Countering DDoS/Brute-force/Flood attacks with Nemesida WAF | Nemesida WAF

Countering DDoS/Brute-force/Flood attacks with Nemesida WAF

Nemesida WAF allows to automatically deal with brute force, flood and DDoS attacks.

Setup

Nemesida WAF Cabinet allows you to configure Nemesida WAF parameters to protect the web application using the web interface. To activate the functionality, you need to perform the following actions:

1. Make the minimal settings on servers with Nemesida WAF modules installed;

2. Set the condition for automatically blocking the IP address of the request source:

3. Activate the functionality by adding the necessary parameters:

  • The time interval of the segment (window) during which the query analysis is performed;
  • URLs for which the brute force attack detection mechanism will be activated;
  • URLs for which the flood detection mechanism will be activated;
  • The number of requests within the window, when the value of which is reached, the analysis mechanism starts.

When filling in fields that require entering an IP/URL address or a virtual host, each new entry is added separately.

Due to the specifics of attacks, it takes some time to identify them and block the source of requests, and if Nemesida AI MLC does not show the desired result, and the attack is already happening, the administrator can independently identify signs of an attack using information from the Nemesida WAF Cabinet, and on their basis block attacks using extended blocking rules functionality.

When creating blocking rules (for the period of the attack), we recommend paying attention to the following signs:

  • requests coming from countries that are popular for such attacks (for example: Thailand, India, China, Indonesia, Vietnam, etc.), but from which legitimate user requests are not expected;
  • signs of illegitimate requests: suspicious User-Agent, presence/absence of a certain value Cookie, etc.

Examples of rules

Blocking by country

The compiled rule will block requests that come from countries from which appeals are not expected to the site example.com:

Blocking by User-Agent

The compiled rule will block requests that arrive with a suspicious value of the User-Agent header:

Blocking by X-Forwarder-For

The X-Forwarder-For header is added to requests if a proxy server is used when accessing the web application. The compiled rule will block requests coming to the URL /login.php of the site example.com, if X-Forwarder-For is present in the headers: