Today’s businesses contend with a slew of sophisticated cyber threats, including ransomware and phishing. An attack does not need to be complex to cause significant harm. Distributed Denial of Service (DDoS) attacks, while relatively unsophisticated, stand out as one of the most disruptive threats organizations face.
Unlike data breaches that compromise or steal sensitive information, DDoS attacks target the “availability” aspect of the CIA triad (confidentiality, integrity, and availability), flooding websites with traffic to overwhelm servers and render them unusable. For industries that rely on constant online availability (think retail or financial services), DDoS attacks can lead to immediate revenue losses.
So says Josh Davies, Principal Technical Manager at Fortra’s Alert Logic, adding that businesses need to identify and mitigate these attacks at all costs. This is where web application firewalls (WAFs) come in. “A WAF offers a vital layer of defense by filtering incoming traffic to distinguish between the good and the bad. By leveraging machine learning, adaptive trust policies, and integrations with content delivery networks (CDNs), WAFs ensure business continues as usual.”
Disrupting Availability
Understanding DDoS tactics, traffic patterns, and methods of disruption is key to fighting back. DDoS attacks are delivered by botnets — a collection of compromised devices like IoT gadgets — and are available for rent on the dark web for mass-scale attacks. Unfortunately, when it comes to hiring botnet services, the juice is worth the squeeze; they are easy to use and relatively cheap, considering the amount of damage they can cause.
Any device with compute power can be used in a DDoS botnet if it’s connected to the internet and can make web requests. This ability makes smart devices the perfect target, as they have few built-in security controls. Simply said, botnets could be hordes of smart toothbrushes, fridges, or even lightbulbs. The individual requests are not malicious, in that there are no exploits in the request. Instead, they rely on a high volume of requests in a small amount of time to overwhelm the target server. If you’ve ever been desperately refreshing the ticket page for a concert, only for the server to crash and return an error, you technically participated in a DDoS attack!
Not all DDoS attacks are equal, either, Davies adds. “There are amplification attacks, a type of DDoS where malicious actors exploit weaknesses in a system’s configuration to increase the attack’s impact. For example, an “HTTP/2 flood” exploits the CONTINUATION frame by sending it without setting the END_HEADERS flag, resulting in an endless stream of headers effectively multiplying the amount of traffic sent.”
Part of a Bigger Picture
DDoS attacks often are part of a larger strategy. Attackers may use DDoS to distract IT and security teams while they conduct more sophisticated attacks, such as lateral movement within a system looking for sensitive data or additional targets. In some cases, DDoS attacks happen after a ransomware attack to pile on extra pressure to get the victim to pony up the ransom. This tactic is known as triple (or even quadruple) extortion.
In summary, DDoS attacks leverage bots to disrupt system availability. They frequently serve as a component of a broader malicious strategy intended to compromise the integrity and confidentiality of other systems.
Website DDoS Mitigation
DDoS attacks must be identified and mitigated before they overwhelm their intended targets. Blocking the malicious requests directly is a challenge, as they often resemble legitimate traffic. But having a WAF positioned in front of a web app can detect abnormal traffic spikes by leveraging machine learning algorithms and comparing current traffic patterns against established baselines.
An identified traffic spike triggers the DDoS mitigation mechanism. Traffic then is rerouted away from the server and absorbed by dedicated DDoS resources. Davies refers to this as the “DDoS playground, where the botnets can harmlessly expend their energy.”
But not every request will be part of the DDoS attack. The fact is some legitimate users may get caught up in this mitigation, so challenge and CAPTCHA actions must filter out legitimate human users caught in the DDoS net, a challenge that requires a requester (e.g., web browser, user device) to solve a problem silently (challenge) or human interaction to solve a puzzle (CAPTCHA). Human users who pass these tests gain access to the original website.
The Bigger Picture for Bots
Bots exclusively conduct DDoS attacks. So perhaps blocking all bots is a solution? Nope. Bots are automated tasks performed over the internet by a software app and are used for more than just DDoS attacks including legitimate actions.
Generally, there are three categories for bots:
Desirable bots
Also referred to as “good” bots, they perform desirable functions for website owners. An example is Google’s SEO bot, which helps relevant websites rank high in search engines. These bots also can automate processes like updating pricing data or improving website functionality.
Undesirable bots
These bots might not be malicious, but they are nevertheless unwelcome. They include data scrapers, which pull pricing or other competitive data from websites without permission. In addition to taking data, they consume compute power, draining server resources and potentially slowing down interactions with other desired users.
Malicious bots
These are bad bots created with ill intent. They conduct DDoS attacks or automated attacks and reconnaissance by scanning for vulnerabilities, often using tools like Nmap to find weaknesses in web servers.
The Role of Security for Web Apps & APIs
Most breaches start with web applications, which serve as the “front door” of the network, providing an ideal entry point. Even if they don’t begin with web apps, almost all breaches involve a web server, as they connect to sensitive data and perform critical business functions.
“Cyber crooks use bots to conduct reconnaissance scans across the web, scanning the internet for known vulnerabilities, hoping to find outdated software or misconfigurations,” says Davies. “After gathering data, they review which targets are vulnerable and begin exploiting those weaknesses manually or through automated attacks to establish initial entry.”
