WAF isn't for DDOS attacks... frankly if a DDOS is enough to stuff your pipe there's nothing your gateway is going to be able to do. however for smaller attack under network security--intrusion protection--Anti-DoS/Flooding is where you can activate Astaro's built in tools for attacks that don't stuff your pipe.
There are only specific things you can if you do get DDOS attack and it all comes down to the amount of money you are willing to pay to mitigate this risk [:D]
@azwanarif
perhaps it would be useful to indicate what type of DDoS you want to block with the Astaro WAF ?
The WAF is for application DoS and DDoS; in fact it is your only hope for such attacks.
IDS/IPS is mostly for network layer DoS and DDoS.
There are various types of application layer attacks that can result in DoS; even a banal SQLi + shutdown is an app DoS. [:)]
The key aspect that differentiates the "Distributed" in case of app DDoS is that these attacks don't necessarily intend to exhaust the bandwidth. With a couple of laptops and without hundreds of mbps one can take down a big web site using expensive hardware/fat pipe/etc. The distributed part means that the attacks are launched from many random locations so there isn't a couple of IPs to block once you figure it what happens.
Consider the Slowloris, Slowpost or Slowread attacks; the WAF actively and dynamically "throttles" down the attacks and blacklists the offenders. This is possible since it's a full blown proxy.
if I recall correctly, in the CIA site DoS case, Slowloris was speculated to be the culprit and for example, Snort had only a signature to only detect the original tool itself which was kinda useless.
WAF is for XSS and sql injections. While i have not subjected WAF to a slow attack so i'm not sure it would protect against that type of attack. Since it is based on Apache and there are known vulnerabilities there it may not protect against that at all. Once i get my church's WAF setup i'll have to attack it with the slow Dos attack tools and see..[:)]
Perhaps you mean in the current way Astaro implemented the WAF ?(as a WAF can do a lot, I mean a lot more)
Depends, in some cases Astaro's WAF may not even address those and in others can do better than that.
The important point is that the underlying components are currently underused and it's a lot of potential underneath(e.g. mod_security).
that's what these forums are for..astaro's way at the moment...[[:)]] There is a feature request for extended capabilities. WAF for Astaro is still quite new and it will be improved upon..[[:)]]
