Today we will discuss what a website application firewall is. Many server environments are disrupted by malicious attacks of different kinds, and any web application may be vulnerable to events such as ‘Layer 7’ or ‘Application Layer DDoS’ attacks. These attacks try to saturate network or server resources with a flood of traffic. A website application firewall can help protect against these incidents.
In this article, we want to go over the various methods you can use to protect your website from such incidents and briefly explain what the types of attacks are.
What is a website application firewall?
A website application firewall creates a shield between the web application and the World Wide Web. It monitors and filters HTTP traffic from all incoming requests to that application, filtering things like:
- Bad traffic (e.g. bots, spam traffic, etc.)
- File inclusion
- Blacklisted IP
- Contaminated injection
- SQL injection
By putting this in front of your app, you will better protect your app from malicious actors.
What is an application layer DDoS attack?
These attacks are called application-level or Layer 7 (L7) attacks because of the method used to attack. Where a typical DDoS attack hits the network level with things like volumetric flooding, an application-level attack can bring a server down by focusing on depriving it of its resources.
Common Layer 7 Attacks
The most common application-layer DDoS attack that you often see is HTTP flooding. This is done by directly attacking the web server. There are a few different types.
1. General HTTP Floods:
In such attacks, the malicious actor sends HTTP requests (GET / PUT) which the web server will believe to be from an actual user of your web application. Such attacks are easy to identify because they usually share the same range of IP addresses, user agents, or referrers. They work by repeatedly flooding a certain resource until the server stops responding.

You can see this in the example above. The goal is simply to overload the server with requests. This type of attack can be easily mitigated by a website application firewall, as it will simply block the offending IPs that trigger its ruleset.
2. Random HTTP flood:
Similar to normal HTTP flooding.

In the example above, you can see that different IP addresses are hitting different paths multiple times. In this example, the requests all happened within minutes, which easily overwhelmed the server. A broad range of IP addresses in the hands of a malicious actor makes this even more difficult to mitigate.
3. Cache-bypass (cache-busting) HTTP flood:
This is probably one of the smartest types of HTTP flooding. This method of flooding is used against websites that rely on caching, usually through a CDN (Content Delivery Network). It uses a variety of query strings to avoid the caching provided. As a result, instead of returning the results from its cache, the CDN or caching service must contact the origin server for each request.

You can see in the example above that each request has a different query string. If this website is behind a CDN, each request will force a fetch from the origin server. Hundreds of such requests will put pressure on the server in a short time.
4. WordPress XML-RPC Floods:
As of 2021, WordPress powers about 39% of the Internet. As this number continues to grow, we will see more of this attack as more users begin to use WordPress. This attack takes advantage of WordPress accepting pingbacks from other websites. By abusing the pingback feature, attackers may force other WordPress websites to attack each other in order to verify the existence of the link used in the pingback.
It can be detected by the following behavior:

5. Slowloris Attacks
Although not as frequent as other Layer 7 attacks, Slowloris-style attacks are the opposite of what you think a DDoS would be. Slowloris attacks do not overload the server with large amounts of data. Instead, these attacks hold connections open and deliver their payloads slowly over a period of time. This exhausts the web server's or service's connection pool as it waits for each request to complete, which prevents the server from providing connections to other legitimate users.
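The flood patterns in items 1, 3 and 4 above can be spotted in a web server access log; the following is an added example, not code from the original article, that flags them in combined-format log lines. It assumes the whole input is one time window, a hypothetical threshold of 5, and that pingback verification requests carry the "verifying pingback" marker WordPress puts in their user agent; the sample log is constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Combined log format: ip, request line, status, size, referrer, user agent.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def find_floods(lines, threshold=5):
    """Return the IPs or paths that reach `threshold` for each flood pattern."""
    hits_per_client = Counter()          # general flood: same IP and user agent
    queries_per_path = defaultdict(set)  # cache-busting: distinct query strings
    pingbacks_per_path = Counter()       # XML-RPC flood: pingback verifications
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        url = urlsplit(m["url"])
        if "verifying pingback" in m["ua"]:  # assumed WordPress pingback marker
            pingbacks_per_path[url.path] += 1
            continue
        if url.query:
            queries_per_path[url.path].add(url.query)
        hits_per_client[(m["ip"], m["ua"])] += 1
    return {
        "general": {ip for (ip, _), n in hits_per_client.items() if n >= threshold},
        "cache_busting": {p for p, q in queries_per_path.items() if len(q) >= threshold},
        "xmlrpc_pingback": {p for p, n in pingbacks_per_path.items() if n >= threshold},
    }

def _entry(ip, url, ua="Mozilla/5.0"):
    return f'{ip} - - [10/Jan/2021:10:00:00 +0000] "GET {url} HTTP/1.1" 200 512 "-" "{ua}"'

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE = (
    [_entry("203.0.113.7", "/login")] * 6
    + [_entry(f"198.51.100.{i}", f"/?s=term{i}") for i in range(6)]
    + [_entry(f"192.0.2.{i}", "/post",
              f"WordPress/5.6; http://blog{i}.example; verifying pingback from 203.0.113.9")
       for i in range(6)]
    + [_entry("192.0.2.200", "/about")]
)

if __name__ == "__main__":
    for pattern, keys in find_floods(SAMPLE).items():
        print(pattern, sorted(keys))
```

The general flood is reported by source IP, while the cache-busting and pingback floods are reported by target path, because their requests arrive from many different addresses.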

Protecting against Layer 7 attacks
Now that we have gone over various common attacks, you are probably wondering how you can defend against them, and the answer is quite simple. A WAF will help protect your website from Layer 7 attacks.
Frankly, there is no way to protect yourself 100%. The keyword for all of this is mitigation.
Mitigation reduces the effectiveness of these attacks against your server which allows your website or applications to continue serving.
To do this, you need a managed website application firewall that is active to protect your server from such incidents.



