2020-05-25T11:39:00Z
Rony_Sklar - PeerSpot reviewer
Community Manager at PeerSpot (formerly IT Central Station)

How does a WAF help to protect against DDoS attacks?

Is a WAF the best defense against a DDoS attack? What are the most effective ways of protecting a business against DDoS attacks? 

7 Answers
Georges Samaha - PeerSpot reviewer
Security Consultant at a tech services company with 501-1,000 employees
Reseller
Top 5
2021-05-01T05:48:44Z
01 May 21

Hello there

In order to talk about DDoS protection, we first have to split DDoS attacks into TWO main categories, and I will explain the preferred protection methods for each:

1- Volumetric DDoS attacks

Description:

Volumetric DDoS attacks are designed to overwhelm the internet pipeline capacity, no matter what defensive solutions you have at your internet edge (DDoS appliance, FW, WAF, IPS...).

Attack results:

- Your internet bandwidth will be fully used --> continuous drop of packets

- And your devices' performance might reach overcapacity --> continuous drop of packets and delay in processing packets.

Solution:

The only effective solution for volumetric DDoS attacks is to subscribe to a cloud DDoS protection, where you redirect all your traffic to the cloud, and you only receive clean traffic from the cloud to your internet edge. This solution could be always-on (costs more) or on-demand (only at the time of attack).

2- Non-Volumetric DDoS Attacks

Description:

This second type of DDoS attack does not overwhelm your internet pipeline, but its results could be equally destructive to your application availability.

Examples are: SYN attack, Slowloris attack, heavy (resource-intensive) URL attacks...

Attack results:

- Unavailability of the application,

- High CPU utilization on your edge device or application servers, causing delay and packet drops.

All in all, bad user experience or no availability at all.

Solution:

- The first layer of defense should be your internet edge devices (router, FW...), which must be able to handle a large number of connections per second and be properly configured to be the first line of defense and drop malicious packets as much as possible at the L3/L4 layer.

Examples of IPs to block: spoofed IP addresses (bogon prefix filtering), ports other than HTTP(S), ....

- The second layer of defense is your WAF appliance, which must be in a DMZ zone and receive only the HTTP(S) traffic allowed by the firewall.

The WAF solution should provide multiple levels of protection from DDoS attacks, such as:

- Detection threshold PPS: when the number of packets per second goes above the threshold amount, the WAF system logs and reports the attack.

- Detection threshold percent: the WAF solution compares the current rate to an average rate from the last hour. For example, if the average rate for the last hour is 1000 packets per second, and you set the percentage increase threshold to 100, an attack is detected at 100 percent above the average, or 2000 packets per second. When the threshold is passed, an attack is logged and reported.

- Full reverse-proxy mode: totally isolates client-side requests from the server side, where the WAF hardware usually has much higher performance (especially for SSL traffic), so it will be able to handle more traffic for inspection and blocking without performance degradation, and only send legitimate traffic to the application server.

- Load balancing on top of WAF: so in case of an increase in numbers, it could share the load among different backend servers.

- Different packet inspections (which are missed by the FW), such as: IP length, FIN only, payload length, ....

The best cost-effective solution would be to adopt a hybrid model:

- Appliance on-site to handle day-to-day attacks

- On-demand cloud subscription to redirect traffic during volumetric DDoS attacks.

Product recommendation:

As a recommended solution, and based on personal experience of more than 10 years, I highly recommend you consider F5 solutions, being a leader in all application delivery solutions, with security one of the main technologies they have succeeded in.

They provide all models (on-site physical/virtual, and cloud models) to protect against all layers of attacks.

You could refer to these links for a more detailed description:

https://www.f5.com/services/re...

https://www.f5.com/labs/articles/education/what-is-a-distributed-denial-of-service-attack-

Regards,

Georges



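The two detection thresholds described in the answer above (an absolute packets-per-second threshold and a percent-above-baseline threshold, where the baseline is the average rate over the last hour) as an added worked example. This is illustration code written for this page, not the answer's or any vendor's implementation; it assumes one PPS sample per second and a one-hour baseline window, and the traffic figures are constructed, including the answer's 1000 pps / 2000 pps case.

```python
"""Rate-based DDoS detection thresholds: an absolute packets-per-second (PPS)
threshold and a percent-above-baseline threshold, where the baseline is the
average PPS over the previous hour.  Added illustration; all figures are
constructed, not measurements from any product."""
from collections import deque


class RateDetector:
    def __init__(self, pps_threshold, percent_threshold, window_seconds=3600):
        self.pps_threshold = pps_threshold          # absolute PPS threshold
        self.percent_threshold = percent_threshold  # % increase over baseline
        self.window_seconds = window_seconds        # baseline window (1 hour)
        self.history = deque()                      # (timestamp, pps) samples

    def baseline(self, now):
        """Average PPS of the clean samples seen within the last window."""
        while self.history and self.history[0][0] <= now - self.window_seconds:
            self.history.popleft()             # expire samples older than 1 h
        if not self.history:
            return None                        # no baseline yet (cold start)
        return sum(pps for _, pps in self.history) / len(self.history)

    def observe(self, now, pps):
        """Evaluate one per-second sample; return the list of alerts raised."""
        alerts = []
        if pps > self.pps_threshold:
            alerts.append(f"pps_threshold: {pps} pps exceeds {self.pps_threshold}")
        base = self.baseline(now)
        if base:                               # skip until a baseline exists
            increase = (pps - base) / base * 100
            if increase >= self.percent_threshold:
                alerts.append(
                    f"percent_threshold: {pps} pps is {increase:.0f}% above "
                    f"the hourly average of {base:.0f} pps")
        if not alerts:
            # Only clean samples feed the baseline, so an ongoing attack does
            # not lift the average and hide itself (a design choice made here).
            self.history.append((now, pps))
        return alerts


def demo():
    """Constructed scenario: an hour at 1000 pps, then the answer's 2000 pps case."""
    det = RateDetector(pps_threshold=5000, percent_threshold=100)
    for t in range(3600):
        det.observe(t, 1000)
    return {
        "at_2000": det.observe(3600, 2000),   # exactly 100% above -> alert
        "at_6000": det.observe(3601, 6000),   # both thresholds trip
        "at_1500": det.observe(3602, 1500),   # 50% above average -> no alert
    }


if __name__ == "__main__":
    for label, alerts in demo().items():
        print(label, alerts or "no alert")
```

The percent threshold is the one that catches a slow ramp that never reaches the absolute PPS figure, while the absolute threshold still fires when there is no baseline yet (a freshly deployed sensor) or when the baseline itself has been dragged upward. Excluding alerting samples from the baseline is what keeps a sustained attack from becoming the "normal" hour.
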
ER
Senior Pre-sales consultant at Businesscom BV
Reseller
Top 10
2021-04-30T16:38:43Z
30 April 21

A WAF is designed to protect websites against code injections, malicious intrusions, etc., basically hackers trying to infiltrate the application. Occasionally such a hack comes with DDoS.
So basically a WAF has more specific functions up to layer 7 than only DDoS on layers 3 and 4. A WAF is as good as any good firewall in that case, but it has additional features.

Etienne WEHRLE - PeerSpot reviewer
CDN & Cybersecurity Engineer - Web performance & security at CDN Tech / Ecritel
Real User
Top 5Leaderboard
2021-04-28T15:20:49Z
28 April 21

If you mean a layer 7 (applicative) DDoS attack (to deny the service with requests that increase the workload of the web servers), yes, a WAF is the best solution (cloud or on-premise, each has advantages). If you mean a network DDoS attack (layers 3 & 4), you need any cloud-based HTTP proxy with a large bandwidth (like any big CDN provider). As all TCP connections will reach this big network, your server is protected. I only use Imperva (for both network and applicative DDoS attacks); it works very well for that, but I can't compare it with other solutions.


I hope it helps.

RaynielBadiola - PeerSpot reviewer
Technical Manager at Secur Links
Real User
Top 5Leaderboard
2020-05-27T00:56:11Z
27 May 20

Although WAF and DDoS have their own individual strengths and capabilities, they actually complement each other. The best defense against a DDoS attack is to have a comprehensive attack mitigation solution, which Radware is offering. They have an on-prem and a cloud-based solution for both WAF and DDoS. Radware also has a defense messaging feature which updates traffic baselines and attack footprints to the Radware cloud scrubbing center. In case of a volumetric attack, when traffic is saturated, traffic will then be redirected to the Radware cloud scrubbing center, which will start the mitigation. Radware provides complete hybrid DDoS protection either on-prem or in the cloud.

Georges Samaha - PeerSpot reviewer
Security Consultant at a tech services company with 501-1,000 employees
Reseller
Top 5
2020-05-26T15:18:36Z
26 May 20

On-premise based WAF solutions are the best fit to protect against a high number of connections targeting your web application, but their protection scope is limited to the available internet pipe bandwidth. So in case you get a volumetric DDoS attack, the pipe will be filled before reaching the WAF, or the attack could simply be on another protocol/port that is not reaching the WAF at all (Ex: UDP flood, SSH DDoS...).

So in summary, on-premise WAF solutions can only protect against connection-based DDoS attacks targeting the protected application, which is not a good enough protection approach against DDoS attacks.

If you have a cloud-based WAF solution, you usually get an add-on feature for DDoS protection. In this scenario, you will be protected against all kinds of DDoS attacks targeting your web app domain name, as all requests will first hit the cloud, and you will only receive the clean traffic from the cloud. It is highly advisable to configure your edge firewall/router to only allow source IPs coming from the cloud WAF/DDoS provider, as an attacker might identify the actual real IP in your enterprise and launch a DDoS attack directly on the IP address instead of the domain name, bypassing the cloud DDoS security.

The best scenario to protect yourself against DDoS attacks, all protocols and all types, is to have always-on DDoS protection with a cloud DDoS solution provider, where all your internet traffic inbound/outbound would be inspected by the cloud DDoS service, and only the inbound cleaned traffic will be forwarded from the cloud service to your enterprise through a secure tunnel.
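The answer above recommends allowing only the cloud WAF/DDoS provider's source ranges at the edge, because an origin that is reachable directly can be attacked around the cloud service. A practical way to verify that this is actually in place is to look at the origin's own access log for connections whose TCP peer is not one of the provider's ranges. The following is an added example written for this page, not the answer's or any vendor's code; the provider ranges and the log lines are constructed placeholders drawn from documentation address space (RFC 5737 / RFC 3849), and the real provider list would come from the provider's published ranges.

```python
"""Checking whether an origin server is still reachable directly, bypassing
the cloud WAF/DDoS provider.  Added illustration; the provider ranges and the
access-log lines are constructed placeholders from documentation address
space, not any real provider's ranges."""
import ipaddress
import re

# Constructed placeholder ranges: replace with the provider's published list.
PROVIDER_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Common Log Format prefix: client IP, ident, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Constructed sample log: three requests via the provider, three direct hits,
# plus one unparseable line to show that the parser skips it.
SAMPLE_LOG = """\
203.0.113.10 - - [26/May/2020:15:18:36 +0000] "GET / HTTP/1.1" 200
203.0.113.11 - - [26/May/2020:15:18:37 +0000] "GET /login HTTP/1.1" 200
198.51.100.7 - - [26/May/2020:15:18:38 +0000] "GET /search?q=a HTTP/1.1" 200
2001:db8:1::5 - - [26/May/2020:15:18:39 +0000] "POST /api/items HTTP/1.1" 201
192.0.2.44 - - [26/May/2020:15:18:40 +0000] "GET /search?q=b HTTP/1.1" 200
198.51.100.7 - - [26/May/2020:15:18:41 +0000] "GET /search?q=c HTTP/1.1" 200
not a log line
"""


def from_provider(ip_text):
    """True if the client address lies in one of the provider's ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False                 # malformed address never counts as trusted
    return any(addr in net for net in PROVIDER_RANGES)


def direct_hits(log_text):
    """Count requests per client IP that reached the origin without passing
    through the provider.  Any entry here means the edge ACL the answer
    describes is not (yet) enforced, or the provider list is out of date."""
    counts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue                 # unparseable line, skip
        ip = m.group("ip")
        if not from_provider(ip):
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, n in sorted(direct_hits(SAMPLE_LOG).items()):
        print(f"direct hit from {ip}: {n} request(s)")
```

The check deliberately uses the TCP peer address from the log, not any client-IP header the provider may forward (such as X-Forwarded-For), because the question being answered is who connected to the origin, not who the end client was. A clean result over a representative period, together with an edge ACL that admits only the provider's ranges on the web ports, is the evidence that the "attack the real IP directly" path described above is closed.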

SaurabhPal - PeerSpot reviewer
Technical Specialist - Network & Security at a tech services company with 201-500 employees
Real User
Top 10
2020-05-26T11:03:31Z
26 May 20

As far as I know, Radware DefensePro is one of the best DDoS attack protection and mitigation devices. It has 360° visibility and reporting capacity. It takes minimal time to mitigate a DDoS attack. It mitigates DDoS attacks in real time with always-on DDoS protection. It also has a hybrid cloud DDoS protection service for volumetric attack protection and mitigation.

Thameem Ansari - PeerSpot reviewer
Senior solution architect at a comms service provider with 51-200 employees
Real User
Top 5Leaderboard
2020-05-26T10:28:36Z
26 May 20

Most WAFs work in proxy mode, so they see the TCP connections very well and block DDoS. Most DDoS vendors also have WAF technology, so they bundle WAF & DDoS. But for effective DDoS protection the solution should be stateless and dedicated, because when the attack is volumetric, the state table will overflow.
