Denial-of-Service (DoS) mitigation is best handled at the load balancer before the web application firewall (WAF), but in the event that you want to leverage the WAF to mitigate a DoS, there are a few options:
- DoS attacks that leverage special characters to try to get the website to behave in erratic ways will be blocked by default by our attack signatures.
- DoS attempts in which an attacker floods the WAF with requests from the same IP address can be mitigated with our DoS mitigation module, which limits the rate of new connections to a certain amount per time interval and temporarily blacklists an IP address that exceeds it.
- If DoS attempts contain malicious characters, attack source auto-blocking can be enabled: any IP address whose requests are blocked by the WAF a certain number of times within a set time frame is temporarily blocked.
- In the event that an attacker is frequently changing IP addresses while trying to deny service and sending only legitimate requests with no content that would flag our attack signatures, the WAF can leverage "HTTP Request & Connection throttling," which will not stop the attack from happening, but will be able to slow the responses down.
Note: Leveraging the WAF to mitigate a DoS depends on the deployment type and severity of the attack.
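The per-IP limit with a temporary block described in the list above can be modeled as a sliding-window counter. The Python sketch below is an added example, not the Alert Logic implementation; the class name, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class PerSourceLimiter:
    """Sliding-window counter per source IP with a temporary block list."""
    def __init__(self, limit, window_s, block_s):
        self.limit = limit        # events allowed per window (assumed value)
        self.window_s = window_s  # length of the counting window, seconds
        self.block_s = block_s    # how long an offending IP stays blocked
        self._events = defaultdict(deque)  # ip -> timestamps inside window
        self._blocked_until = {}           # ip -> expiry time of the block

    def is_blocked(self, ip, now):
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[ip]    # block expired, IP starts fresh
            return False
        return True

    def record(self, ip, now):
        """Count one event; return True if the event is allowed."""
        if self.is_blocked(ip, now):
            return False
        q = self._events[ip]
        while q and now - q[0] >= self.window_s:
            q.popleft()                    # drop events older than the window
        q.append(now)
        if len(q) > self.limit:
            self._blocked_until[ip] = now + self.block_s
            del self._events[ip]
            return False
        return True


def replay(events, limit, window_s, block_s):
    """Replay (time, ip) events; return the list of (time, ip) refused."""
    limiter = PerSourceLimiter(limit, window_s, block_s)
    return [(t, ip) for t, ip in events if not limiter.record(ip, t)]


# Constructed sample: one noisy source and one slow source (RFC 5737 addresses).
SAMPLE = [(0.0, "198.51.100.7"), (0.1, "198.51.100.7"), (0.2, "198.51.100.7"),
          (0.3, "198.51.100.7"), (0.5, "203.0.113.9"), (1.0, "198.51.100.7"),
          (6.0, "203.0.113.9"), (31.0, "198.51.100.7")]

if __name__ == "__main__":
    for t, ip in replay(SAMPLE, limit=3, window_s=10, block_s=30):
        print(f"t={t:>5}: refused {ip}")
```

Feeding the limiter new connections models the DoS mitigation module; feeding it only requests the WAF has already blocked models attack source auto-blocking. Events that each arrive from a different address are never refused, which is the case the last bullet leaves to throttling.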
In physical, virtual, Amazon Web Services (AWS) standalone or High Availability (HA), Microsoft Azure, and Google Cloud Platform deployments, the Alert Logic web application firewall has DoS mitigation features that, when enabled, can automatically block IPs exceeding configurable limits for a specified amount of time. Each website can also be configured to block source IPs for logged events or via manual blocking.
In AWS Auto-Scaling, the above options are disabled and only the AWS denial-of-service mitigation will be used. AWS standalone or HA customers can also choose to utilize the AWS denial-of-service mitigation.
| Physical / VMWare | AWS standalone or HA | Google Cloud Platform |