General information about Web Application Facility Protection (WAF)

WAF (Web Application Firewall) is a class of solutions that secure a web application at the L7 level, protecting a site or application from targeted attacks.

A targeted attack is an attack on your website or application to steal sensitive data, gain access to internal systems, cause reputational damage, or disrupt your application. Targeted attacks are often disguised as normal user traffic.

At Selectel, Web Application Protection (WAF) comes in the form of the WAF Curator service.

Principle of operation

Traffic that has been cleaned by DDoS protection filtering nodes is redirected to the WAF. The WAF analyzes HTTP and HTTPS traffic and applies filtering rules to clean traffic from malicious requests.

WAF works on the basis of machine learning algorithms. There is a mandatory training and monitoring period that lasts about two to three weeks. The length of the training period depends on the volume of incoming traffic. During the training period, WAF analyzes the traffic directed to your application and learns to protect your application specifically. For training purposes, the following are used:

Behavioral Analysis — WAF studies user behavior and learns to recognize abnormal behavior;
Signature analysis — WAF matches traffic to known types of attacks.

In this way, a list of filtering rules is generated and the accuracy of attack blocking is improved. After training is complete, the WAF can start actively blocking attacks.

Limitations

WAF analyzes traffic that has already been cleared from attacks, so the service can only be activated in addition to application-level DDoS protection (L7). For more information about DDoS protection, please refer to the General information about DDoS protection.