A web application firewall (WAF) and DDoS filtering make a strong pair, and there are clear benefits to deploying the two together.
There are both on-premises and off-premises filtering solutions. Off-premises approaches are either ISP-based or cloud-based: the majority of the filtering takes place away from the target's network, which makes them generally better at the bulk filtering associated with volumetric attacks. On-premises solutions place an appliance near the edge of the target's network to filter DDoS traffic; these are generally better at filtering encryption-layer (TLS), protocol, and web application-based attacks, because the appliance can terminate or inspect sessions that an upstream scrubber only sees as opaque flows.
On-premises DDoS protection solutions have come a long way in the past few years. Large gains have been made in their ability to identify and filter web application DDoS attacks, which attempt either to exploit specific functions or features within a web-facing application in order to render them inoperable, or to research, identify, and exploit a broader set of vulnerabilities within an organization's network architecture. The former can manifest as anything from disrupting transactions or cutting off access to the backend databases to breaking search functionality, disrupting browser access, or stopping other services within a web application, such as email notifications. The latter can manifest in multiple ways, but is often a two-phase attack in which the first phase renders one web application dysfunctional (and occupies the defenders) while the second phase exploits another web application and exfiltrates its data. Ultimately, success in mitigating web application DDoS attacks requires correctly segregating and filtering incoming human (real) traffic from simulated traffic generated by bots and hijacked browsers.
WAF technology works a little differently. A WAF also analyzes HTTP requests, but it protects more of the application stack: it seeks to understand how an application works beyond the communications layer, analyzing the types of requests and the inputs those requests present to the underlying application in order to learn how "normal" requests and inputs are constructed and delivered. The technology can be applied to any commercial off-the-shelf (COTS) or custom application, but it must either learn, or be tuned for, the function of each specific application it protects; an untuned WAF either misses application-specific abuse or blocks legitimate traffic.
Since the WAF looks for attacks leveraged against the underlying application functionality, it can detect not only common attacks such as SQL injection (SQLi) and cross-site scripting (XSS), but also modified or custom-constructed queries and inputs aimed at tricking, defrauding, or otherwise compromising an application, all of which fall outside the purview of a DDoS mitigation solution.
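As an added illustration of the signature side of WAF inspection (this is example code written for this page, not any vendor's ruleset), the following Python extracts request parameters, normalizes them by repeatedly URL- and HTML-decoding, and then runs a small constructed set of SQLi and XSS patterns over the decoded values. The rules are deliberately simplified assumptions; the point they demonstrate is that matching must happen after decoding, since a double-encoded payload such as %253Cscript%253E looks harmless to a signature applied to the raw request.

```python
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed, simplified signatures (assumption: a real WAF ruleset is far larger and tuned per app).
SIGNATURES = [
    ("sqli", re.compile(
        r"(?i)(\bunion\b\s+(all\s+)?\bselect\b"      # UNION SELECT
        r"|'\s*or\s+'?\d+'?\s*=\s*'?\d+"              # ' OR '1'='1 / ' or 1=1
        r"|--\s|/\*.*?\*/)")),                        # SQL comment sequences
    ("xss", re.compile(r"(?i)(<\s*script\b|javascript\s*:|\bon\w+\s*=)")),
]


def normalize(value, rounds=3):
    """Decode percent-encoding and HTML entities until the value stops changing.

    Attackers stack encodings to slip past signatures that only look at the raw bytes;
    a bounded loop prevents a pathological input from keeping us decoding forever.
    """
    prev = None
    cur = value
    for _ in range(rounds):
        if cur == prev:
            break
        prev = cur
        cur = html.unescape(unquote(cur))
    return cur


def inspect_request(url, body=""):
    """Return a list of (parameter_name, rule_name) for every parameter that trips a signature.

    Query-string and form-body parameters are treated alike; parse_qsl performs the first
    layer of URL decoding and normalize() strips any further layers.
    """
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if body:
        params += parse_qsl(body, keep_blank_values=True)
    findings = []
    for name, raw in params:
        value = normalize(raw)
        for rule, pattern in SIGNATURES:
            if pattern.search(value):
                findings.append((name, rule))
    return findings


if __name__ == "__main__":
    # Constructed requests: a benign search, a classic login bypass, and a double-encoded XSS probe.
    for url, body in [
        ("/search?q=boots", ""),
        ("/login?user=admin'%20OR%20'1'%3D'1&pw=x", ""),
        ("/comment?text=%253Cscript%253Ealert(1)%253C/script%253E", ""),
        ("/login", "user=bob&pw=x'%20or%201=1--%20"),
    ]:
        print(url, body, "->", inspect_request(url, body))
```

Note the tuning caveat from above: a legitimate search for the phrase "union select" trips the SQLi rule, which is exactly why a WAF has to be tuned to the application it fronts rather than run with generic signatures alone.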
In addition to identifying untrustworthy application interactions, newer WAF technologies can also build user fingerprints from the way users behave when interacting with the application. Both malicious and non-malicious users tend to behave consistently within an application, so a user can be identified by the way they move through it and which parts they interact with. Changing a user's domain affiliation or IP address does not change the way that user interacts with the application, so the fingerprint survives the change and the WAF can still recognize that client as one previously classified as good or bad.
Both WAF and on-premises DDoS mitigation solutions may use device fingerprinting to identify "good" and "bad" users. Good users show consistent behavior and interact with the application within normal parameters; bad users do the opposite. To create the device fingerprint, the WAF or DDoS solution interrogates the client, gathering many different data points about the device in order to identify it uniquely. New devices are monitored while they interact with the application, then classified as good or bad and added to a database for future reference should they communicate again. Device fingerprinting is likewise domain- and IP-independent, so users can be identified no matter where they come from. One caveat a practitioner should keep in mind: every attribute in a device fingerprint is supplied by the client, so a determined attacker can rotate or forge them, which is why fingerprint reputation works best in combination with the behavioral analysis rather than as the sole gate.
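The following Python ties together the three ideas above: separating human traffic from bot traffic by behavior, fingerprinting a client from attributes it presents rather than from its IP, and keeping a reputation record keyed by that fingerprint so a returning client is recognized from a new address. It is an added example written for this page, not the logic of any product. The log format, the fingerprint attributes (User-Agent, Accept-Language, Accept-Encoding and a screen size as a client-side script would report it), the list of "expensive" endpoints, and the classification thresholds are all constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample traffic (not real logs). Fields:
# seconds|client_ip|user_agent|accept_language|accept_encoding|screen|path
# The first client behaves like a browser; the second hammers /search like a script.
SAMPLE_LOG = """\
0.0|203.0.113.10|Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0|en-US,en;q=0.5|gzip, deflate, br|1920x1080|/
0.4|203.0.113.10|Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0|en-US,en;q=0.5|gzip, deflate, br|1920x1080|/static/app.css
0.5|203.0.113.10|Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0|en-US,en;q=0.5|gzip, deflate, br|1920x1080|/static/app.js
6.2|203.0.113.10|Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0|en-US,en;q=0.5|gzip, deflate, br|1920x1080|/search?q=boots
14.8|203.0.113.10|Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0|en-US,en;q=0.5|gzip, deflate, br|1920x1080|/product/42
0.0|198.51.100.7|python-requests/2.31|*|identity|-|/search?q=a
0.1|198.51.100.7|python-requests/2.31|*|identity|-|/search?q=b
0.2|198.51.100.7|python-requests/2.31|*|identity|-|/search?q=c
0.3|198.51.100.7|python-requests/2.31|*|identity|-|/search?q=d
0.4|198.51.100.7|python-requests/2.31|*|identity|-|/search?q=e
0.5|198.51.100.7|python-requests/2.31|*|identity|-|/search?q=f
0.6|198.51.100.7|python-requests/2.31|*|identity|-|/search?q=g
0.7|198.51.100.7|python-requests/2.31|*|identity|-|/search?q=h
"""

EXPENSIVE_PREFIXES = ("/search", "/api/report")  # assumption: endpoints that hit the backend DB
STATIC_PREFIX = "/static/"                        # assumption: assets a real browser always fetches


def parse_log(text):
    records = []
    for line in text.strip().splitlines():
        ts, ip, ua, lang, enc, screen, path = line.split("|")
        records.append({"ts": float(ts), "ip": ip, "ua": ua, "lang": lang,
                        "enc": enc, "screen": screen, "path": path})
    return records


def device_fingerprint(rec):
    """Hash of attributes the client itself presents; the IP is deliberately left out
    so that a client which changes address keeps the same fingerprint."""
    material = "\x1f".join([rec["ua"], rec["lang"], rec["enc"], rec["screen"]])
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def profile_clients(records):
    """Aggregate per-fingerprint behavior: volume, share of expensive requests,
    whether static assets were ever loaded, request pacing, and the IPs used."""
    per_fp = defaultdict(list)
    for rec in records:
        per_fp[device_fingerprint(rec)].append(rec)
    profiles = {}
    for fp, recs in per_fp.items():
        recs.sort(key=lambda r: r["ts"])
        n = len(recs)
        expensive = sum(r["path"].startswith(EXPENSIVE_PREFIXES) for r in recs)
        static = sum(r["path"].startswith(STATIC_PREFIX) for r in recs)
        gaps = [b["ts"] - a["ts"] for a, b in zip(recs, recs[1:])]
        profiles[fp] = {
            "requests": n,
            "expensive_ratio": expensive / n,
            "static_hits": static,
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else float("inf"),
            "ips": {r["ip"] for r in recs},
        }
    return profiles


def classify(profile):
    """Constructed heuristic: machine-speed requests aimed almost entirely at backend-heavy
    endpoints, with no static assets ever fetched, is what a script looks like, not a browser."""
    if (profile["requests"] >= 5 and profile["expensive_ratio"] > 0.8
            and profile["static_hits"] == 0 and profile["mean_gap_s"] < 0.5):
        return "bad"
    return "good"


def build_reputation(records):
    """Reputation database keyed by device fingerprint, not by IP."""
    return {fp: classify(p) for fp, p in profile_clients(records).items()}


def lookup(reputation, rec):
    """A returning client is recognized by fingerprint even from a never-seen IP."""
    return reputation.get(device_fingerprint(rec), "unknown")


if __name__ == "__main__":
    rep = build_reputation(parse_log(SAMPLE_LOG))
    returning_bot = {"ts": 99.0, "ip": "198.51.100.8", "ua": "python-requests/2.31",
                     "lang": "*", "enc": "identity", "screen": "-", "path": "/search?q=z"}
    print("returning bot from new IP:", lookup(rep, returning_bot))
```

The reputation lookup for the scripted client still returns "bad" after it moves to 198.51.100.8, which is the IP-independence the text describes; change its User-Agent, however, and the fingerprint changes and the lookup returns "unknown", which is the spoofing caveat in practice and the reason the behavioral profile has to keep running for every new fingerprint.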
Both technologies use variations of pattern matching (signatures) to catch simple attacks; the solutions that add behavioral analysis to filter out the more sophisticated attacks capture more advanced client and application interactions and therefore form a highly complementary and more effective solution set. Each can operate within its own domain without the other, but companies relying on either solution alone are more likely to suffer successful attacks leading to service degradation and outages. Combining the two creates a situation where the whole is greater than the sum of its parts, which is what makes the investment in both technologies worthwhile.