DDoS and Resource Attacks Mitigation in Fortra WAF
To save configuration changes or edits you make to any feature or option, click Save in the lower-right of the section or page where you are making changes. Then click Apply changes in the upper-left corner of the page, and click OK. Your changes are not stored unless you both save and apply them.
To go to the previous section, see Get Started with Alert Logic Managed Web Application Firewall (WAF). To go to the next section, see About Alert Logic Managed Web Application Firewall (WAF).
Be prepared
Resource attacks, such as distributed-denial-of-service (DDoS) and denial-of-service (DoS) attacks, pose significant threats to web applications and APIs. These attacks can overwhelm system resources, leading to service disruptions and degraded performance. Fortra Web Application Firewall (WAF) provides robust mechanisms to mitigate these attacks, ensuring the protection of both human visitors and API resources.
This document outlines the strategies and features of Fortra WAF in mitigating resource attacks, with a clear distinction between protecting resources intended for human visitors and API resources.
Ensuring readiness against DDoS and DoS threats
Being prepared for DDoS and DoS attacks is crucial for maintaining the availability and performance of web applications and APIs. These attacks can cause significant disruptions, leading to loss of revenue, compliance failures, and damage to brand reputation. Here are some key reasons why preparation is essential:
- Minimizing downtime: DDoS and DoS attacks can render services unavailable, causing downtime that can impact business operations. By being prepared, organizations can minimize downtime and ensure continuous availability of their services.
- Protecting revenue: Downtime caused by DDoS and DoS attacks can lead to loss of revenue, especially for e-commerce and online service providers. Preparedness helps in maintaining service availability and protecting revenue streams.
- Maintaining customer trust: Frequent service disruptions can erode customer trust and damage the organization’s reputation. Being prepared for DDoS and DoS attacks helps in maintaining customer trust by ensuring reliable service delivery.
- Compliance and legal requirements: Many industries have compliance and legal requirements for maintaining service availability and protecting customer data. Being prepared for DDoS and DoS attacks helps organizations meet these requirements and avoid potential legal consequences.
- Efficient incident response: Preparation involves having a well-defined incident response plan in place. This ensures that the organization can quickly detect, classify, and mitigate DDoS and DoS attacks, reducing their impact.
Proactive measures for DDoS and resource exhaustion defense
There are several technical reasons for being prepared for DDoS and DoS attacks:
- Baselining normal traffic: Fortra WAF profiles traffic patterns to establish a baseline of normal behavior. This allows the WAF to automatically detect surges in traffic that deviate from the norm, triggering protective measures to mitigate potential attacks. By understanding what constitutes normal traffic, the WAF can more accurately identify and respond to anomalies that may indicate an attack.
- Learning API usage patterns: For APIs, Fortra WAF learns which IP addresses normally use the API. This helps in creating a list of known good IPs that can be trusted during an attack. By maintaining this list, the WAF can restrict access to these trusted IPs, ensuring that legitimate traffic is not disrupted.
- Automated detection and response: The WAF integrates with cloud infrastructure to automatically detect abnormal increases in traffic and activate DDoS protection measures. This includes deploying access control lists (ACLs) and challenges like silent JavaScript-based challenges or CAPTCHAs to filter out malicious traffic.
- Session anomaly detection: Fortra WAF uses advanced machine learning models to build baselines of normal user behavior or normal API usage. This allows the WAF to detect and respond to session anomalies that may indicate malicious activity, such as unusual patterns of requests or unexpected spikes in traffic.
- Pre-Configuration of Controls: It is essential to enable and configure these controls before an attack occurs. By doing so, the WAF can respond automatically and effectively based on good baselines. This proactive approach ensures that the system is prepared to handle attacks without manual intervention.
DDoS vs DoS Protection
Denial of service (DoS) attacks: DoS attacks such as Slowloris and other "slow" attacks aim to exhaust server resources by opening many connections and sending each request incompletely (for example, one partial header line at a time, or a POST body dribbled out byte by byte) so that every connection stays open for as long as possible. This is particularly effective against web servers that allocate a worker, thread, or buffer per connection: the pool fills with half-finished requests, and the service becomes unavailable. Fortra WAF protects against slow DoS attacks by buffering and validating the entire request before forwarding it to the protected web application. Only complete, valid requests reach the application, so its connection resources are never tied up waiting on a client that has no intention of finishing.
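The "buffer and validate the whole request before forwarding it" defence, as an added example that is not Fortra WAF code: a guard reads one connection's chunks, forwards only once the headers and the declared body are complete, and rejects the connection when the headers or body take too long or the request grows past a size cap. The chunk timings, timeouts and sample requests are constructed; a real proxy would also fire the same checks from a timer when a client goes silent, whereas this version evaluates them on each arrival.

```python
"""Slow-DoS guard: buffer a request fully before it touches the origin.
Added example, not Fortra WAF code. Timeouts and samples are assumptions."""
import re

HEADER_END = b"\r\n\r\n"
CONTENT_LENGTH = re.compile(rb"^content-length:\s*(\d+)\s*$", re.I | re.M)


def buffer_request(chunks, header_timeout=10.0, body_timeout=30.0, max_bytes=64 * 1024):
    """Consume (arrival_seconds, bytes) chunks from one connection.

    Returns ("forward", complete_request_bytes) or ("reject", reason).
    Nothing is forwarded until headers and body have fully arrived.
    """
    buf = b""
    start = None
    for arrival, data in chunks:
        if start is None:
            start = arrival
        elapsed = arrival - start
        buf += data
        if len(buf) > max_bytes:
            return "reject", "request exceeds size limit"
        head_end = buf.find(HEADER_END)
        if head_end < 0:
            # Still waiting for the blank line that ends the headers: the Slowloris case.
            if elapsed > header_timeout:
                return "reject", "header timeout"
            continue
        head = buf[:head_end]
        body = buf[head_end + len(HEADER_END):]
        match = CONTENT_LENGTH.search(head)
        expected = int(match.group(1)) if match else 0
        if len(body) >= expected:
            return "forward", buf[:head_end + len(HEADER_END) + expected]
        # Headers complete, body still trickling in: the slow-POST (R.U.D.Y.) case.
        if elapsed > body_timeout:
            return "reject", "body timeout"
    # The client went away without ever completing the request.
    return "reject", "connection closed before request complete"


# Constructed sample connections (times are seconds since the first byte).
NORMAL_GET = [(0.0, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")]
SPLIT_GET = [(0.0, b"GET / HTTP/1.1\r\nHost: x\r\n"), (2.0, b"\r\n")]
SLOWLORIS = [
    (0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\n"),
    (9.0, b"X-a: 1\r\n"),
    (18.0, b"X-b: 2\r\n"),  # keeps adding headers, never sends the terminating blank line
]
SLOW_POST = [
    (0.0, b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 100\r\n\r\n"),
    (20.0, b"user=a"),
    (45.0, b"&pass=b"),  # 100 bytes promised, a few delivered every half minute
]

if __name__ == "__main__":
    for name, conn in [("normal", NORMAL_GET), ("split", SPLIT_GET),
                       ("slowloris", SLOWLORIS), ("slow post", SLOW_POST)]:
        print(name, buffer_request(conn)[0])
```

The guard is the WAF's side of the connection: the slow client still holds a socket open on the WAF, but the origin never sees it, and the WAF's own timeouts bound how long that socket lives.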
Distributed denial of service (DDoS) attacks: DDoS attacks involve multiple machines (often part of a botnet) flooding a target with traffic, making it difficult to trace the origin and mitigate the attack. DDoS attacks can be much more damaging than DoS attacks due to the sheer volume of traffic they generate.
Importance of pushing DDoS protection upstream: To effectively mitigate large-scale DDoS attacks, it is crucial to push protection upstream into scalable infrastructure. By leveraging scalable resources and DDoS protection services, organizations can absorb and mitigate large-scale attacks before they reach the application layer. This approach ensures that the infrastructure can handle extreme loads, preventing service disruption and maintaining availability. Fortra WAF can orchestrate both AWS and Azure resources for DDoS protection. While only AWS supports CAPTCHA and JavaScript challenges, both AWS and Azure support filtering for known good IPs.
Fortra WAF orchestrates AWS and Azure DDoS protection resources automatically. When an abnormal increase in traffic is detected, the WAF can "hook in" AWS WAF or Azure WAF with prepared ACLs to challenge clients using silent JavaScript-based challenges or CAPTCHAs (for AWS). This pushes prevention into the AWS or Azure infrastructure, which can scale to absorb the attack and only allow legitimate traffic through.
Protecting resources intended for human visitors
DDoS and DoS attack mitigation: Fortra WAF employs a multi-layered approach to mitigate DDoS and DoS attacks. This includes rate limiting, traffic shaping, and IP reputation filtering to block malicious traffic before it reaches the application. By continuously monitoring traffic patterns, Fortra WAF establishes a dynamic baseline of normal traffic behavior. Any deviation from this baseline triggers protective measures, such as CAPTCHA challenges, to verify human interaction and deter automated attacks.
Credential attack protection: Fortra WAF detects and blocks brute force attacks by monitoring login attempts and applying rate limiting and lockout mechanisms, which prevents attackers from systematically trying large numbers of password combinations. Note that lockout is itself a denial-of-service lever: an attacker who can trigger lockouts for arbitrary accounts can lock legitimate users out, so lockout thresholds and durations should be tuned with that in mind. The WAF also uses behavioral tracking and CAPTCHA challenges to detect and mitigate credential stuffing, where attackers replay credentials stolen from other sites against your login.
Bot management: Fortra WAF uses advanced bot management techniques to identify and block malicious bots that attempt to misuse resources. This includes distinguishing between legitimate human traffic and automated bot traffic, ensuring that resources are available for genuine users.
Protecting API resources
API exploit protection: Fortra WAF enforces API schema validation based on the API definition. This ensures that only requests conforming to the expected schema are accepted, blocking any malicious or malformed requests. The WAF employs both positive and negative security models to protect APIs. Positive security models allow only predefined valid requests, while negative security models block known attack patterns and malicious connection attempts.
DDoS and DoS attack mitigation for APIs: Fortra WAF provides Layer 7 protection specifically for APIs, managing high volumes of traffic to prevent resource exhaustion. This ensures that API endpoints remain available even during extreme-scale DDoS attacks. The WAF also implements rate limiting and traffic shaping for API requests, preventing abuse and ensuring fair usage of resources.
Rate limiting vs. known good IPs: When under a DDoS attack, two primary strategies can be employed to protect API resources: rate limiting access and only allowing known good IPs.
- Rate limiting access: This strategy involves setting limits on the number of requests that can be made to the API within a specific time frame. Rate limiting helps to prevent any single client from overwhelming the API with excessive requests. It ensures fair usage of resources and can be effective in mitigating DDoS attacks by distributing the load more evenly across legitimate users. However, rate limiting may not be sufficient for large-scale DDoS attacks where the volume of traffic is extremely high. For example, if the number of attacking source IPs is significantly larger than the number of benign clients, the application resources may still be exhausted due to the sheer number of attacking clients, leading to service disruption for legitimate users.
- Only allowing known good IPs: This strategy involves predefining a list of trusted IP addresses that are allowed to access the API. During a DDoS attack, access is restricted to these known good IPs, effectively blocking all other traffic. This approach is particularly useful for protecting APIs where automated clients cannot complete JavaScript challenges or CAPTCHAs. By limiting access to trusted clients, the API remains available to legitimate users while blocking malicious traffic. Fortra WAF automatically learns and maintains the list of known good IPs, ensuring that the list is always up-to-date and reducing the administrative burden.
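The trade-off between the two strategies above, as an added simulation that is not Fortra WAF code: benign API consumers and attacking sources are replayed through no policy, a per-IP token-bucket rate limit, and an allowlist learned from a pre-attack baseline, against an origin that can serve a fixed number of requests per second. The client labels, request rates, origin capacity and limiter settings are constructed; the point is that a per-IP limit cannot help when each of thousands of sources stays under the limit, while it does suffice against a few high-rate sources.

```python
"""Rate limiting vs. known-good allowlist under two botnet shapes.
Added example, not Fortra WAF code. All traffic and capacities are constructed."""
import random

POLICIES = ("none", "rate_limit", "allowlist")


class TokenBucket:
    """Per-client token bucket: refills `rate` tokens/second, holds at most `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def make_traffic(benign_ips, attack_ips, benign_rps, attack_rps, seconds, seed=7):
    """Constructed request stream: list of (time, ip, is_benign) sorted by time."""
    rng = random.Random(seed)
    reqs = []
    for ip in benign_ips:
        for s in range(seconds):
            for k in range(benign_rps):
                reqs.append((s + (k + rng.random()) / benign_rps, ip, True))
    for ip in attack_ips:
        phase = rng.random() / attack_rps
        for s in range(seconds):
            for k in range(attack_rps):
                reqs.append((s + k / attack_rps + phase, ip, False))
    reqs.sort()
    return reqs


def learn_known_good(baseline_traffic):
    """Pre-attack baseline: every IP that used the API normally becomes 'known good'."""
    return frozenset(ip for _, ip, _ in baseline_traffic)


def replay(traffic, policy, capacity_rps, allowlist=frozenset(), rate=5, burst=5):
    """Push traffic through `policy` and an origin serving `capacity_rps` per one-second slot.

    Returns (fraction of benign requests served, number of attack requests served).
    """
    buckets, served_in_slot = {}, {}
    benign_total = benign_served = attack_served = 0
    for t, ip, benign in traffic:
        benign_total += benign
        if policy == "allowlist" and ip not in allowlist:
            continue  # dropped at the edge, never reaches the origin
        if policy == "rate_limit":
            bucket = buckets.setdefault(ip, TokenBucket(rate, burst))
            if not bucket.allow(t):
                continue
        slot = int(t)
        if served_in_slot.get(slot, 0) >= capacity_rps:
            continue  # origin saturated: this request fails for its client
        served_in_slot[slot] = served_in_slot.get(slot, 0) + 1
        if benign:
            benign_served += 1
        else:
            attack_served += 1
    return benign_served / benign_total, attack_served


BENIGN = [f"client-{i}" for i in range(50)]      # 50 API consumers at 1 req/s each
BIG_BOTNET = [f"bot-{i}" for i in range(2000)]   # 2000 sources at 2 req/s, under any sane per-IP limit
SMALL_BOTNET = [f"bot-{i}" for i in range(20)]   # 20 sources at 100 req/s each
CAPACITY = 300                                   # origin serves at most 300 req/s
KNOWN_GOOD = learn_known_good(make_traffic(BENIGN, [], 1, 1, 5))  # learned before the attack


def compare(attack_ips, attack_rps):
    """Benign-served fraction and attack requests served, per policy."""
    traffic = make_traffic(BENIGN, attack_ips, 1, attack_rps, 5)
    return {p: replay(traffic, p, CAPACITY, KNOWN_GOOD) for p in POLICIES}


if __name__ == "__main__":
    print("many low-rate sources:", compare(BIG_BOTNET, 2))
    print("few high-rate sources:", compare(SMALL_BOTNET, 100))
```

With the large botnet, rate limiting serves roughly the same small fraction of benign requests as no policy at all, because no single source exceeds its limit; the allowlist serves every benign request and no attack request. With the small, loud botnet the per-IP limit alone keeps the origin under capacity.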
Bot management for APIs: Fortra WAF protects API resources from unauthorized bot activity with bot mitigation techniques such as rate limiting, CAPTCHA challenges, and IP reputation filtering. The WAF enforces rate limits on API requests to prevent resource misuse by automated bots, ensuring that legitimate API consumers have access to the resources they need.
Controlling unwanted bots consuming CPU and bandwidth
Unwanted bots can consume significant CPU and bandwidth resources, leading to degraded performance and increased operational costs. Fortra WAF provides several controls to manage and mitigate the impact of unwanted bots:
- Bot detection and classification: Fortra WAF uses advanced algorithms to detect and classify bot traffic. By distinguishing between good bots (e.g., search engine crawlers) and bad bots (e.g., data scrapers, spam bots), the WAF can apply appropriate controls to manage bot traffic.
- Rate limiting for bots: Implementing rate limits specifically for bot traffic helps to prevent any single bot from consuming excessive resources. This ensures that legitimate human users and good bots can access the application without being affected by the activities of bad bots.
- CAPTCHA challenges: Fortra WAF can deploy CAPTCHA challenges to verify that the connection is not a bot trying to impersonate a non-bot client. This helps to ensure that only legitimate human users can access the application. Connections that fail the CAPTCHA challenge can be blocked, rate limited, blacklisted, or otherwise controlled, reducing their impact on CPU and bandwidth.
- IP reputation filtering: By leveraging IP reputation databases, Fortra WAF can block traffic from known malicious IP addresses. This helps to prevent unwanted bots from accessing the application and consuming resources.
- Behavioral analysis: Fortra WAF continuously monitors traffic patterns and behaviors to identify anomalies that may indicate bot activity. By analyzing factors such as request frequency, session duration, and navigation patterns, the WAF can detect and mitigate unwanted bot traffic.
Bot controls based on the User-Agent header: Bot controls in Fortra WAF depend on the bot correctly identifying itself in the User-Agent header. For bots that identify themselves, controls are applied based on the type of bot and the strength with which that identity can be validated. The strength of validation is based on the following distinctions:
- Strong validation: The bot's claimed identity is verified against DNS or ASN information published by the bot owner, for example a reverse DNS lookup of the source IP that must resolve into the owner's domain and forward-resolve back to the same IP. Examples of bots with strong verification include:
- Googlebot: Verified through reverse DNS lookups and ASN information provided by Google.
- Bingbot: Verified through reverse DNS lookups and ASN information provided by Microsoft.
- Yandex bot: Verified through reverse DNS lookups and ASN information provided by Yandex.
- Weak validation: The bot's claimed identity is checked only against source IP information supplied by third-party bot information services.
If a client does not declare itself as a known, verifiable bot but exhibits bot behavior, it is classified separately and the controls defined for that class are applied. This ensures that stealthy or deceptive bots, including clients that spoof a trusted crawler's User-Agent string, are still managed and mitigated.
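Strong versus weak validation of a self-identified crawler, as an added example that is not Fortra WAF code. Strong validation here is reverse DNS of the source IP landing in a domain the crawler's owner publishes plus a forward lookup of that hostname resolving back to the same IP; the forward step is what defeats an attacker who controls the PTR record for their own address. Weak validation is membership in a third-party list for that bot. The DNS answers and the third-party list are constructed fixtures in documentation address ranges (a deployment would call socket.gethostbyaddr and socket.gethostbyname_ex), and the ASN check the page mentions is an additional signal not modelled here.

```python
"""Classify a client that claims to be a known crawler in its User-Agent header.
Added example, not Fortra WAF code. DNS fixtures and the weak list are constructed."""

# Reverse-DNS suffixes published by the owners of the crawlers the page names.
STRONG_CRAWLERS = {
    "Googlebot": (".googlebot.com", ".google.com"),
    "bingbot": (".search.msn.com",),
    "YandexBot": (".yandex.ru", ".yandex.net", ".yandex.com"),
}

# Constructed fixtures (documentation ranges), standing in for live DNS answers.
RDNS = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",
    "203.0.113.9": "crawl-192-0-2-10.googlebot.com",  # attacker-controlled PTR pointing at Google's name
    "192.0.2.20": "msnbot-192-0-2-20.search.msn.com",
}
FDNS = {
    "crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
    "msnbot-192-0-2-20.search.msn.com": {"192.0.2.20"},
}
WEAK_LIST = {"198.51.100.7": "YandexBot"}  # constructed third-party bot IP list

# Real-world shaped User-Agent strings used as sample inputs.
GOOGLE_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BING_UA = "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
YANDEX_UA = "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"


def claimed_crawler(user_agent):
    """Which known crawler, if any, the User-Agent claims to be."""
    ua = user_agent.lower()
    for name in STRONG_CRAWLERS:
        if name.lower() in ua:
            return name
    return None


def classify(ip, user_agent, rdns=RDNS, fdns=FDNS, weak_list=WEAK_LIST):
    """Return 'verified-bot', 'weak-verified-bot', 'spoofed-bot' or 'unverified-client'."""
    name = claimed_crawler(user_agent)
    if name is None:
        return "unverified-client"  # no claim to check; behavioural controls apply instead
    host = rdns.get(ip)
    if host and host.endswith(STRONG_CRAWLERS[name]) and ip in fdns.get(host, set()):
        return "verified-bot"  # reverse lookup in the owner's domain and forward-confirmed
    if weak_list.get(ip) == name:
        return "weak-verified-bot"  # only a third-party list vouches for it
    return "spoofed-bot"  # claims a trusted identity it cannot prove


if __name__ == "__main__":
    for ip, ua in [("192.0.2.10", GOOGLE_UA), ("203.0.113.9", GOOGLE_UA),
                   ("198.51.100.7", YANDEX_UA), ("198.51.100.8", BROWSER_UA)]:
        print(ip, "->", classify(ip, ua))
```

The second Googlebot case is the one worth remembering: its PTR record says googlebot.com, and a reverse-only check would trust it, but the forward lookup of that name does not return 203.0.113.9, so it is treated as a spoofed bot.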
Recommended controls
Protecting web applications and APIs from resource exhaustion and brute force attacks is crucial for maintaining the availability and performance of your services. Fortra WAF offers robust features to mitigate these threats. This section outlines the recommended controls for configuring Fortra WAF to protect against these types of attacks.
Summary of recommended controls:
- DDoS Protection: Enable automatic DDoS detection and configure global and individual website settings.
- Manual DDoS Protection: Option to manually enable or disable DDoS protection.
- Brute Force and Credential Stuffing Protection: Automated detection with a 7-day trailing baseline and one-hour granularity.
- Bot and Client Automation Management: Classify and manage bots and automated clients, including CAPTCHA challenges and custom rules.
- Session Anomaly Detection: Use machine learning to detect anomalous sessions.
- CAPTCHA Challenge: Configure CAPTCHA challenges served by the WAF, Google reCAPTCHA, or hCaptcha.
- L7 Source IP and Geolocation Based Controls: Manage connections based on source IP and geolocation, including request throttling.
- Access Logging: Access logs are useful for manual analysis and extraction of good and bad source IPs.
DDoS protection
DDoS protection with Fortra WAF on AWS
Fortra WAF leverages AWS DDoS mitigation capabilities to protect web applications deployed in AWS, on-premises, or in other cloud environments. It is recommended to combine Fortra WAF with CloudFront CDN to cache content at edge locations, absorb traffic spikes, reduce latency, and strengthen overall defense.
Key capabilities:
- Automatic provisioning of WAF rules to CloudFront and ALB.
- JavaScript or CAPTCHA challenge-based validations for human traffic.
- Dynamic IP allowlisting to restrict API access exclusively to verified clients during an attack.
- Continuous traffic baselining and real-time anomaly detection.
Enable DDoS detection and protection in Fortra WAF:
- Configure AWS credentials:
  - Navigate to System > Configuration.
  - Enter your AWS credentials or select Use delegated IAM role to allow Fortra WAF to interact with AWS services. Whichever you choose, scope the identity to the WAF, CloudFront and ALB actions the integration needs rather than granting broad permissions.
- Configure global settings for DDoS protection:
  - Navigate to Websites > Global Settings > Distributed Denial of Service protection.
  - Select the Enable Automatic DDoS Detection checkbox.
  - Register your CloudFront distribution or ALB ARN.
  - Configure an immunity period for CAPTCHA/JS challenges.
- Configure DDoS protection for individual websites:
  - Navigate to Policy > Website Global Policy > Distributed Denial of Service protection.
  - Select the Enable Automatic DDoS Detection checkbox.
  - Select a protection method (JavaScript, CAPTCHA, or Known Good IPs).
  - Set the Module status to Active.
With this configuration, Fortra WAF baselines traffic patterns over a trailing 7 days with one-hour granularity and automatically enables cloud-based DDoS protection when a traffic surge deviates substantially from that baseline. Because the ACL is attached to the CloudFront distribution or ALB itself, protection is not per website: if one DDoS-protected website behind a given distribution or ALB ARN comes under attack, protection is enabled for every website behind that same ARN that is configured for DDoS protection.
DDoS protection with Fortra WAF in Azure
Fortra WAF also supports DDoS protection for web applications running in Azure. The configuration steps and automation are the same as for AWS, but Azure only supports IP allowlisting, and prevention only applies to web applications running in Azure.
Key capabilities:
- IP allowlisting to restrict API access exclusively to verified clients during an attack.
- Continuous traffic baselining and real-time anomaly detection.
Enable DDoS detection and protection in Fortra WAF:
- Configure Azure credentials:
  - Navigate to System > Configuration.
  - Enter your Azure credentials to allow Fortra WAF to interact with Azure services.
- Configure global settings for DDoS protection:
  - Navigate to Websites > Global Settings > Distributed Denial of Service protection.
  - Select the Enable Automatic DDoS Detection checkbox.
  - Register your Azure web application.
  - Configure an immunity period for CAPTCHA/JS challenges.
- Configure DDoS protection for individual websites:
  - Navigate to Policy > Website Global Policy > Distributed Denial of Service protection.
  - Select the Enable Automatic DDoS Detection checkbox.
  - Select a protection method (IP Allowlisting).
  - Set the Module status to Active.
With this configuration, Fortra WAF will baseline traffic patterns for a trailing 7 days with one-hour granularity and automatically enable DDoS protection if traffic surges deviate substantially from the trailing baseline. This ensures that your Azure-based web applications are protected against DDoS attacks.
Access logging
Enabling access logging is highly recommended as it provides valuable insights during an attack. Access logs are useful for manual analysis and extraction of good and bad source IPs. This feature is configured in Policy > Basic Operation > Access Log Settings.
Configuration steps:
- Navigate to Policy > Basic Operation > Access Log Settings.
- Enable access logging by selecting the appropriate options.
- Configure the log format as needed. The recommended access log format is NCSA extended/combined with Add roundtrip time and cache info to access log format selected to add server response time and cache info.
- Configure migration to external storage. To prevent access logging from consuming excess disk space, it is recommended to automatically migrate access logs to an external server. This can be configured in System > Configuration > Auto backup. By setting up automatic backups, you ensure that access logs are regularly transferred to an external server, thus maintaining optimal disk space on the WAF.
Enabling/disabling DDoS protection manually
While the DDoS protection response is automated, it is possible to manually enable or disable DDoS protection if desired. This can be done by navigating to Websites > Global Settings > Distributed Denial of Service protection and clicking the Enable protection globally or Disable protection globally buttons.
Brute force and automation protection
Brute force and credential stuffing protection
Brute force and credential stuffing detection in Fortra WAF is automated and designed to protect your web applications effectively. This protection is configured in the Policy > Website Global Policy > Credentials stuffing and Brute Force protection section.
- Automated Detection: Fortra WAF automatically detects brute force and credential stuffing attacks.
- Configuration Path: Set up protection in Policy > Website Global Policy > Credentials stuffing and Brute Force protection.
- Traffic Baseline: Maintains a 7-day trailing baseline with one-hour granularity.
- Traffic Pattern Analysis: Captures variations in traffic patterns to accommodate normal weekly peaks.
- Response to Unusual Activity: Monitors and analyzes traffic to detect and respond to potential attacks, ensuring application security.
When you configure protected paths, the WAF will automatically maintain a 7-day trailing baseline with one-hour granularity. This high granularity ensures that variations in traffic patterns are captured, allowing the system to accommodate normal peaks during the week. By continuously monitoring and analyzing traffic, Fortra WAF can detect and respond to unusual activity that may indicate a brute force or credential stuffing attack, ensuring your applications remain secure.
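The 7-day trailing baseline with one-hour granularity that the page describes for both automatic DDoS detection (the AWS and Azure sections above) and brute force / credential stuffing detection, as an added example that is not Fortra WAF code: a window of the last 168 hourly counts, a comparison of the current hour against the same hour one week earlier (so a normal Monday-morning peak is not flagged), and a robust z-score against the whole week (so a small absolute bump on a quiet hour is not called a 3x surge). The traffic counts, the weekly pattern and the thresholds are constructed assumptions.

```python
"""Hour-of-week trailing baseline and surge decision.
Added example, not Fortra WAF code. Counts, pattern and thresholds are constructed."""
from collections import deque
import statistics

HOURS_IN_WEEK = 7 * 24


def weekly_pattern(hour_index):
    """Constructed 'normal' hourly request count for an absolute hour index (0 = Monday 00:00)."""
    day, hour = divmod(hour_index % HOURS_IN_WEEK, 24)
    if day < 5 and 8 <= hour < 18:
        return 300 + (hour_index * 7) % 11  # weekday business hours, deterministic jitter
    return 100 + (hour_index * 5) % 7       # nights and weekends


class TrailingBaseline:
    """Holds the last 168 hourly counts; feed it exactly one count per hour, in order."""

    def __init__(self, window=HOURS_IN_WEEK):
        self.window = window
        self.counts = deque(maxlen=window)

    def add(self, count):
        self.counts.append(count)

    def assess(self, count, ratio_threshold=3.0, z_threshold=6.0):
        """Return (is_surge, ratio to the same hour last week, robust z-score).

        Both tests must fire: the seasonal ratio lets a normal weekly peak through,
        the median/MAD z-score stops a tiny increase on a quiet hour from counting.
        """
        if len(self.counts) < self.window:
            return False, None, None  # cold start: no baseline yet, so no alert
        same_hour_last_week = self.counts[0]  # oldest entry is exactly 168 hours ago
        median = statistics.median(self.counts)
        mad = statistics.median(abs(c - median) for c in self.counts) or 1.0
        ratio = count / max(same_hour_last_week, 1)
        z = (count - median) / (1.4826 * mad)
        return (ratio > ratio_threshold and z > z_threshold), ratio, z


def assess_hour(hour_index, count):
    """Build the baseline from the 168 hours before `hour_index`, then assess `count`."""
    baseline = TrailingBaseline()
    for h in range(hour_index - HOURS_IN_WEEK, hour_index):
        baseline.add(weekly_pattern(h))
    return baseline.assess(count)


if __name__ == "__main__":
    monday_9 = HOURS_IN_WEEK + 9          # next Monday 09:00
    sunday_3 = HOURS_IN_WEEK + 6 * 24 + 3  # next Sunday 03:00
    print("normal Monday peak:", assess_hour(monday_9, weekly_pattern(monday_9)))
    print("Monday attack:     ", assess_hour(monday_9, 3000))
    print("Sunday night spike:", assess_hour(sunday_3, 2000))
```

One caveat the ratio test carries: if the same hour last week was itself abnormal (an outage, or a previous attack that was not excluded from the baseline), the comparison is skewed, which is one reason the page recommends configuring these controls while traffic is known to be normal.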
Bot and client automation management
Managing bot and client automation is crucial to prevent automated attacks and ensure that only legitimate users access your services. Fortra WAF provides a comprehensive set of rules and controls to manage bot and client automation effectively:
- Bot Classification: Fortra WAF uses a pre-classified database of well-known bots and automated clients. It can identify and act on requests from these entities.
- Falsified User Agents: The WAF can detect and block bots that impersonate other, possibly more trustworthy, bots by using falsified user-agent strings.
- Unknown User Agents: Fortra WAF can distrust activity from unknown user agents and verify that a human is driving the session by issuing a CAPTCHA challenge.
- Custom Rules: Administrators can create custom rules to manage specific bot and client automation scenarios, enhancing the flexibility and effectiveness of the WAF.
To configure bot and client automation management, navigate to Policy > Website Global Policy > Bot and Client Automation Management and set up the desired rules and controls.
Session anomaly detection
Session anomaly detection is a feature that groups user requests into sessions and uses machine learning to create models representing typical traffic patterns. These models predict if a future session is anomalous or not.
- Session Grouping: User requests are grouped into sessions based on a specific time period and request count.
- Machine Learning Models: Fortra WAF uses machine learning to create models of typical traffic patterns.
- Anomaly Prediction: The models predict whether a session is anomalous by comparing it against the trained model.
- Configuration: By default, session anomaly detection is disabled. Activate it by changing the Module status from Inactive to Active, then save and apply the changes.
To configure session anomaly detection, navigate to Policy > Website Global Policy > Session Anomaly Detection and set up the desired settings.
CAPTCHA Challenge
CAPTCHA challenges are an effective way to ensure that only human users can access your services. This feature is configured in Policy > Website Global Policy > CAPTCHA Challenge and applies to challenges served or injected by the WAF, not those served when DDoS protection is pushed into the cloud.
Configuration options:
- CAPTCHA Challenge Served by the WAF: A standard CAPTCHA text image recognition challenge provided directly by the WAF.
- Google reCAPTCHA v2 Checkbox: Integrates Google reCAPTCHA v2 for a checkbox-based challenge.
- hCaptcha Checkbox: Utilizes hCaptcha for a checkbox-based challenge.
Third-party CAPTCHA credentials: For Google reCAPTCHA and hCaptcha, third-party CAPTCHA credentials must be configured in System > Configuration.
L7 Source IP and Geolocation-based controls
L7 Source IP and Geolocation-based controls allow you to manage connections to the WAF based on their source IP and geolocation. This is a two-step procedure:
- Source classes: Source IPs are associated with source classes depending on their origin, the proxies they connect through (such as Tor or anonymizing VPNs), or the controls they trigger, such as Bot and Client Automation controls. These source classes are organized in a table with an expandable section containing unconfigured GeoIP country groups.
- Control Groups: Source classes are then mapped to Control Groups, which determine how the connections are managed. Control Groups can be configured to:
- Violation: Treat requests as violations.
- Trust: Lower the connection's trust level so that its requests are subject to additional assessment.
- Challenge: Present requests with a CAPTCHA challenge.
- Req Throttle: Assign an HTTP request throttling zone to the control group. Four different zones are available. Throttling traffic from bots that are suspected to provide dubious value but consume resources and bandwidth can help maintain the performance and availability of your web applications.
By default, the module for L7 Source IP and Geolocation-Based Controls is disabled. To enable it, change the Module status from Inactive to Active, save the configuration, and then apply the changes.
Configuration Path: Navigate to Policy > Website Global Policy > L7 Source IP and Geolocation-Based Controls to set up the desired rules and controls.
Emergency measures for unconfigured DDoS protection
In the event of a DDoS attack where the WAF was not proactively configured, the following emergency measures can be taken to mitigate the impact of the attack. These measures are divided into two scenarios based on the traffic load and the available resources.
Scenario 1: Manageable traffic load
If the traffic load is manageable and can be handled by the WAF and the website network bandwidth, the following steps can be taken:
- Enable throttling: Activate rate limiting to control the number of requests per second from individual IP addresses. This helps to prevent overwhelming the server with excessive traffic.
- Enable CAPTCHA challenges: If the website is intended for human users, enable CAPTCHA challenges to verify that the incoming traffic is from legitimate users and not automated bots.
- IP allowlisting for APIs: If an API is being attacked, analyze known good and known bad access logs to build custom IP lists. The Web Security Expert (WSX) team has a tool to analyze access logs.
- Upload IP lists to WAF: Upload the custom IP lists to the WAF.
- Configure controls in L7 Source IP and Geolocation-Based Controls: Prefer IP allowlisting over blacklisting known bad IPs to ensure that only legitimate traffic is allowed through.
- IP connection limiting and IP request throttling: Implement IP connection limiting and IP request throttling as documented in the DoS Mitigation section of this manual to cap the number of concurrent connections and the request rate from any single IP address. Note that the WAF must see the real client source address: if it runs behind a Layer 7 (L7) proxy, every connection appears to come from the proxy, and per-IP limits would throttle all traffic, legitimate and malicious alike.
Scenario 2: Severe DDoS attack requiring upstream protection
In cases where the DDoS attack is severe and the only option is to push protection upstream into elastic cloud resources, the following steps can be taken. This assumes that the attacked website is behind CloudFront or an Application Load Balancer in AWS, or is an Azure web application registered for DDoS protection:
- Configure DDoS protection for websites: For websites intended for human users, configure DDoS protection and enable it manually to stop attackers with CAPTCHA or JavaScript challenges (AWS only).
- IP allowlisting for APIs and Azure websites: If the target is an API or the website is in Azure, analyze known good and known bad access logs to build custom IP lists. The WSX team has a tool to analyze access logs.
- Upload IP lists to WAF: Upload the custom IP lists to the WAF.
- Configure distributed-denial-of-service protection: Include the Known Good lists in the IP allowlists that are configured for cloud DDoS protection to ensure that only legitimate traffic is allowed through.
These measures can help mitigate an attack where the WAF was not configured proactively. The response is, however, less complete and less granular than a prepared one: without a learned baseline and a known-good list, keeping existing, well-behaved users online while blocking attackers depends on lists built during the attack, so some legitimate traffic may be blocked and some attack traffic admitted.
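The access-log analysis referred to in the Access logging section and in both emergency scenarios above (build known-good and known-bad lists, then upload them), as an added example that is neither Fortra WAF code nor the WSX team's tool. It assumes the NCSA combined format; the WAF's optional round-trip time and cache fields are not modelled, and anything after the User-Agent field is ignored. The log lines, the attack start time and the thresholds are constructed. Known good is every IP that was active before the attack started and whose baseline error ratio is healthy; known bad is every other IP that hits the site repeatedly after the attack started; the rest is left for manual review rather than guessed.

```python
"""Mine a combined-format access log into known-good and known-bad IP lists.
Added example, not Fortra WAF code. Log lines and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def build_ip_lists(log_text, attack_start, min_attack_requests=3, max_error_ratio=0.5):
    """Split sources into known good, known bad and unclassified around `attack_start`."""
    baseline, during = defaultdict(list), defaultdict(list)
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # count rather than crash: logs under attack are often messy
            continue
        bucket = baseline if rec["ts"] < attack_start else during
        bucket[rec["ip"]].append(rec["status"])
    # Seen before the attack and not mostly erroring (a scanner would be): known good.
    good = {ip for ip, codes in baseline.items()
            if sum(c >= 400 for c in codes) / len(codes) <= max_error_ratio}
    # New during the attack and hammering the site: known bad.
    bad = {ip for ip, codes in during.items()
           if ip not in good and len(codes) >= min_attack_requests}
    return {
        "good": sorted(good),
        "bad": sorted(bad),
        "unclassified": sorted(set(during) - good - bad),
        "unparsed": unparsed,
    }


# Constructed sample log: two API consumers before and during the attack, two
# attacking sources, one low-volume unknown, and one line that does not parse.
LOG = """\
192.0.2.10 - - [10/Mar/2025:08:59:01 +0000] "GET /api/orders HTTP/1.1" 200 512 "-" "orders-client/1.4"
192.0.2.11 - - [10/Mar/2025:08:59:30 +0000] "POST /api/orders HTTP/1.1" 201 64 "-" "orders-client/1.4"
192.0.2.10 - - [10/Mar/2025:09:00:05 +0000] "GET /api/orders HTTP/1.1" 200 512 "-" "orders-client/1.4"
203.0.113.5 - - [10/Mar/2025:09:00:06 +0000] "GET /api/orders HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2025:09:00:06 +0000] "GET /api/orders HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2025:09:00:07 +0000] "GET /api/orders HTTP/1.1" 503 0 "-" "python-requests/2.31"
203.0.113.6 - - [10/Mar/2025:09:00:07 +0000] "GET /api/orders HTTP/1.1" 503 0 "-" "python-requests/2.31"
203.0.113.6 - - [10/Mar/2025:09:00:07 +0000] "GET /api/orders HTTP/1.1" 503 0 "-" "python-requests/2.31"
203.0.113.6 - - [10/Mar/2025:09:00:08 +0000] "GET /api/orders HTTP/1.1" 503 0 "-" "python-requests/2.31"
192.0.2.11 - - [10/Mar/2025:09:00:09 +0000] "GET /api/orders/7 HTTP/1.1" 200 128 "-" "orders-client/1.4"
198.51.100.3 - - [10/Mar/2025:09:00:10 +0000] "GET /api/orders HTTP/1.1" 503 0 "-" "curl/8.5.0"
this line is not an access log entry
"""
ATTACK_START = datetime(2025, 3, 10, 9, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    lists = build_ip_lists(LOG, ATTACK_START)
    print("known good:", lists["good"])
    print("known bad: ", lists["bad"])
    print("review:    ", lists["unclassified"], "| unparsed lines:", lists["unparsed"])
```

The good list is the one to upload first: as the page says, prefer allowlisting over blocking known-bad addresses, because the bad list is only ever as complete as the log window you analyzed.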