Reconnaissance bots are particularly “noisy,” sending hundreds or thousands of requests. Detecting them early means you can block subsequent attacks and limit the threat actor’s knowledge of your application. The more threat actors learn about your web apps, the greater their chances are for successful exploitation. That’s another reason why WAFs are critical — they help stop attackers before they can gather enough information to exploit vulnerabilities.
Similarly, application programming interfaces (APIs) require careful monitoring to distinguish between legitimate and malicious requests. Bots make most API requests, with only highly skilled engineers and technical professionals making direct requests. Bots function as intermediaries for websites, like how a news site uses an API to pull weather data from a meteorological service. Modern web pages may need hundreds of API requests to assemble content.
“This is why blocking all bots is not feasible when defending against DDoS attacks; there must be a way to distinguish between good and bad bots,” Davies explains.
API DDoS Mitigation
APIs require a different approach for DDoS protection, as redirecting or blocking traffic — such as those that fail a CAPTCHA or silent challenge — can unintentionally impact desirable bots, redirecting them alongside the malicious traffic involved in the DDoS attack.
Unlike people, bots can’t raise a ticket to say their access has been incorrectly blocked. Because of this, mistaken blocks may go unnoticed until a functionality issue is identified and troubleshot. To be effective, WAFs need a mechanism to identify beneficial bots. A useful WAF also needs to give security teams visibility into how it will treat different groups of bots.
WAF & Bot Management
Bot management goes beyond merely aiding DDoS controls; it’s essential for safeguarding digital assets. Effectively blocking unwanted and malicious bots while protecting legitimate ones is crucial, not only in the face of volumetric DDoS attacks but for maintaining overall security and performance.
Customized rules can be created for specific bots and block others. Robust WAFs maintain a list of known bots and use machine learning to identify anomalies. This process includes validating these bots, not just by user agent strings as these can be spoofed, but by comparing IP addresses and other data points to confirm authenticity. Quite simply, taking a multi-layered approach improves security.
“For organizations that prefer a more controlled approach, a WAF can lock down access and only allow specific, pre-approved bots,” Davies says. “In contrast, undesirable bots either can be blocked outright or subjected to challenges like CAPTCHA to ensure they are legitimate users and not automated scripts. A good WAF solution also will use rate limiting to restrict the number of requests from a single source within a set timeframe.”
Adaptive trust
A WAF’s flexibility also comes into play through adaptive trust-based policies. “These policies allow the WAF to adjust the level of scrutiny based on the perceived risk of a connection,” explains Davies. “If a user or bot exhibits suspicious or anomalous behavior, stricter rules are applied, making it harder for potential threats to slip through the net. For trusted users or bots, more lenient rules are applied. This approach minimizes false positives while ensuring security.”
Positive & Negative Policies
A key component of WAF management is the use of positive and negative policies to filter traffic:
Positive policies
This approach blocks all traffic by default and only allows requests meeting predefined, trusted criteria. Proactive policies are highly effective at preventing zero-day attacks. Even if a new exploit is unknown and doesn’t meet the criteria for legitimate traffic, it is automatically blocked. There is a caveat —maintaining positive policies requires constant updates to ensure they align with web app changes.
Negative policies
Conversely, negative policies allow all traffic by default and block requests that match known attack patterns. This approach may not block as many unknown threats as positive policies. But it still offers substantial protection by continuously updating to defend against the latest known exploits.
Robust WAF solutions combine both positive and negative policies, depending on the specific web application and its requirements. This hybrid approach allows the WAF to adapt to different attack scenarios and web environments.
Navigating the Challenges of WAF Management
Managing a WAF can be complex, especially when trying to balance between false positives and false negatives. As a result, many businesses opt for a managed solution, enabling WAF experts to oversee their configuration and optimization.
In addition to enhancing security, using a managed security service provider (MSSP) for WAF management provides several other advantages. Notably, it reduces friction between security and development teams, as the security team is no longer held responsible for issues stemming from blocked legitimate requests. “Instead, organizations can depend on external experts to fine tune their WAF to ensure maximum security with minimal disruption,” says Davies.
Take a Look at Fortra Managed WAF
Fortra Managed WAF delivers proactive web application and API security and takes away the complexity that comes from managing it internally. By leveraging advanced filtering techniques and machine learning, apps and APIs are protected against DDoS attacks and unwanted bots.
In large-scale DDoS attacks, Fortra Managed WAF diverts malicious traffic into a “DDoS playground,” using cloud resources from the largest cloud providers, Azure and AWS, to absorb even the largest of volumetric attacks. Integrated CAPTCHA puzzles and silent challenges allows legitimate traffic to flow uninterrupted, ensuring business continuity.
Fortra Managed WAF’s DDoS defense capabilities are enhanced through collaboration with external CDNs. By caching content at the network edge, CDNs play a crucial role in mitigating DDoS attacks and reducing the load on the origin server. For instance, if thousands of users simultaneously request the same web page, a CDN can serve the content from a static, cached version, preventing the origin server from being overwhelmed. Fortra’s deployment team can integrate our WAF with any CDN of choice.
Ready to maximize your web app security and minimize disruption? Learn more about Fortra Managed WAF.
