{"id":3909,"date":"2021-10-01T11:25:15","date_gmt":"2021-10-01T16:25:15","guid":{"rendered":"https:\/\/www.knownhost.com\/kb\/?p=3909"},"modified":"2022-01-28T06:34:02","modified_gmt":"2022-01-28T12:34:02","slug":"what-is-a-website-application-firewall","status":"publish","type":"post","link":"https:\/\/www.knownhost.com\/kb\/what-is-a-website-application-firewall\/","title":{"rendered":"What is a Website Application Firewall?"},"content":{"rendered":"<p>There are many different server environments out there that experience disruptions due to malicious attacks of varying natures. Above all, each of these applications can be susceptible to incidents such as &#8216;Layer 7&#8217; or &#8216;Application Layer DDoS&#8217; attacks. These attacks attempt to saturate network or server resources with traffic floods. A WAF (website application firewall) can help protect against these incidents.<\/p>\n\n\n\n<p>In this article, we go over the different methods you can use to protect your website against such incidents and briefly explain what the types of attacks are.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"what_is_an_website_application_firewall\"><\/span>What is a Website Application Firewall?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>A website application firewall creates a shield between the web application and the world wide web. It filters and monitors HTTP traffic from all incoming requests towards that application. 
It filters out things such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Bad traffic (such as bots, spam traffic, etc.)<\/li><li>File inclusions<\/li><li>Blacklisted IPs<\/li><li>Malicious injections<\/li><li>SQL injections<\/li><\/ul>\n\n\n\n<p>By having this in front of your application, you better protect your application from malicious actors.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"what_is_an_application_layer_ddos_attack\"><\/span>What is an Application Layer DDoS attack?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>These attacks are called application layer or layer 7 (L7) attacks because of the method used to attack. Whereas your typical DDoS attack may hit the network layer with things such as volumetric floods, application-level attacks focus on depriving the server of its resources to bring it down. This is usually done through methods such as HTTP floods.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"common_layer_7_attacks\"><\/span>Common Layer 7 Attacks<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The usual application-layer DDoS attack that you often see is <strong>HTTP Flooding<\/strong>. This is done by attacking the webserver directly. There are a few different types.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"1_general_http_floods\"><\/span>1. General HTTP Floods:<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>In this type of attack, the malicious actor sends HTTP requests (GET\/PUT) that the webserver would believe to be from a real user of your web application. Attacks of this type are easy to spot as they usually share the same range of IP addresses, user agents or referrers. 
These are used in tandem by flooding a specific resource repeatedly until the server stops responding.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>170.249.xxx.xxx - - &#91;01\/Oct\/2021:10:59:40 -0400] \"GET \/ HTTP\/1.1\" 200 890 \"-\" \"h2load nghttp2\/1.43.0\"\n170.249.xxx.xxx - - &#91;01\/Oct\/2021:10:59:40 -0400] \"GET \/ HTTP\/1.1\" 200 890 \"-\" \"h2load nghttp2\/1.43.0\"\n170.249.xxx.xxx - - &#91;01\/Oct\/2021:10:59:40 -0400] \"GET \/ HTTP\/1.1\" 200 890 \"-\" \"h2load nghttp2\/1.43.0\"\n170.249.xxx.xxx - - &#91;01\/Oct\/2021:10:59:40 -0400] \"GET \/ HTTP\/1.1\" 200 890 \"-\" \"h2load nghttp2\/1.43.0\"\n170.249.xxx.xxx - - &#91;01\/Oct\/2021:10:59:40 -0400] \"GET \/ HTTP\/1.1\" 200 890 \"-\" \"h2load nghttp2\/1.43.0\"\n170.249.xxx.xxx - - &#91;01\/Oct\/2021:10:59:40 -0400] \"GET \/ HTTP\/1.1\" 200 890 \"-\" \"h2load nghttp2\/1.43.0\"\n170.249.xxx.xxx - - &#91;01\/Oct\/2021:10:59:40 -0400] \"GET \/ HTTP\/1.1\" 200 890 \"-\" \"h2load nghttp2\/1.43.0\"\n170.249.xxx.xxx - - &#91;01\/Oct\/2021:10:59:40 -0400] \"GET \/ HTTP\/1.1\" 200 890 \"-\" \"h2load nghttp2\/1.43.0\"\n170.249.xxx.xxx - - &#91;01\/Oct\/2021:10:59:40 -0400] \"GET \/ HTTP\/1.1\" 200 890 \"-\" \"h2load nghttp2\/1.43.0\"\n170.249.xxx.xxx - - &#91;01\/Oct\/2021:10:59:40 -0400] \"GET \/ HTTP\/1.1\" 200 890 \"-\" \"h2load nghttp2\/1.43.0\"\n170.249.xxx.xxx - - &#91;01\/Oct\/2021:10:59:40 -0400] \"GET \/ HTTP\/1.1\" 200 890 \"-\" \"h2load nghttp2\/1.43.0\"\n170.249.xxx.xxx - - &#91;01\/Oct\/2021:10:59:40 -0400] \"GET \/ HTTP\/1.1\" 200 890 \"-\" \"h2load nghttp2\/1.43.0\"\n170.249.xxx.xxx - - &#91;01\/Oct\/2021:10:59:40 -0400] \"GET \/ HTTP\/1.1\" 200 890 \"-\" \"h2load nghttp2\/1.43.0\"\n170.249.xxx.xxx - - &#91;01\/Oct\/2021:10:59:40 -0400] \"GET \/ HTTP\/1.1\" 200 890 \"-\" \"h2load nghttp2\/1.43.0\"\n170.249.xxx.xxx - - &#91;01\/Oct\/2021:10:59:40 -0400] \"GET \/ HTTP\/1.1\" 200 890 \"-\" \"h2load nghttp2\/1.43.0\"\n170.249.xxx.xxx - - &#91;01\/Oct\/2021:10:59:40 -0400] \"GET \/ HTTP\/1.1\" 200 
890 \"-\" \"h2load nghttp2\/1.43.0\"\n170.249.xxx.xxx - - &#91;01\/Oct\/2021:10:59:40 -0400] \"GET \/ HTTP\/1.1\" 200 890 \"-\" \"h2load nghttp2\/1.43.0\"\n170.249.xxx.xxx - - &#91;01\/Oct\/2021:10:59:40 -0400] \"GET \/ HTTP\/1.1\" 200 890 \"-\" \"h2load nghttp2\/1.43.0\"\n170.249.xxx.xxx - - &#91;01\/Oct\/2021:10:59:40 -0400] \"GET \/ HTTP\/1.1\" 200 890 \"-\" \"h2load nghttp2\/1.43.0\"<\/code><\/pre>\n\n\n\n<p>As you can see in the above example, the goal is simply to overload the server with requests. This sort of attack could be easily mitigated by a website application firewall, as it would just block the offending IP that triggers its ruleset.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"2_randomized_http_floods\"><\/span>2. Randomized HTTP Floods:<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>These are similar to the general HTTP flood and differ only in the manner in which they are used. They use randomized IP addresses, user agents, target URLs, etc., but perform the same GET\/PUT requests, placing strain on the server. These attacks are likely to come from botnet-controlled devices that have been infected with malware.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>   2000 170.249.xxx.100 \"GET \/\n   1811 170.249.xxx.164 \"GET \/7\n   1770 170.249.xxx.100 \"GET \/1\n   1748 170.249.xxx.67 \"GET \/6\n   1025 170.249.xxx.16 \"GET \/3\n    906 170.249.xxx.226 \"GET \/4\n    874 170.249.xxx.129 \"GET \/2\n    645 170.249.xxx.99 \"GET \/8\n    458 170.249.xxx.179 \"GET \/5<\/code><\/pre>\n\n\n\n<p>In the above example, you can see the different IP addresses hitting various paths numerous times &#8212; in this instance, they all occurred over a few minutes, which easily overwhelmed the server. 
This makes mitigation harder if the malicious actor has a wide range of IPs at their disposal.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"3_cache-bypasscache-busting_http_floods\"><\/span>3. Cache-bypass (cache-busting) HTTP Floods:<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>This is probably one of the smartest types of HTTP floods out there. This method of flooding is used against websites that have caching, usually a CDN (content delivery network). This method uses variations in query strings to circumvent the caching being provided. As a result, instead of returning cached results, the CDN or caching service must contact the origin server for every search request. As these get requested, you begin to see the origin server strain under the requests.<\/p>\n\n\n\n<p>These requests can use any variation of key characters in the query or they can focus on dictionary-based words.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>xxx.xxx.xxx.xx - - &#91;01\/Oct\/2021:12:11:07 -0400] \"GET \/d\/_media\/wiki:dokuwiki.svg HTTP\/1.1\" 200 6709 \"https:\/\/redacted.com\/d\/apache?q=aaaaaa\" \"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/94.0.4606.54 Safari\/537.36\"\nxxx.xxx.xxx.xx - - &#91;01\/Oct\/2021:12:11:08 -0400] \"GET \/d\/_media\/wiki:dokuwiki.svg HTTP\/1.1\" 200 6709 \"https:\/\/redacted.com\/d\/apache?q=adfaf3\" \"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/94.0.4606.54 Safari\/537.36\"\nxxx.xxx.xxx.xx - - &#91;01\/Oct\/2021:12:11:09 -0400] \"GET \/d\/_media\/wiki:dokuwiki.svg HTTP\/1.1\" 200 6709 \"https:\/\/redacted.com\/d\/apache?q=4tfadefa\" \"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/94.0.4606.54 Safari\/537.36\"\nxxx.xxx.xxx.xx - - &#91;01\/Oct\/2021:12:11:10 -0400] \"GET \/d\/_media\/wiki:dokuwiki.svg HTTP\/1.1\" 200 6709 \"https:\/\/redacted.com\/d\/apache?q=34tfdefa\" \"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/94.0.4606.54 Safari\/537.36\"\nxxx.xxx.xxx.xx - - &#91;01\/Oct\/2021:12:11:11 -0400] \"GET \/d\/_media\/wiki:dokuwiki.svg HTTP\/1.1\" 200 6709 \"https:\/\/redacted.com\/d\/apache?q=34tfdafas\" \"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/94.0.4606.54 Safari\/537.36\"\nxxx.xxx.xxx.xx - - &#91;01\/Oct\/2021:12:11:11 -0400] \"GET \/d\/_media\/wiki:dokuwiki.svg HTTP\/1.1\" 200 6709 \"https:\/\/redacted.com\/d\/apache?q=fg6wy5a\" \"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/94.0.4606.54 Safari\/537.36\"\nxxx.xxx.xxx.xx - - &#91;01\/Oct\/2021:12:11:11 -0400] \"GET \/d\/_media\/wiki:dokuwiki.svg HTTP\/1.1\" 200 6709 \"https:\/\/redacted.com\/d\/apache?q=dafasdef4\" \"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/94.0.4606.54 Safari\/537.36\"\nxxx.xxx.xxx.xx - - &#91;01\/Oct\/2021:12:11:12 -0400] \"GET \/d\/_media\/wiki:dokuwiki.svg HTTP\/1.1\" 200 6709 \"https:\/\/redacted.com\/d\/apache?q=daf4fase3\" \"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/94.0.4606.54 Safari\/537.36\"<\/code><\/pre>\n\n\n\n<p>As you can see in the above example, each request made is a different query. If this website were behind a CDN, this would force a retrieval from the origin server. Hundreds of such requests in a short period of time would place strain on the server.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"4_wordpress_xml-rpc_floods\"><\/span>4. WordPress XML-RPC Floods:<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>As of 2021, WordPress powers around 39% of the internet. As this number continues to grow, it makes sense that we&#8217;ll see more of these attacks as users begin making use of WordPress. This attack takes advantage of WordPress by utilizing pingbacks from other websites. 
By abusing the pingback feature, they can force other WordPress websites to attack each other in order to verify the existence of the link used to pingback. <\/p>\n\n\n\n<p>This is easily preventable by disabling pingback requests.<\/p>\n\n\n\n<p>Read more about this in detail here:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.knownhost.com\/kb\/how-are-wordpress-pingbacks-exploited\/\">How are WordPress Pingbacks Exploited?<\/a><\/li><li><a href=\"https:\/\/www.knownhost.com\/kb\/how-to-enable-disable-sending-pingbacks\/\">How to Enable\/Disable Sending Pingbacks?<\/a><\/li><\/ul>\n\n\n\n<p>This is identifiable by the following behavior:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>52.28.2.139 - &#91;-] - &#91;06\/May\/2016:14:14:12 +0800] redacted.com \"GET \/ HTTP\/1.0\" 200 162 \"-\" \"WordPress\/4.0.1; http:\/\/www.muchohogar.com; verifying pingback from 185.103.252.170\"\n177.153.22.251 - &#91;-] - &#91;06\/May\/2016:14:14:12 +0800] redacted.com \"GET \/ HTTP\/1.0\" 200 162 \"-\" \"WordPress\/4.5.1; http:\/\/detox.suavidamaisfeliz.com; verifying pingback from 185.103.252.170\"\n119.9.131.80 - &#91;-] - &#91;06\/May\/2016:14:14:12 +0800] redacted.com \"GET \/ HTTP\/1.0\" 200 162 \"-\" \"WordPress\/4.5; http:\/\/ruedeseine.com; verifying pingback from 185.103.252.170\"\n130.185.250.98 - &#91;-] - &#91;06\/May\/2016:14:14:12 +0800] redacted.com \"GET \/ HTTP\/1.0\" 200 162 \"-\" \"WordPress\/4.4.2; http:\/\/devoclips.com; verifying pingback from 185.103.252.170\"\n149.210.165.225 - &#91;-] - &#91;06\/May\/2016:14:14:12 +0800] redacted.com \"GET \/ HTTP\/1.0\" 200 162 \"-\" \"WordPress\/4.5.1; http:\/\/sng-line.com; verifying pingback from 149.210.165.225\"\n84.21.137.236 - &#91;-] - &#91;06\/May\/2016:14:14:12 +0800] redacted.com \"GET \/ HTTP\/1.0\" 200 162 \"-\" \"WordPress\/4.3.1; http:\/\/www.web-promote.com; verifying pingback from 185.103.252.170\"\n104.196.107.216 - &#91;-] - &#91;06\/May\/2016:14:14:12 +0800] redacted.com \"GET 
\/ HTTP\/1.0\" 200 162 \"-\" \"WordPress\/4.4.2; http:\/\/homesophy.com; verifying pingback from 185.103.252.170\"\n89.225.228.230 - &#91;-] - &#91;06\/May\/2016:14:14:12 +0800] redacted.com \"GET \/ HTTP\/1.0\" 200 162 \"-\" \"WordPress\/4.5.1; http:\/\/89.225.228.230; verifying pingback from 185.103.252.170\"\n98.129.41.189 - &#91;-] - &#91;06\/May\/2016:14:14:12 +0800] redacted.com \"GET \/ HTTP\/1.0\" 200 162 \"-\" \"WordPress\/4.3; http:\/\/www.sscriticalcommunication.com; verifying pingback from 5.154.191.67\"\n130.211.134.65 - &#91;-] - &#91;06\/May\/2016:14:14:12 +0800] redacted.com \"GET \/ HTTP\/1.0\" 200 162 \"-\" \"WordPress\/4.5.1; http:\/\/130.211.134.65; verifying pingback from 185.103.252.170\"\n104.130.159.101 - &#91;-] - &#91;06\/May\/2016:14:14:12 +0800] redacted.com \"GET \/ HTTP\/1.0\" 200 162 \"-\" \"WordPress\/4.5; http:\/\/www.vmcfortmill.com; verifying pingback from 185.103.252.170\"\n59.124.159.107 - &#91;-] - &#91;06\/May\/2016:14:14:12 +0800] redacted.com \"GET \/ HTTP\/1.0\" 200 162 \"-\" \"WordPress\/4.5.1; http:\/\/myhome123.tw; verifying pingback from 185.103.252.170\"\n198.245.57.157 - &#91;-] - &#91;06\/May\/2016:14:14:12 +0800] redacted.com \"GET \/ HTTP\/1.0\" 200 162 \"-\" \"WordPress\/4.5.1; http:\/\/wpadmin.4mobile.cc; verifying pingback from 185.103.252.170\"\n136.243.152.43 - &#91;-] - &#91;06\/May\/2016:14:14:12 +0800] redacted.com \"GET \/ HTTP\/1.0\" 200 162 \"-\" \"WordPress\/4.2.4; https:\/\/www.leginda.de; verifying pingback from 185.103.252.170\"<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"5_slowloris_attacks\"><\/span>5. Slowloris Attacks<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>Although not seen as often as the other layer 7 attacks, Slowloris style attacks are the opposite of what you&#8217;d think a DDoS would be. Slowloris attacks do not overload the server with a vast amount of data. 
