Nemesida WAF can automatically counter brute force, flood and DDoS attacks.

Setup

Nemesida WAF Cabinet allows you to configure, through the web interface, the Nemesida WAF parameters that protect the web application. To activate the functionality, perform the following actions:

1. Complete the minimal setup on the servers where the Nemesida WAF modules are installed;

2. Set the condition for automatically blocking the IP address of the request source;

3. Activate the functionality by adding the necessary parameters:

  • The time interval of the segment (window) during which the query analysis is performed;
  • URLs for which the brute force attack detection mechanism will be activated;
  • URLs for which the flood detection mechanism will be activated;
  • The number of requests within the window; when this value is reached, the analysis mechanism starts.

When filling in fields that require entering an IP/URL address or a virtual host, each new entry is added separately.

When activating the mechanism for detecting brute force and flood attacks, using values that do not specify the URL of a particular resource (for example, example.com or example.com/) is prohibited, in order to ensure the correct operation of the option.
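The script below is an added illustration of the window and threshold settings described in the steps above; it is example code written for this page, not Nemesida WAF's own detection logic. It parses constructed access-log lines (a constructed format with the virtual host prepended to a standard access-log line), counts requests per client IP and URL inside a sliding window, and flags the client as a brute force or flood source once the count reaches the threshold. The window of 60 seconds, the threshold of 5 requests, the URL lists and the sample log lines are all constructed for the example; requests to a URL without a resource path (example.com/) are left out of the analysis, matching the note above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed settings standing in for the Cabinet parameters (not product defaults).
WINDOW_SECONDS = 60                              # window during which requests are analysed
REQUEST_THRESHOLD = 5                            # request count in the window that triggers blocking
BRUTE_FORCE_URLS = {"example.com/login.php"}     # URLs with brute force detection enabled
FLOOD_URLS = {"example.com/search"}              # URLs with flood detection enabled

# Constructed log format: "<host> <ip> - - [<time>] "<method> <path> <proto>" <status> <bytes>"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) - - \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)


def parse_line(line):
    """Return (timestamp, ip, host+path) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    path = m["path"].split("?", 1)[0]            # ignore the query string when matching URLs
    return ts, m["ip"], m["host"] + path


class WindowDetector:
    """Sliding-window request counter per (client IP, URL); illustrative only."""

    def __init__(self, window=WINDOW_SECONDS, threshold=REQUEST_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.hits = defaultdict(deque)           # (ip, url) -> timestamps inside the window
        self.blocked = {}                        # ip -> reason

    def observe(self, ts, ip, url):
        """Record one request; return the block reason if the client is (now) flagged."""
        if ip in self.blocked:
            return self.blocked[ip]
        if url in BRUTE_FORCE_URLS:
            kind = "brute force"
        elif url in FLOOD_URLS:
            kind = "flood"
        else:
            return None                          # URL is not under analysis
        q = self.hits[(ip, url)]
        q.append(ts)
        while q and ts - q[0] > self.window:     # drop requests that fell out of the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked[ip] = kind
            return kind
        return None


def analyse(log_text, window=WINDOW_SECONDS, threshold=REQUEST_THRESHOLD):
    """Run the detector over a log and return {ip: reason} for flagged clients."""
    det = WindowDetector(window, threshold)
    records = [r for r in (parse_line(l) for l in log_text.strip().splitlines()) if r]
    for ts, ip, url in sorted(records):          # process in chronological order
        det.observe(ts, ip, url)
    return dict(det.blocked)


# Constructed sample log (RFC 5737 documentation addresses):
#  203.0.113.7   - 5 login attempts in 22 s          -> brute force
#  198.51.100.77 - 5 search requests in 8 s          -> flood
#  198.51.100.5  - 5 login attempts 90 s apart       -> never 5 inside one window, not flagged
#  192.0.2.9     - requests to "/"                   -> URL not analysed
SAMPLE_LOG = """
example.com 203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /login.php HTTP/1.1" 401 512
example.com 198.51.100.5 - - [10/Oct/2023:13:55:38 +0000] "POST /login.php HTTP/1.1" 401 512
example.com 203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /login.php HTTP/1.1" 401 512
example.com 192.0.2.9 - - [10/Oct/2023:13:55:41 +0000] "GET / HTTP/1.1" 200 4096
example.com 203.0.113.7 - - [10/Oct/2023:13:55:45 +0000] "POST /login.php HTTP/1.1" 401 512
example.com 192.0.2.9 - - [10/Oct/2023:13:55:46 +0000] "GET / HTTP/1.1" 200 4096
example.com 203.0.113.7 - - [10/Oct/2023:13:55:50 +0000] "POST /login.php HTTP/1.1" 401 512
example.com 192.0.2.9 - - [10/Oct/2023:13:55:51 +0000] "GET / HTTP/1.1" 200 4096
example.com 203.0.113.7 - - [10/Oct/2023:13:55:58 +0000] "POST /login.php HTTP/1.1" 401 512
example.com 198.51.100.77 - - [10/Oct/2023:13:56:00 +0000] "GET /search?q=a HTTP/1.1" 200 900
example.com 198.51.100.77 - - [10/Oct/2023:13:56:02 +0000] "GET /search?q=b HTTP/1.1" 200 900
example.com 198.51.100.77 - - [10/Oct/2023:13:56:04 +0000] "GET /search?q=c HTTP/1.1" 200 900
example.com 198.51.100.77 - - [10/Oct/2023:13:56:06 +0000] "GET /search?q=d HTTP/1.1" 200 900
example.com 198.51.100.77 - - [10/Oct/2023:13:56:08 +0000] "GET /search?q=e HTTP/1.1" 200 900
example.com 198.51.100.5 - - [10/Oct/2023:13:57:10 +0000] "POST /login.php HTTP/1.1" 401 512
example.com 198.51.100.5 - - [10/Oct/2023:13:58:40 +0000] "POST /login.php HTTP/1.1" 401 512
example.com 198.51.100.5 - - [10/Oct/2023:14:00:10 +0000] "POST /login.php HTTP/1.1" 401 512
example.com 198.51.100.5 - - [10/Oct/2023:14:01:40 +0000] "POST /login.php HTTP/1.1" 401 512
"""

if __name__ == "__main__":
    for ip, reason in analyse(SAMPLE_LOG).items():
        print(f"{ip}: blocked ({reason})")
```

Raising the threshold to 6 with the same log flags nobody, which is the trade-off the window and threshold parameters express: a short window with a low threshold reacts faster but is easier to trip with legitimate traffic.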

Due to the nature of these attacks, it takes some time to identify them and block the source of the requests. If Nemesida AI MLC does not produce the desired result while an attack is already under way, the administrator can identify the signs of the attack independently, using the information in the Nemesida WAF Cabinet, and block the attack on that basis with the extended blocking rules functionality.

When creating blocking rules (for the duration of the attack), we recommend paying attention to the following signs:

  • requests coming from countries that are common sources of such attacks (for example: Thailand, India, China, Indonesia, Vietnam, etc.), but from which legitimate user requests are not expected;
  • signs of illegitimate requests: a suspicious User-Agent, the presence or absence of a certain Cookie value, etc.

Examples of rules

Blocking by country

The resulting rule blocks requests coming from countries from which visits to the site example.com are not expected:

Blocking by User-Agent

The resulting rule blocks requests that arrive with a suspicious value in the User-Agent header:

Blocking by X-Forwarded-For

The X-Forwarded-For header is added to requests when a proxy server is used to access the web application. The resulting rule blocks requests to the URL /login.php of the site example.com if X-Forwarded-For is present in the headers:
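As an added example of the three rule types described above (written for this page; it does not use Nemesida WAF's rule syntax or its rule engine), the Python code below expresses each rule as a predicate over a request record and evaluates constructed requests against them. The request records, the IP-to-country map that stands in for a GeoIP lookup, and the pattern used to define a "suspicious" User-Agent are all constructed for the example. Header names are compared case-insensitively, since a rule keyed on the exact spelling of X-Forwarded-For would miss a lowercase header.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Request:
    """Minimal request record; constructed for the example."""
    ip: str
    host: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str):
        # HTTP header names are case-insensitive, so normalise before comparing.
        wanted = name.lower()
        for key, value in self.headers.items():
            if key.lower() == wanted:
                return value
        return None


@dataclass
class Rule:
    name: str
    match: Callable[[Request], bool]


# Constructed IP -> country map (RFC 5737 addresses) standing in for a GeoIP database.
GEO = {"203.0.113.7": "TH", "198.51.100.5": "DE", "192.0.2.9": "VN"}


def country(ip: str) -> str:
    return GEO.get(ip, "??")


# Countries from the list above; the set is scoped to example.com in the rule itself.
BLOCKED_COUNTRIES = {"TH", "IN", "CN", "ID", "VN"}

# Constructed definition of a "suspicious" User-Agent: missing/empty, or a generic
# HTTP-library string where only browsers are expected. Tune to the real traffic.
SUSPICIOUS_UA = re.compile(r"^$|python-requests/")

RULES: List[Rule] = [
    Rule("block by country (example.com)",
         lambda r: r.host == "example.com" and country(r.ip) in BLOCKED_COUNTRIES),
    Rule("block by User-Agent",
         lambda r: SUSPICIOUS_UA.search(r.header("User-Agent") or "") is not None),
    Rule("block by X-Forwarded-For on /login.php",
         lambda r: r.host == "example.com" and r.path == "/login.php"
         and r.header("X-Forwarded-For") is not None),
]


def evaluate(req: Request) -> List[str]:
    """Return the names of all rules the request matches; an empty list means allow."""
    return [rule.name for rule in RULES if rule.match(req)]


# Constructed sample requests.
SAMPLE_REQUESTS = [
    Request("203.0.113.7", "example.com", "/", {"User-Agent": "Mozilla/5.0"}),            # TH -> country rule
    Request("198.51.100.5", "example.com", "/login.php",
            {"user-agent": "Mozilla/5.0", "x-forwarded-for": "10.0.0.1"}),                 # lowercase XFF -> XFF rule
    Request("198.51.100.5", "example.com", "/", {"User-Agent": "python-requests/2.31.0"}),  # UA rule
    Request("198.51.100.5", "example.com", "/", {"User-Agent": "Mozilla/5.0"}),            # allowed
    Request("203.0.113.7", "other.example.org", "/", {"User-Agent": "Mozilla/5.0"}),       # country rule is scoped to example.com
]


def decisions() -> List[List[str]]:
    """Evaluate every sample request; used by the stand-alone run below."""
    return [evaluate(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, matched in zip(SAMPLE_REQUESTS, decisions()):
        print(f"{req.ip} {req.host}{req.path}: {'BLOCK ' + ', '.join(matched) if matched else 'allow'}")
```

Note that the country and X-Forwarded-For rules are deliberately scoped to a host (and, for the latter, a URL), which mirrors the page's advice to create such rules for the period of the attack rather than as permanent global filters.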