@azwanarif
perhaps it would be useful to indicate what type of DDoS you want to block with the Astaro WAF?
The WAF is for application DoS and DDoS; in fact it is your only hope for such attacks.
IDS/IPS is mostly for network layer DoS and DDoS.
There are various types of application layer attacks that can result in DoS; even a banal SQLi + shutdown is an app DoS. [:)]
The key aspect that differentiates the "Distributed" in case of app DDoS is that these attacks don't necessarily intend to exhaust the bandwidth. With a couple of laptops and without hundreds of Mbps one can take down a big web site using expensive hardware/fat pipe/etc. The distributed part means that the attacks are launched from many random locations so there isn't a couple of IPs to block once you figure out what happens.
Consider the Slowloris, Slowpost or Slowread attacks; the WAF actively and dynamically "throttles" down the attacks and blacklists the offenders. This is possible since it's a full-blown proxy.
If I recall correctly, in the CIA site DoS case, Slowloris was speculated to be the culprit and, for example, Snort only had a signature to detect the original tool itself, which was kinda useless.
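The post's point is that a full proxy sees per-connection state (how long headers have been pending, how fast a body arrives, how fast the client drains the response), which is what makes throttling slow-HTTP connections and blacklisting repeat sources possible at all. The following is an added illustration of that decision logic in Python; it is not Astaro's code and the thresholds, the `Conn` record, the snapshot of connections and the IP addresses are all constructed assumptions for this example. It also shows the distributed case the post describes: when each source holds only one slow connection, closing slow connections regardless of source is what still works, while blacklisting only catches the source that repeats.

```python
from dataclasses import dataclass
from collections import defaultdict
from typing import Optional

# Thresholds are assumptions for this illustration, not Astaro's actual settings.
HEADER_TIMEOUT_S = 10.0   # a client must finish its request headers within this
RATE_GRACE_S = 5.0        # only judge transfer rates once this much time has passed
MIN_BODY_RATE_BPS = 500   # request body must arrive at least this fast (bytes/s)
MIN_READ_RATE_BPS = 500   # client must drain the response at least this fast (bytes/s)
MAX_SLOW_PER_IP = 3       # slow connections from one source before it is blacklisted


@dataclass
class Conn:
    """Per-connection state a full proxy can track (record layout is an assumption)."""
    conn_id: int
    src_ip: str
    opened_at: float
    headers_done_at: Optional[float]  # None: still trickling request headers
    body_bytes: int                   # request body bytes received so far
    body_elapsed_s: float             # seconds spent receiving the body
    resp_bytes_sent: int              # response bytes the client has accepted so far
    resp_elapsed_s: float             # seconds spent sending the response


def classify(conn: Conn, now: float) -> Optional[str]:
    """Name the slow-HTTP pattern a connection matches, or None if it looks normal."""
    if conn.headers_done_at is None and now - conn.opened_at > HEADER_TIMEOUT_S:
        return "slow-headers"  # Slowloris-style: request headers never complete
    if conn.body_elapsed_s >= RATE_GRACE_S and conn.body_bytes / conn.body_elapsed_s < MIN_BODY_RATE_BPS:
        return "slow-body"     # slow POST: body dribbles in below the rate floor
    if conn.resp_elapsed_s >= RATE_GRACE_S and conn.resp_bytes_sent / conn.resp_elapsed_s < MIN_READ_RATE_BPS:
        return "slow-read"     # slow read: client will not drain the response
    return None


def enforce(conns, now):
    """Decide which connections to close and which sources to blacklist.

    Returns (close_ids, blacklist_ips, verdicts); verdicts maps conn_id -> pattern.
    """
    verdicts = {}
    slow_per_ip = defaultdict(int)
    for c in conns:
        kind = classify(c, now)
        if kind:
            verdicts[c.conn_id] = kind
            slow_per_ip[c.src_ip] += 1
    # Throttle: every slow connection is closed, whatever its source. This is the
    # part that still works when the attack is distributed and no IP stands out.
    close_ids = sorted(verdicts)
    # Blacklist: a source that keeps opening slow connections is refused outright.
    blacklist_ips = sorted(ip for ip, n in slow_per_ip.items() if n >= MAX_SLOW_PER_IP)
    return close_ids, blacklist_ips, verdicts


def sample_connections():
    """Constructed snapshot of open connections at t=30s (not real traffic)."""
    return [
        # normal browser: headers done quickly, small body, response drained fast
        Conn(1, "198.51.100.10", 29.0, 29.1, 0, 0.0, 20_000, 0.5),
        Conn(2, "198.51.100.10", 28.0, 28.2, 300, 0.1, 0, 0.0),
        # one source holding several connections open with partial headers
        Conn(3, "203.0.113.5", 5.0, None, 0, 0.0, 0, 0.0),
        Conn(4, "203.0.113.5", 6.0, None, 0, 0.0, 0, 0.0),
        Conn(5, "203.0.113.5", 7.0, None, 0, 0.0, 0, 0.0),
        # distributed pattern: different sources, one slow connection each
        Conn(6, "203.0.113.77", 2.0, 2.5, 600, 20.0, 0, 0.0),     # 30 B/s body
        Conn(7, "203.0.113.88", 1.0, 1.2, 0, 0.0, 4_000, 25.0),   # 160 B/s read
        # opened 3 s ago and still sending headers: inside the timeout, left alone
        Conn(8, "198.51.100.20", 27.0, None, 0, 0.0, 0, 0.0),
    ]


if __name__ == "__main__":
    close_ids, blacklist_ips, verdicts = enforce(sample_connections(), now=30.0)
    for cid in close_ids:
        print(f"close conn {cid}: {verdicts[cid]}")
    print("blacklist:", blacklist_ips)
```

Run as-is it closes connections 3 to 7 and blacklists only 203.0.113.5; connections 6 and 7 are each the sole slow connection from their source, so they are dropped by the throttle path but their sources are not blacklisted, which is exactly why a per-IP block list alone is not enough against the distributed variant.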