Instead, these attacks keep connections open and deliver their payloads over a period of time. This exhausts the webserver&#8217;s or service&#8217;s connection pool as it waits to receive the entire request. As a result, the server is unable to provide connections to legitimate users.<\/p>\n\n\n\n<p>Slowloris is typically seen as a massive number of 408s against the webserver:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>27.67.182.32 - - &#91;11\/Sep\/2021:00:00:22 -0300] \"-\" 408 - \"-\" \"-\"\n152.156.222.31 - - &#91;11\/Sep\/2021:00:02:01 -0300] \"-\" 408 - \"-\" \"-\"\n152.156.222.31 - - &#91;11\/Sep\/2021:00:02:01 -0300] \"-\" 408 - \"-\" \"-\"\n190.239.72.229 - - &#91;11\/Sep\/2021:00:03:41 -0300] \"-\" 408 - \"-\" \"-\"\n27.55.90.48 - - &#91;11\/Sep\/2021:00:06:07 -0300] \"-\" 408 - \"-\" \"-\"\n103.25.76.25 - - &#91;11\/Sep\/2021:00:08:39 -0300] \"-\" 408 - \"-\" \"-\"\n201.138.132.156 - - &#91;11\/Sep\/2021:00:15:46 -0300] \"-\" 408 - \"-\" \"-\"\n190.56.50.36 - - &#91;11\/Sep\/2021:00:20:46 -0300] \"-\" 408 - \"-\" \"-\"\n190.56.50.36 - - &#91;11\/Sep\/2021:00:20:46 -0300] \"-\" 408 - \"-\" \"-\"\n186.48.100.11 - - &#91;11\/Sep\/2021:00:31:39 -0300] \"-\" 408 - \"-\" \"-\"\n45.4.54.212 - - &#91;11\/Sep\/2021:00:31:43 -0300] \"-\" 408 - \"-\" \"-\"\n167.57.108.125 - - &#91;11\/Sep\/2021:00:31:48 -0300] \"-\" 408 - \"-\" \"-\"\n190.114.37.236 - - &#91;11\/Sep\/2021:00:37:19 -0300] \"-\" 408 - \"-\" \"-\"\n186.213.138.35 - - &#91;11\/Sep\/2021:00:44:57 -0300] \"-\" 408 - \"-\" \"-\"\n186.213.138.35 - - &#91;11\/Sep\/2021:00:44:57 -0300] \"-\" 408 - \"-\" \"-\"\n186.213.138.35 - - &#91;11\/Sep\/2021:00:44:57 -0300] \"-\" 408 - \"-\" \"-\"\n186.213.138.35 - - &#91;11\/Sep\/2021:00:44:58 -0300] \"-\" 408 - \"-\" \"-\"<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"protecting_against_layer_7_attacks\"><\/span>Protecting against Layer 7 Attacks<span 
class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Now that we&#8217;ve gone over the different common attacks, you&#8217;re probably wondering how you can go about protecting against them, and the answer is rather simple. A WAF will help protect your website against Layer 7 attacks.<\/p>\n\n\n\n<p>To be clear, there is no way to protect yourself 100%. The only truly protected server is one not connected to the internet. That&#8217;s why the keyword for all of this is <strong>mitigating<\/strong>.<\/p>\n\n\n\n<p>Mitigation reduces the effectiveness of these attacks against your server, allowing your website or applications to continue being served.<\/p>\n\n\n\n<p>To be effective at this, you want a managed website application firewall that is proactive about protecting your server from such incidents. While there are many different website application firewalls out there, the one that we recommend and provide managed assistance with is Imunify360.<\/p>\n\n\n\n<p>All KnownHost Managed VPS, NVMe, Cloud and Dedicated Servers are eligible for Imunify360.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>In this article, you learned a little bit about what Application Layer Attacks are, the different types that are most commonly seen and what sort of security is needed to protect yourself against Layer 7 attacks. While there may be other types of protection out there, such as <a href=\"https:\/\/www.knownhost.com\/kb\/what-is-mod-security\/\">mod_security<\/a>, a proper WAF is really the way to go.<\/p>\n\n\n\n<p>KnownHost offers best-in-class technical support 365 days a year, 24 hours a day, all 7 days of the week. A dedicated team is ready to help you should you need our assistance. You\u2019re not using KnownHost for the best web hosting experience? Well, why not? 
