Help Center

  1. StackPath Help
  2. WAF
  3. Supplemental Information

Learn About the StackPath WAF

Avatar
Kevin Bond
Updated:

Overview

A Web Application Firewall (WAF) is an application firewall for HTTP applications. A WAF applies sets of rules and performs behavioral analysis to block malicious traffic from your origin server.

WAF covers known vulnerabilities, such as OWASP Top 10, and other common CMS specific vulnerabilities.

Based on the threat type, different rules will apply and different actions will trigger, such as a request block, a Captcha challenge, or a JavaScript challenge.

StackPath's WAF is comprised of a unique 2-tier SaaS.

The first tier is a cloud-based Central Security Cloud that analyzes traffic for:

  • Behavioral profiling
  • Inconsistency detection
  • Reputation recognition

The second tier is edge nodes that enforce security policies and deliver services distributed by the cloud.

When a request matches a rule, a challenge (such as Captcha or JavaScript challenge) will be delivered to the user. For example, if the request contains a string that includes Select * from db, then the SQLi rule will trigger and the user will be blocked.

StackPath offers 2 types of WAF, Standard and EnterpriseAt a high level, with Enterprise WAF, you can work with Support to:

  • Create custom rules
    • Standard WAF users can create custom rules for an additional charge. 
  • Create custom headers
  • Create custom sanction screens
  • Update DDoS settings

Anti-automation protection 

Cyber-criminals use automation to carry out attacks on web applications for several reasons. Automation tools: 

  • Enable the attacker to hit more applications and exploit more vulnerabilities than other manual methods.
  • Are available online and save the attacker time from studying attack methods and developing exploits that applications are vulnerable to. 
  • Are optimized to use resources more efficiently.

The StackPath WAF behavioral analysis blocks any non-human traffic. Advanced user behavioral analysis blocks automated scanners, bots, and other automated tools from accessing your application, while known bots, such are known search engine, are allowed.  

IP Reputation 

StackPath allows you to blacklist traffic that originates from well-known IP addresses. StackPath's Central Security Cloud constantly collects, updates, and validates these IP addresses using multiple sources. These IP addresses are blacklisted and published to all StackPath Service Nodes. With this information, you can decide to block, challenge, or allow traffic from highly suspect entities.

DDoS L7 Protection 

Note: 

Only Enterprise WAF users can see their DDoS L7 protection settings. Additionally, to update these settings, Enterprise WAF users must contact Support. 

The StackPath WAF offers protection against Application Layer (Layer 7) DDoS. Layer 7 attacks are often performed in bursts and are not always volumetric in nature. 

The WAF uses multiple techniques to detect and mitigate incoming attacks. 

This protection is always active, even if the WAF is in Monitor mode. 

The WAF uses multiple techniques to detect and mitigate incoming attacks. The DDoS mode will activate if any of the following 3 conditions are met: 

Condition type Description Values
Global threshold

This mechanism identifies a slow rise in traffic over a period of time.

This mechanism is responsible for identifying DDoS attacks that their traffic pattern consists of a slow rise in traffic over a period of time.

If the customizable threshold value is met AND if the current number of requests is at least two times (2X) the previous 10-second window, then the DDoS mode will be activated.

Default

  • This mechanism has a default DDoS threshold of 5000 requests per 10 seconds. 

Minimum

  • This mechanism has a minimum DDoS threshold of 250 requests per 10 seconds. 

Maximum

  • This mechanism has a maximum threshold of 10,000 requests per 10 seconds.

 
Burst threshold

This mechanism identifies sudden bursts in traffic. 

If the customizable threshold value is met AND the number of requests is at least five times (5X) the last 2-second interval, then the DDoS mode will activate.

Default

  • This mechanism has a default value of 500 request per 2 seconds.

Minimum

  • This mechanism has a minimum DDoS threshold of 30 requests per 2 seconds.

Maximum

  • This mechanism has a maximum threshold of 1,000 requests per 2 seconds.
Sub second threshold

This threshold protects WAF servers against attacks from traffic bursts.

When this threshold is reached, the DDoS mode will activate on the affected WAF server (not the WAF cluster). 

Default

  • This mechanism has a default value of 50 seconds. 
  • By default, StackPath maintains this threshold.

When DDoS mode is activated:

  • Every request will be challenged with a JavaScript validation.
    • The JavaScript Challenge detects if a valid user is making the request, and not an automated tool. Once passed, the user will not have to pass the challenge on future requests.
  • The mode will be active for a minimum duration of 10 minutes and then for the duration of the rest of the attack.
  • Any automated layer traffic will be blocked. 
    • This action will not take place against large search engines (Google, Bing, etc.). 
  • StackPath's bot-detection technology will block bots that:
    • Share IP addresses with human users
    • Frequently change their IP addresses

View DDoS statistics

  1. In the StackPath Control Portal, in the left-side navigation, click Sites
  2. Locate and select the desired site.
    • This action will refresh the portal. 
  3. In the left-side navigation, click Analytics
  4. Click the WAF tab. 
  5. Under Web Application Firewall Requests, mark DDoS L7 - Blocked to display DDoS data in the graph. 
Was this article helpful?

Related articles

Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Contact Us