Through the Alert Logic Managed Web Application Firewall (WAF), Denial of Service (DoS) mitigation is possible; however, it is very limited and only effective on a WAF in an internet-facing zone (like a DMZ) that has direct access to the internet. This means that the WAF is the first entry point to the customer’s environment. Settings like blacklisting and DoS mitigation controls that work on the client IP are only effective when the WAF is terminating the original request as received from the internet. When the WAF is deployed behind a Layer 7 device that hides the client IP at the network layer, these settings should not be enabled.
With this in mind, DoS mitigation can only be done in physical or VMware virtual environments. This setting only applies to DoS and not the more common Distributed DoS (DDoS) where the attacking IP can change multiple times across requests. It is therefore recommended to have a DDoS device before reaching the WAF (at the Network level).
When behind a load balancer or internal to the network, the WAF can use other Layer 7-type blocks that operate at the application layer. These include:
- Attack source auto-blocking – Blocks based on deny logs number and criticality level
- Throttling – IP addresses are tracked and limited by number of requests
- Immediate Blacklisting – Same as Attack source autoblocking but this is for a single log seen
- Manual IP blacklisting – Add IP to blacklist
- Geo IP – Based on the geographical origin of the source
Note: The above “Attack source” and “Immediate Blacklisting” layer 7 blocks may block the load balancer IP since they use the socket connection (Network Interface link) for blocking, which can cause site availability issues. It is critical that the load balancer IP is whitelisted before enabling any of these settings to avoid outages.
For more information, refer to the Alert Logic Managed WAF Manual.