A Web Application Firewall (WAF) is an application firewall for HTTP applications. A WAF applies sets of rules and performs behavioral analysis to block malicious traffic before it reaches your origin server.
The WAF covers known vulnerabilities, such as the OWASP Top 10, and other common CMS-specific vulnerabilities.
StackPath's WAF is built as a unique 2-tier SaaS.
The first tier is a cloud-based Central Security Cloud that analyzes traffic for:
- Behavioral profiling
- Inconsistency detection
- Reputation recognition
The second tier is edge nodes that enforce security policies and deliver services distributed by the cloud.
StackPath offers 2 types of WAF, Standard and Enterprise. At a high level, with Enterprise WAF, you can work with Support to:
- Create custom rules
  - Standard WAF users can create custom rules for an additional charge.
- Create custom headers
- Create custom sanction screens
- Update DDoS settings
Cyber-criminals use automation to carry out attacks on web applications for several reasons. Automation tools:
- Enable the attacker to hit more applications and exploit more vulnerabilities than manual methods.
- Are available online and save the attacker the time otherwise spent studying attack methods and developing exploits for the vulnerabilities in an application.
- Are optimized to use resources more efficiently.
The StackPath WAF behavioral analysis blocks any non-human traffic. Advanced user behavioral analysis blocks automated scanners, bots, and other automated tools from accessing your application, while known bots, such as known search engines, are allowed.
StackPath allows you to blacklist traffic that originates from well-known IP addresses. StackPath's Central Security Cloud constantly collects, updates, and validates these IP addresses using multiple sources. These IP addresses are blacklisted and published to all StackPath Service Nodes. With this information, you can decide to block, challenge, or allow traffic from highly suspect entities.
DDoS L7 Protection
Only Enterprise WAF users can see their DDoS L7 protection settings. Additionally, to update these settings, Enterprise WAF users must contact Support.
The StackPath WAF offers protection against Application Layer (Layer 7) DDoS. Layer 7 attacks are often performed in bursts and are not always volumetric in nature.
This protection is always active, even if the WAF is in Monitor mode.
The WAF uses multiple techniques to detect and mitigate incoming attacks. The DDoS mode will activate if any of the following 3 conditions are met:
This mechanism identifies DDoS attacks whose traffic pattern consists of a slow rise in traffic over a period of time.
If the customizable threshold value is met AND the current number of requests is at least two times (2X) the number in the previous 10-second window, then the DDoS mode will activate.
This mechanism identifies sudden bursts in traffic.
If the customizable threshold value is met AND the number of requests is at least five times (5X) the number in the last 2-second interval, then the DDoS mode will activate.
Sub second threshold
This threshold protects WAF servers against attacks from traffic bursts.
When this threshold is reached, the DDoS mode will activate on the affected WAF server (not the WAF cluster).
When DDoS mode is activated:
- The mode will be active for a minimum duration of 10 minutes and then for the duration of the rest of the attack.
- Any automated layer traffic will be blocked.
  - This action will not take place against large search engines (Google, Bing, etc.).
- StackPath's bot-detection technology will block bots that:
  - Share IP addresses with human users
  - Frequently change their IP addresses
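An added example (not StackPath's code) that replays constructed per-second request counts against the two ratio conditions described above, showing that each condition needs both its threshold and its multiplier before DDoS mode starts. The class and function names, the threshold values, the reading of "current" as the newest window of equal length, and the re-arming of the 10-minute minimum are assumptions; the sub second threshold is not modelled because the page gives no condition for it.

```python
from collections import deque

MIN_HOLD_S = 600  # page: DDoS mode lasts at least 10 minutes


class L7Detector:
    """Slow-rise and burst conditions evaluated on per-second request counts."""

    def __init__(self, rise_threshold, burst_threshold):
        self.rise_threshold = rise_threshold    # assumed unit: requests per 10 s
        self.burst_threshold = burst_threshold  # assumed unit: requests per 2 s
        self.counts = deque(maxlen=20)          # two adjacent 10 s windows
        self.active_until = -1

    def _windows(self, size):
        """(current, previous) totals of two adjacent windows, or None if too little data."""
        if len(self.counts) < 2 * size:
            return None
        c = list(self.counts)
        return sum(c[-size:]), sum(c[-2 * size:-size])

    def observe(self, t, requests):
        """Record the count for second t and return the conditions that fired."""
        self.counts.append(requests)
        fired = set()
        rise, burst = self._windows(10), self._windows(2)
        if rise and rise[0] >= self.rise_threshold and rise[0] >= 2 * rise[1]:
            fired.add("slow_rise")
        if burst and burst[0] >= self.burst_threshold and burst[0] >= 5 * burst[1]:
            fired.add("burst")
        if fired:  # assumption: every new trigger re-arms the 10-minute minimum
            self.active_until = max(self.active_until, t + MIN_HOLD_S)
        return fired

    def ddos_mode(self, t):
        """True while second t falls inside the DDoS-mode hold period."""
        return t < self.active_until


def replay(series, rise_threshold=3000, burst_threshold=1000):
    """Replay counts; return ({condition: first second it fired}, detector)."""
    det, first = L7Detector(rise_threshold, burst_threshold), {}
    for t, n in enumerate(series):
        for name in det.observe(t, n):
            first.setdefault(name, t)
    return first, det


# Constructed per-second request counts, not real traffic.
BURST = [100] * 20 + [600, 600]
SLOW_RISE = [100] * 10 + list(range(150, 601, 50))
QUIET = [3] * 10 + [9] * 10  # triples, but stays below both thresholds
```

With the assumed thresholds, `QUIET` triples its traffic without activating anything, which is why a ratio alone would produce false positives on low-traffic sites.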
View DDoS statistics
- In the StackPath Control Portal, in the left-side navigation, click Sites.
- Locate and select the desired site.
  - This action will refresh the portal.
- In the left-side navigation, click Analytics.
- Click the WAF tab.
- Under Web Application Firewall Requests, mark DDoS L7 - Blocked to display DDoS data in the graph.