Check with&nbsp;<a href=\"https:\/\/www.knownhost.com\/contact\">our Sales team<\/a>&nbsp;to see what can KnownHost do for you in improving your web hosting experience.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There are many different server environments out there that experience disruptions due to malicious attacks of varying natures. Above all, each of these applications can be susceptible to incidents such as &#8216;Layer 7&#8217; or &#8216;Application Layer DDoS&#8217; attacks. This is performed by attempting to saturate network or server resources with traffic floods. A WAF (website [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[94],"tags":[181,273,141,123,465,466],"class_list":["post-3909","post","type-post","status-publish","format-standard","hentry","category-common-issues","tag-apache","tag-http","tag-imunify360","tag-linux","tag-waf","tag-website-application-firewall"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>What is a Website Application Firewall? - KnownHost<\/title>\n<meta name=\"description\" content=\"Looking to protect yourself? Need a website application firewall but you&#039;re unsure? Check here to find out what a website application firewall is.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.knownhost.com\/kb\/what-is-a-website-application-firewall\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"What is a Website Application Firewall? - KnownHost\" \/>\n<meta property=\"og:description\" content=\"Looking to protect yourself? 
Need a website application firewall but you&#039;re unsure? Check here to find out what a website application firewall is.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.knownhost.com\/kb\/what-is-a-website-application-firewall\/\" \/>\n<meta property=\"og:site_name\" content=\"KnownHost\" \/>\n<meta property=\"article:published_time\" content=\"2021-10-01T16:25:15+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-01-28T12:34:02+00:00\" \/>\n<meta name=\"author\" content=\"Jonathan K. W.\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jonathan K. W.\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/what-is-a-website-application-firewall\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/what-is-a-website-application-firewall\\\/\"},\"author\":{\"name\":\"Jonathan K. 
W.\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#\\\/schema\\\/person\\\/3db6e20d1f33519cd68fe0ba1230a48b\"},\"headline\":\"What is a Website Application Firewall?\",\"datePublished\":\"2021-10-01T16:25:15+00:00\",\"dateModified\":\"2022-01-28T12:34:02+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/what-is-a-website-application-firewall\\\/\"},\"wordCount\":1129,\"keywords\":[\"apache\",\"http\",\"imunify360\",\"linux\",\"waf\",\"website application firewall\"],\"articleSection\":[\"Common Issues\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/what-is-a-website-application-firewall\\\/\",\"url\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/what-is-a-website-application-firewall\\\/\",\"name\":\"What is a Website Application Firewall? - KnownHost\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#website\"},\"datePublished\":\"2021-10-01T16:25:15+00:00\",\"dateModified\":\"2022-01-28T12:34:02+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#\\\/schema\\\/person\\\/3db6e20d1f33519cd68fe0ba1230a48b\"},\"description\":\"Looking to protect yourself? Need a website application firewall but you're unsure? 
Check here to find out what a website application firewall is.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/what-is-a-website-application-firewall\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/what-is-a-website-application-firewall\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/what-is-a-website-application-firewall\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"What is a Website Application Firewall?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#website\",\"url\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/\",\"name\":\"KnownHost\",\"description\":\"KnownHost provides a comprehensive webhosting knowledge base to help answer many of your common webhosting and linux questions.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.knownhost.com\\\/kb\\\/#\\\/schema\\\/person\\\/3db6e20d1f33519cd68fe0ba1230a48b\",\"name\":\"Jonathan K. 
