 2 Yellow Cards, They’re Shown a Red Card

Before Source Blocking entered the picture, we didn’t have a strategy that addressed every attack attempt. For instance, each attack attempt generated a separate security event.

Here’s the beauty of Source Blocking in Radware’s Cloud WAF solution — blocked security events are tracked across all applications within your account. Then we aggregate the penalties according to the protection sets. Each protection receives a score that is based on the level of risk violation. For each blocked security event, a score is added to the source penalty score. The threshold configuration you set defines whether a source has crossed the penalty threshold, defined as a sensitivity level. If it crosses the threshold, a new Source Blocking event is generated.

When a Player Receives a Red Card, They’re Out of the Game and Must Leave the Pitch Immediately

With Source Blocking, the malicious source is no longer a threat to your applications. That source will be blocked from any activity for a period of time that you configure. It can be from 10 minutes to 24 hours.

While that source is blocked, requests from the malicious source are blocked and will not pass the entire protection flow. Requests will not trigger new security events across the account’s applications. Source Blocking will reduce the overload of blocked security events.

In the following Attack Story image, the different violation types that led to the Source Blocking event are displayed — URL Access Violations, Database Violations and Vulnerabilities. The Blocking Time Period was pre-set at 10 minutes. During that time, there were 64 blocked attempts (the source IP is listed below).

What Happens if a Player Receives a Red Card by Mistake?

What about sources that are intentionally allowed to pass the penalty threshold for testing purposes? When you configure Source Blocking, you get to set a list of those that shouldn’t be blocked. If a source is on that list, a Source Blocking event will not be generated.

The Value of Having Rules in a Game

Whether it’s soccer, basketball, cricket, or any other game in the world, rules are there to keep games fair. Everybody must obey the rules; those who don’t get punished, as they should.

With Source Blocking, Radware has amped up its cybersecurity game. We protect all or some of the applications within a customer’s account. We do it with a simple set of rules. By activating Source Blocking, we better protect customers’ applications from abuse by malicious sources. In short, it reduces false negatives and aggregates all security events into one attack story. This provides a better customer experience (CX) and prevents traffic overload. It blocks malicious sources faster and more accurately.

We Can Always Add More Rules…

The rules certainly don’t end here. We are constantly examining and refining our security policies, so keep an eye out for future updates about how we are making Source Blocking even more efficient and accurate. That way, you’ll be able to show the red card more effectively.

If you’d like to speak with one of our cybersecurity professionals, you can reach them HERE. They would love to hear from you.

To learn why Radware was named a leader in DDoS mitigation by SPARK Matrix, you can read the complete analyst report HERE.

Rotem Elharar

Rotem Elharar is an engineer and product manager in Radware’s Cloud Security practice. She is a 12-year veteran of the technology sector and has focused on cybersecurity since joining Radware over 4 years ago. While helping ensure customers’ cloud applications are optimally protected, Rotem is always laser-focused on the overall customer experience (CX). She earned a bachelor of engineering degree at Ben-Gurion University of the Negev in Beersheba, Israel.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program


An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center