What is a Web Application Firewall (WAF)?

A Web Application Firewall, commonly abbreviated to WAF, sits in front of a web application and inspects the HTTP and HTTPS traffic exchanged between users and the application. Each request (and, depending on the product, each response) is compared against a set of rules, and anything that matches a known attack pattern or violates the configured policy is blocked, logged or challenged before it reaches the application. Because the rules can be tuned to your own application, a WAF can be adapted as new attack techniques appear, which matters given the pace at which web attacks evolve and the rising frequency of breaches. It is best thought of as one layer of defence in front of the application, not a substitute for fixing the vulnerabilities it shields.

What sets a WAF apart from a conventional network firewall is that it works at the application layer: it understands HTTP requests, parameters, headers and cookies, so it can detect attacks that are invisible to a device that only filters on addresses and ports. For companies offering customer-facing services such as eCommerce or online banking, this makes a WAF an important safeguard for customer information. Sensitive data such as email addresses, phone numbers and bank details lives in databases that are reachable through the web application, and attackers who obtain it go on to use it for spam, phishing and fraud against the affected users. Deploying a WAF is also one of the recognised ways of meeting the PCI DSS requirement to protect public-facing web applications, which any business that handles card payments must satisfy.

Although a WAF does not protect against every conceivable attack, it is a strong and flexible control designed to stop some of the most common and effective web attacks, several of which appear in the OWASP Top 10. These include the following:

  • SQL Injection: Involves injecting an SQL query or command through a form field or URL parameter so that it is executed by the backend database, giving the attacker unauthorised access to its contents. Once this method has been used, the attacker
  • DDoS (Distributed Denial of Service): DDoS attacks overload a server with more traffic than it can process. This typically results in a crash and a loss of service for the website, potentially incurring a huge financial loss as well as leaving the systems in a vulnerable state for follow-up attacks. Note that a WAF can only absorb floods aimed at the application itself (HTTP floods); volumetric floods that saturate the network link have to be stopped upstream, for example by a CDN or a scrubbing service.
  • Cross-site scripting (XSS): An attacker injects JavaScript or HTML into a page served by a trusted site, for example through an unescaped comment field or URL parameter, so that the code runs in other users' browsers with that site's privileges, typically to steal session cookies or perform actions as the victim.
  • Zero-day threats: Zero-day vulnerabilities are flaws that are being exploited before the vendor has released a patch. Because WAF rules can be added as soon as an exploit pattern is known, a WAF can 'virtually patch' the application and buy time until the real fix is deployed. New releases of the software stack can also introduce fresh flaws, so this window never fully closes.
  • Cookie Poisoning: The attacker modifies a cookie before it is sent back to the server, for example changing a user ID or role stored in it. If the server trusts the cookie's contents, the 'poisoned' cookie can be used to alter or delete data or read another user's information. A WAF can flag cookies that fail validation, but the underlying fix is for the server to sign or encrypt anything it stores in a cookie.
  • Web Scraping: Automated extraction of a site's content, such as product catalogues or prices, by bots, typically to republish it elsewhere or to undercut the site commercially.
  • Parameter Tampering: Manipulating the data a browser sends to the server, such as hidden form fields, query strings or cookie values, to change information the site relies on, for example the price of an item in a basket.
  • Buffer overflow: Sending more data to a fixed-size buffer than it can hold, so that the excess overwrites adjacent memory. Depending on what is overwritten, this crashes the process, corrupts data or lets the attacker run code of their choosing. A WAF mitigates it at the HTTP layer by rejecting oversized headers, parameters and bodies.

Types of WAF

  • Blacklist WAF: A blacklist WAF uses a negative security model: it allows most traffic and denies only requests that match specifically known threats. This works up to a point, but the list of known threats quickly becomes outdated as new exploits are discovered, and a novel payload that matches no signature passes straight through.
  • Whitelist WAF: A whitelist WAF uses a positive security model: it allows only requests that match a definition of what the application expects (known endpoints, declared parameters, permitted types, lengths and character sets) and denies everything else. This is a much stronger configuration, but it needs more maintenance, since every legitimate change to the application must be reflected in the allow list or the WAF will start blocking real users.
  • Hybrid WAF: A hybrid WAF combines both models, using signatures to drop known attacks and a positive model where the application's behaviour is well understood, to offer a 'best of both' solution. This is the most common form of WAF available.
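The difference between the two models is easiest to see in code. The following is an added illustration written for this article, not CloudFence's product or any real WAF engine; the signatures, the parameter schema for a hypothetical /search endpoint and the sample requests are all constructed. It runs a handful of requests through a tiny blacklist filter and a tiny whitelist filter side by side:

```python
"""Toy request filter contrasting a blacklist (negative) and a whitelist
(positive) security model.

Added illustration, not CloudFence's product: the signatures, the parameter
schema and the sample requests are all constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class Request:
    path: str
    params: dict  # decoded query/form parameters as {name: value}


# Negative model: deny anything matching a known-bad pattern. Kept tiny on
# purpose; real signature sets have thousands of entries and are still
# incomplete, which is the weakness the text describes.
BLACKLIST = [
    re.compile(r"(?i)\bunion\b.*\bselect\b"),   # UNION-based SQL injection
    re.compile(r"(?i)'\s*or\s*'1'\s*=\s*'1"),      # tautology SQL injection
    re.compile(r"(?i)<script\b"),                  # reflected XSS probe
]


def blacklist_verdict(req: Request) -> str:
    for value in req.params.values():
        if any(sig.search(value) for sig in BLACKLIST):
            return "block"
    return "allow"


# Positive model: allow only what the application is known to accept. Every
# endpoint and parameter must be declared, with a pattern bounding its
# characters and length; anything undeclared is rejected.
SCHEMA = {
    "/search": {
        "q":    re.compile(r"[\w\s\-]{1,64}"),
        "page": re.compile(r"\d{1,3}"),
    },
}


def whitelist_verdict(req: Request) -> str:
    rules = SCHEMA.get(req.path)
    if rules is None:
        return "block"                       # unknown endpoint
    for name, value in req.params.items():
        pattern = rules.get(name)
        if pattern is None or not pattern.fullmatch(value):
            return "block"                   # undeclared parameter or bad value
    return "allow"


# Constructed sample traffic.
SAMPLES = {
    "benign":      Request("/search", {"q": "winter boots", "page": "2"}),
    "sqli_known":  Request("/search", {"q": "x' UNION SELECT user,pass FROM users--"}),
    "sqli_novel":  Request("/search", {"q": "x';WAITFOR DELAY '0:0:5'--"}),  # no signature for it
    "new_feature": Request("/search", {"q": "boots", "sort": "price"}),    # legitimate, undeclared
}


def compare(samples=SAMPLES) -> dict:
    """Return {sample name: (blacklist verdict, whitelist verdict)}."""
    return {name: (blacklist_verdict(r), whitelist_verdict(r))
            for name, r in samples.items()}


if __name__ == "__main__":
    for name, (neg, pos) in compare().items():
        print(f"{name:12s} blacklist={neg:6s} whitelist={pos}")
```

Running it shows the trade-off described above: the known UNION-based injection is blocked by both models, the time-based injection that matches no signature sails through the blacklist but fails the whitelist, and a legitimate request using a newly added sort parameter is blocked by the whitelist until the schema is updated. That last row is the maintenance burden of the positive model.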

When building and maintaining a business in a rapidly evolving environment like the internet, staying one step ahead of emerging threats is a significant challenge. With new methods of forcing access and stealing information constantly appearing, the ability to adapt to these threats is a necessity. Although advances in technology continually give criminals improved methods of attack, they have also produced many defensive options, such as the WAF, that you can use to shield your applications.

Looking for a cost-effective Web Application Firewall (WAF)?

CloudFence offers a market-leading WAF to protect your site from malicious attacks.


What Is a CDN And Why Should You Be Using One?

At its core a CDN, or Content Delivery Network, does exactly what its name suggests: it provides an efficient way of distributing web content to users across the globe. Information transfer is not instantaneous. If a user in Europe connects to a web server in America, every round trip crosses the Atlantic, and the accumulated latency makes pages load noticeably slowly.

To combat this, a CDN uses a global network of edge servers (often called 'points of presence' or PoPs) that hold cached copies of popular content fetched from the origin server. Users connect to the edge that is closest to them, so content arrives much faster. Because the edge server answers on behalf of the origin, it is acting as a reverse proxy: it terminates the user's connection, serves what it has cached, and forwards to the origin only what it must, which also spreads the load generated by user traffic across the network.

The Benefits of Using a CDN

Speed

One of the biggest assets a CDN provides is speed, which feeds directly into user experience. Over time, users' expectations of website speed have risen. High latency, slow loading and unresponsive pages increase bounce rates and disengage customers, and for an eCommerce business that translates into lost sales. Delivering a rapid, responsive platform can be a deciding factor in a website's success. A CDN takes the user's geographical location into account and serves a cached copy of the site from the edge server closest to them, i.e. the one that can deliver the content in the shortest time. This can cut load times significantly and gives every customer the same responsive site regardless of location.

Security

From a business standpoint, security and threat mitigation are arguably the most important benefits of a properly deployed CDN. A DDoS (Distributed Denial of Service) attack is one of the most common ways of disrupting a web service, and it can be catastrophic for a business of any size. It involves an attacker sending a web server more traffic than it can accommodate, degrading performance or crashing it outright, the latter causing a total loss of service. The traffic is usually generated by a network of 'bots', compromised computers and devices that the attacker controls remotely.

Storing web content on a single server gives an attacker a very obvious focal point and makes that server a single point of failure. If a DDoS attack on it succeeds, all services are unavailable to genuine users until the server can be brought back online, often hours later.

When using a CDN, however, you have an array of servers at your disposal to handle user requests on behalf of the origin server, which spreads attack traffic so that no single server is overwhelmed. If one edge server is singled out and taken offline, the rest of the network continues to serve content as normal. This only holds if the origin itself is not reachable directly: the origin should accept connections only from the CDN's published address ranges, otherwise an attacker who discovers its IP address can bypass the CDN entirely.

When integrated with a WAF (Web Application Firewall), these edge servers can distinguish genuine user traffic from the opening moves of an attack, including the bogus requests sent during an application-layer DDoS. Detecting those early warning signs is often the best way to limit damage. Routing all traffic through WAF-protected edges turns them into checkpoints that vet inbound requests (and, where configured, outbound responses) and alert you to suspicious activity.
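The "only reachable through the CDN" requirement has a concrete consequence at the origin: it must refuse connections that do not come from the CDN, and it must not trust the X-Forwarded-For header from anyone else, or an attacker can both bypass the WAF and forge the client address used in logs and rate limits. The following added example (not HTTPShield's or CloudFence's code) shows the check in Python; the edge address ranges are hypothetical documentation prefixes and the requests are constructed:

```python
"""Origin-side admission check for an origin that sits behind a CDN/WAF.

Added example, not HTTPShield's or CloudFence's code. The edge address
ranges and the sample requests are constructed placeholders; a real
deployment loads the CDN's published ranges and refreshes them regularly.
"""
import ipaddress

# Hypothetical CDN edge ranges (documentation prefixes, not a real CDN's).
EDGE_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:cd::/48")]


def is_edge(peer_ip: str) -> bool:
    """True if the TCP peer address belongs to one of the CDN's edge ranges."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in EDGE_RANGES)


def resolve_client(peer_ip: str, headers: dict) -> tuple:
    """Return ("accept", client_ip) or ("reject", peer_ip).

    peer_ip is the address of the TCP connection. X-Forwarded-For is set by
    whoever sends the request, so it is only trusted when the peer is an
    edge, and then only the address the edge appended (the rightmost entry);
    a client can put anything it likes in the leftmost positions.
    """
    if not is_edge(peer_ip):
        # A direct connection bypasses the CDN and the WAF in front of it.
        return ("reject", peer_ip)
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    if not hops:
        return ("reject", peer_ip)        # an edge always appends the client address
    try:
        client = str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        return ("reject", peer_ip)        # malformed header, do not guess
    return ("accept", client)


# Constructed requests: (label, peer address, headers as seen by the origin).
SAMPLE_REQUESTS = [
    ("via_edge",         "203.0.113.10",   {"X-Forwarded-For": "198.51.100.7"}),
    ("forged_then_edge", "203.0.113.10",   {"X-Forwarded-For": "10.0.0.1, 198.51.100.7"}),
    ("direct_bypass",    "198.51.100.7",   {"X-Forwarded-For": "203.0.113.5"}),
    ("edge_no_header",   "203.0.113.10",   {}),
    ("via_edge_v6",      "2001:db8:cd::1", {"X-Forwarded-For": "2001:db8:1::9"}),
]


def run_samples(samples=SAMPLE_REQUESTS) -> dict:
    """Return {label: (decision, client_ip)} for every constructed request."""
    return {label: resolve_client(peer, hdrs) for label, peer, hdrs in samples}


if __name__ == "__main__":
    for label, (decision, ip) in run_samples().items():
        print(f"{label:16s} {decision:7s} client={ip}")
```

In practice this check belongs in the origin's network firewall or load balancer first, so that bypass attempts are dropped before they consume application resources; the code above is the application-level backstop. The trusted-hop logic assumes exactly one proxy layer between client and origin; with more, walk the header from the right, trusting one hop per known proxy.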

Availability

Whatever sector your website serves, keeping content accessible even during periods of very high traffic is essential. In eCommerce in particular, events like Christmas or Black Friday produce sudden, hard-to-predict spikes in traffic. Without a CDN, all of that traffic is funnelled directly into the origin server, putting it under significant strain as it tries to process every request. The typical outcome is an overwhelmed server, a costly loss of service and lost sales while you try to bring it back online.

With a CDN, each request is handled by the edge server nearest to the user, so the load is spread across the network rather than concentrated on one machine. This keeps any single server from being exposed to the full volume of traffic and keeps the site accessible. If enough traffic reaches one edge server to disrupt it, the others pick up the slack and content delivery stays consistent. Because cached responses never reach the origin at all, a CDN also reduces the capacity the origin must be provisioned for, which lowers its running costs.

Types of CDN

There are two main types of CDN that have different functionality when it comes to distributing online content around the world.

  • Push: A push CDN requires content to be uploaded explicitly to the edge servers before users can fetch it from them. This gives you full control over what is distributed and when, which suits large, rarely changing files, but it becomes increasingly time-consuming as you update content regularly, especially as your user base grows and demand for content becomes more frequent and varied.
  • Pull: A pull CDN fetches content from the origin on demand: the first request for an item at an edge is a cache miss that is forwarded to the origin, and the edge keeps the response for as long as its cache headers allow, so the most-viewed content ends up cached where it is needed. This automatic behaviour needs far less input than a push CDN, but it takes control of exactly what is cached, and where, away from the administrator and hands it to the origin's cache headers.
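To make the pull model concrete, here is an added simulation (not HTTPShield's code) of one edge server in front of an origin. The origin, its Cache-Control headers and the visitor sequence are constructed. It shows the edge filling its cache on the first request, honouring max-age, refusing to cache a private per-user page, and the share of traffic that never reaches the origin:

```python
"""Simulation of a pull CDN edge in front of an origin.

Added example, not HTTPShield's code; the origin's content, its
Cache-Control headers and the request sequence are constructed. It shows
how a pull CDN populates its cache on first request, how Cache-Control
decides what an edge may keep and for how long, and how much traffic the
origin is spared.
"""
import re
import time


class Origin:
    """Stand-in for the origin server; counts the requests that reach it."""

    def __init__(self):
        self.hits = 0
        self.content = {
            "/logo.png":   ("<png bytes>", "public, max-age=3600"),
            "/index.html": ("<html>...</html>", "public, max-age=10"),
            "/account":    ("balance: 12.34", "private, no-store"),  # per-user, never cache
        }

    def fetch(self, path):
        self.hits += 1
        return self.content.get(path, ("not found", "no-store"))


def cache_ttl(cache_control):
    """Seconds a shared cache may reuse the response, or None if it must not."""
    directives = [d.strip().lower() for d in cache_control.split(",")]
    if "no-store" in directives or "private" in directives:
        return None
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            return int(m.group(1))
    return None  # no explicit freshness lifetime: be conservative and do not cache


class Edge:
    """A single PoP: serves from cache while fresh, otherwise pulls from origin."""

    def __init__(self, origin, clock=time.monotonic):
        self.origin = origin
        self.clock = clock
        self.store = {}  # path -> (body, expires_at)

    def get(self, path):
        now = self.clock()
        cached = self.store.get(path)
        if cached is not None and cached[1] > now:
            return cached[0], "HIT"
        body, cc = self.origin.fetch(path)
        ttl = cache_ttl(cc)
        if ttl is not None:
            self.store[path] = (body, now + ttl)
        return body, "MISS"


def simulate():
    """Replay 60 visitors, one per second, each fetching three resources.

    Uses an integer fake clock so the result is deterministic.
    """
    now = [0]
    origin = Origin()
    edge = Edge(origin, clock=lambda: now[0])
    counts = {"HIT": 0, "MISS": 0}
    for second in range(1, 61):
        now[0] = second
        for path in ("/logo.png", "/index.html", "/account"):
            _, status = edge.get(path)
            counts[status] += 1
    return {"origin_hits": origin.hits, **counts}


if __name__ == "__main__":
    print(simulate())
```

In the run, 180 edge requests produce 67 origin fetches: one for the logo for the whole minute, six for the index page whose 10-second max-age expires five times, and sixty for the uncacheable account page. The private page is the point to note: what a pull CDN caches is governed by the origin's headers, so a missing or wrong Cache-Control on a per-user response is how one user's data ends up served to another.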

Summary

As online businesses continue to grow and user bases expand internationally, offering a streamlined experience and secure content delivery to all users should be a goal for any online business owner. The shift from brick-and-mortar stores to eCommerce has also increased the sheer number of users navigating the web every day. Properly using a CDN is a strong way to ensure you are prepared for this growing level of traffic and that content delivery remains consistent by removing the risk of an overloaded origin server.

Discover The HTTPShield CDN

Looking for a fast, global CDN network? See how HTTPShield can help.


What is a DDoS attack and how can it be prevented?

With greater volumes of information being stored and transferred online, keeping data protected and inaccessible to malicious users is a rising concern for business owners. In the evolving realm of technology where new, destructive hacking methods are being discovered daily, recognising and preempting threats can often be the key to protecting your business. Although there are many ways for hackers to disrupt online services and steal information, arguably the most devastating method is to orchestrate a DDoS attack.

What Is a DDoS Attack?

As a concept, a DDoS, or Distributed Denial of Service, attack is exceedingly simple, though the scale of individual attacks varies enormously. A successful DDoS floods a server or network with more traffic than it can process, resulting in slow load times or a complete loss of service for genuine users. The traffic can take many forms: half-open connection attempts, junk packets that consume bandwidth, or seemingly valid HTTP requests sent faster than the application can answer them.

The main way to carry out a DDoS attack is with a 'botnet', a network of computers and devices ('bots') that have been infected with malware and can be controlled remotely. Once a botnet has been assembled, it can be directed to flood a victim server with requests simultaneously, putting it under significant strain and potentially crashing it. Depending on the server architecture and how the infrastructure is configured, recovering from a DDoS attack can take hours or even days.

DDoS Attack Variations

Although all DDoS attacks share the same concept, there are three primary categories, each targeting a different layer of the network stack. Knowing them and where they strike helps in making sure your own system is protected at each layer.

  • Volumetric Attacks: The most common type, these attacks aim to exhaust the network bandwidth of the target. A prime example is a DNS amplification attack, which abuses open DNS resolvers. The attacker sends many small DNS queries whose source address is spoofed to the victim's IP address, choosing queries whose answers are much larger than the request. Each resolver then sends its large response to the victim instead of the attacker, so the victim's link is flooded with DNS responses it never asked for, consuming bandwidth until the web server and every service behind the same link become unreachable. Because the flood saturates the link before it reaches the web server, mitigation has to happen upstream, at the network provider or a CDN or scrubbing service with more bandwidth than the attacker.
  • Protocol Attacks: A protocol attack abuses the way a server implements a network protocol to exhaust its resources. A prime example is a SYN flood, which targets the TCP three-way handshake. Normally a client sends a SYN (synchronise) segment, the server replies with SYN-ACK, and the client completes the connection with an ACK. In a SYN flood, the attacker sends a high volume of SYNs, usually from spoofed source addresses, and never sends the final ACK. For each one the server allocates a half-open connection and waits for the ACK until a timeout expires, so the backlog of half-open connections fills up and genuine SYNs from real users are dropped. Modern operating systems mitigate this with SYN cookies, which let the server avoid keeping state until the handshake completes, but a large enough flood still has to be filtered upstream.
  • Application Layer Attacks: Attacks such as an HTTP flood send overwhelming numbers of HTTP requests directly to the web application, often targeting expensive pages such as search or login. Each request is a valid, fully established HTTP request, so the attacker needs far less bandwidth than for a volumetric attack, while the server burns CPU, database and memory on every one until it saturates and can no longer serve genuine users. These attacks are harder to detect because each request looks legitimate in isolation; they are best countered by a filter that understands HTTP, such as a WAF, which can rate-limit or challenge sources whose request patterns no human browser would produce.
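Application-layer floods are detected by looking at request patterns per source rather than at individual requests. The following added example (not HTTPShield's or CloudFence's detection logic) parses access-log lines in the common log format and counts requests per client IP in a sliding window; the log lines are constructed, with five ordinary visitors and one source sending 20 requests a second:

```python
"""Application-layer flood detection over web-server access logs.

Added example, not HTTPShield's or CloudFence's product: the log lines are
constructed. Requests are counted per client address inside a sliding
window and sources exceeding a rate no human browser would reach are
reported with their peak count.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """Parse a common-log-format line into (ip, timestamp, request line), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def detect_floods(lines, window=10, threshold=50):
    """Return {ip: peak requests seen within `window` seconds} for IPs over threshold.

    Lines must be in chronological order per source address.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue                # unparseable line: skip, do not crash the detector
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()             # drop requests that have aged out of the window
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


# Constructed log: five visitors browsing slowly, one source hammering /login.
BASE = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def log_line(ip, offset_s, req="GET /login HTTP/1.1", status=200):
    ts = (BASE + timedelta(seconds=offset_s)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "{req}" {status} 512'


def constructed_log():
    lines = []
    for n in range(5):                                   # ordinary visitors
        for k in range(8):                               # 8 requests, 5 s apart
            lines.append(log_line(f"192.0.2.{10 + n}", 5 * k, "GET /products HTTP/1.1"))
    for second in range(15):                             # flooding source
        for _ in range(20):                              # 20 requests per second
            lines.append(log_line("198.51.100.23", second))
    lines.sort(key=lambda line: parse(line)[1])          # stable sort keeps per-IP order
    return lines


if __name__ == "__main__":
    for ip, peak in detect_floods(constructed_log()).items():
        print(f"flood from {ip}: peak {peak} requests in a 10 s window")
```

The flooding address peaks at 220 requests inside a 10-second window while the ordinary visitors never exceed three, so a threshold of 50 separates them cleanly. A WAF would follow such a verdict with a rate limit, a challenge or a block on that source. The limitation is equally important: a botnet spreads the same flood over thousands of addresses, each staying under any per-IP threshold, so per-source counting has to be combined with per-URL rates, header anomalies and challenge responses.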

Goals Of a DDoS Attack

Unlike more targeted techniques such as SQL injection or cross-site scripting, whose goal is to reach unauthorised information, the blunt objective of a DDoS attack is to take a site or service down and render it inaccessible. Although the benefit to the attacker may not be immediately apparent, there are several ways this kind of brute-force attack is used maliciously.

When a website falls to a DDoS attack, the downtime brings significant financial penalties, both from lost business and from the cost of getting the targeted server back online. Customers are also far less likely to entrust their personal information to a site with a reputation for being vulnerable, and often take their business elsewhere. Attackers are well aware of these costs, and some attempt extortion before launching an attack, demanding payment not to take the site down or to stop an attack already under way.

A DDoS attack can also be used in conjunction with a more calculated attack. When a DDoS hits, the operations team has to act quickly to limit damage and reduce downtime. Taking advantage of that pressure and of the noise it generates in logs and alerts, the attacker can mount a quieter attack on the system at the same time, using the DDoS as a diversion. The goal of this secondary breach might be to access sensitive data or to install malware for later use.

Preparation And Prevention

Like everything in the digital world, DDoS techniques are constantly changing. Although they pose a significant threat to online businesses, with the right protection and preparation you can blunt an attack and detect the early signs before significant damage is done.

The first step is to ensure that every server handling user traffic sits behind a WAF. A WAF, or Web Application Firewall, filters the requests sent from users to a web server and can mitigate an application-layer DDoS by identifying and blocking HTTP requests from illegitimate sources such as bots. It is one of the few controls capable of detecting a DDoS aimed directly at the web application itself. Bot traffic tends to carry tell-tale signs: request rates no human browser would sustain, missing or inconsistent headers, and failure to pass a JavaScript or CAPTCHA challenge. A WAF uses these to rate-limit or block the offending sources, and because its rules can be updated as attacks evolve, it remains a flexible defence. It cannot, however, help against a volumetric flood that saturates the network link before traffic reaches it; that needs upstream capacity.

Using a global CDN (Content Delivery Network) to distribute your content can significantly reduce the impact of a DDoS attack. A CDN uses a network of strategically placed edge servers to serve content to users on behalf of the origin server. This delivers content faster and greatly reduces the load on the origin. Combined with a WAF, the edge servers act as an early-detection layer, identifying illegitimate traffic before it has a chance to reach the origin. And because a DDoS relies on saturating a single target, spreading delivery across many edge servers, each with its own bandwidth, prevents any one of them from being overwhelmed by traffic, legitimate or otherwise. The result is a more stable service in general and no single focal point for an attacker to aim at, provided the origin only accepts traffic from the CDN.

Need Urgent Protection Against a DDoS Attack?

HostGuard from HTTPShield provides complete DDoS protection. Prevent downtime with our market-leading DDoS mitigation.