W.\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g\",\"caption\":\"Jonathan K. W.\"},\"sameAs\":[\"https:\\\/\\\/www.knownhost.com\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"What is a Website Application Firewall? - KnownHost","description":"Looking to protect yourself? Need a website application firewall but you're unsure? Check here to find out what a website application firewall is.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.knownhost.com\/kb\/what-is-a-website-application-firewall\/","og_locale":"en_US","og_type":"article","og_title":"What is a Website Application Firewall? - KnownHost","og_description":"Looking to protect yourself? Need a website application firewall but you're unsure? Check here to find out what a website application firewall is.","og_url":"https:\/\/www.knownhost.com\/kb\/what-is-a-website-application-firewall\/","og_site_name":"KnownHost","article_published_time":"2021-10-01T16:25:15+00:00","article_modified_time":"2022-01-28T12:34:02+00:00","author":"Jonathan K. W.","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Jonathan K. W.","Est. 
reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.knownhost.com\/kb\/what-is-a-website-application-firewall\/#article","isPartOf":{"@id":"https:\/\/www.knownhost.com\/kb\/what-is-a-website-application-firewall\/"},"author":{"name":"Jonathan K. W.","@id":"https:\/\/www.knownhost.com\/kb\/#\/schema\/person\/3db6e20d1f33519cd68fe0ba1230a48b"},"headline":"What is a Website Application Firewall?","datePublished":"2021-10-01T16:25:15+00:00","dateModified":"2022-01-28T12:34:02+00:00","mainEntityOfPage":{"@id":"https:\/\/www.knownhost.com\/kb\/what-is-a-website-application-firewall\/"},"wordCount":1129,"keywords":["apache","http","imunify360","linux","waf","website application firewall"],"articleSection":["Common Issues"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.knownhost.com\/kb\/what-is-a-website-application-firewall\/","url":"https:\/\/www.knownhost.com\/kb\/what-is-a-website-application-firewall\/","name":"What is a Website Application Firewall? - KnownHost","isPartOf":{"@id":"https:\/\/www.knownhost.com\/kb\/#website"},"datePublished":"2021-10-01T16:25:15+00:00","dateModified":"2022-01-28T12:34:02+00:00","author":{"@id":"https:\/\/www.knownhost.com\/kb\/#\/schema\/person\/3db6e20d1f33519cd68fe0ba1230a48b"},"description":"Looking to protect yourself? Need a website application firewall but you're unsure? 
Check here to find out what a website application firewall is.","breadcrumb":{"@id":"https:\/\/www.knownhost.com\/kb\/what-is-a-website-application-firewall\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.knownhost.com\/kb\/what-is-a-website-application-firewall\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.knownhost.com\/kb\/what-is-a-website-application-firewall\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.knownhost.com\/kb\/"},{"@type":"ListItem","position":2,"name":"What is a Website Application Firewall?"}]},{"@type":"WebSite","@id":"https:\/\/www.knownhost.com\/kb\/#website","url":"https:\/\/www.knownhost.com\/kb\/","name":"KnownHost","description":"KnownHost provides a comprehensive webhosting knowledge base to help answer many of your common webhosting and linux questions.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.knownhost.com\/kb\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.knownhost.com\/kb\/#\/schema\/person\/3db6e20d1f33519cd68fe0ba1230a48b","name":"Jonathan K. W.","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f432b99e6651fe8d1deb57a285bd84e806f1c9ae8b4c6c585d7e3a0b33789ad9?s=96&d=mm&r=g","caption":"Jonathan K. 
W."},"sameAs":["https:\/\/www.knownhost.com"]}]}},"_links":{"self":[{"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/posts\/3909","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/comments?post=3909"}],"version-history":[{"count":0,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/posts\/3909\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/media?parent=3909"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/categories?post=3909"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.knownhost.com\/kb\/wp-json\/wp\/v2\/tags?post=3909"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}