WAF, DDoS & Bot Management
Cloudflare, AWS WAF, Akamai, Imperva - edge security for the public web; filtering attacks before they hit your origin
The internet is hostile. Anything you put on a public IP gets scanned, probed, and attacked within minutes. This subject covers the edge controls that absorb the noise: Web Application Firewalls (WAFs) filter malicious HTTP requests, DDoS protection absorbs floods, bot management distinguishes humans from automated traffic.
These are typically delivered as a layer in front of your application — Cloudflare, AWS WAF + Shield, Akamai, Imperva, Fastly. Building this in-house is rarely the right call: the value is in the threat intelligence and the bandwidth that these providers collectively bring, which a single org can't reproduce.
Why You Want This
| Without edge security | With |
|---|---|
| SQLi attempts hit your app code | Filtered at edge; never reach origin |
| L3/L4 floods saturate your bandwidth | Scrubbed at edge with terabit capacity |
| Credential stuffing burns auth backend | Rate limit + bot detection blocks |
| Vulnerability scanners use your CPU | Pattern-matched, dropped |
| Bots scrape your data 24/7 | Distinguished, throttled or challenged |
| Customer abuse via API | Per-API-key rate limits enforced |
| Origin IP exposed; direct attack possible | Origin hidden; only edge-allowed traffic |
| New CVE in your framework = race to patch | Virtual patching via WAF rule |
The CFO might balk at edge costs. The CFO has not seen the bill from absorbing a 1Tbps attack.
The Players
Edge-integrated (CDN + WAF + DDoS)
| Provider | Strengths |
|---|---|
| Cloudflare | Largest network; bundled product; generous free tier; OSS-friendly |
| Akamai | Enterprise default; deep features; expensive; long-standing |
| AWS CloudFront + WAF + Shield | AWS-native; integrated billing; uneven UX |
| Fastly | Performance focus; powerful VCL; mid-market |
| Google Cloud Armor | GCP-native; integrated with Cloud CDN |
| Imperva | Enterprise WAF + DDoS; legacy; thorough |
| F5 Distributed Cloud (formerly Volterra) | Multi-cloud; modern |
Bot management specialists
| Provider | Specialty |
|---|---|
| PerimeterX (HUMAN) | Sophisticated bot fingerprinting |
| DataDome | Bot mitigation; ML-driven |
| Akamai Bot Manager | Enterprise; integrated with Akamai stack |
| Cloudflare Bot Management | Solid mid-tier; included in Pro plans |
Origin / self-hosted
| Tool | Notes |
|---|---|
| ModSecurity + OWASP CRS | Open-source WAF rules; runs in nginx/Apache |
| Coraza | OSS WAF engine, ModSecurity-compatible |
| NAXSI | Lightweight nginx WAF |
| Wallarm / Signal Sciences (now Fastly NGWAF) | Modern, API-aware |
Most teams: Cloudflare for general edge protection, with self-hosted WAF rules as defense-in-depth at the application gateway. Bigger orgs add a specialist for bot management.
The OWASP Top 10 and WAF
A WAF is most effective at OWASP Top 10 categories that show up in request shape:
| Category | WAF coverage |
|---|---|
| Injection (SQLi, command, NoSQL) | Strong — pattern + behavioral |
| Broken Auth | Limited — rate limit + bot signals help, but logic flaws need code fixes |
| Sensitive Data Exposure | Mostly out of scope |
| XML External Entities | Strong |
| Broken Access Control | Limited — can't read your authorization logic |
| Security Misconfiguration | Limited |
| XSS | Strong — pattern match payloads |
| Insecure Deserialization | Some |
| Components with Known Vulnerabilities | Strong — virtual patching |
| Insufficient Logging | Solves it (logs everything) |
The WAF buys you time. It is not a substitute for secure code; it's a layer that catches known patterns and lets you patch real bugs over weeks instead of hours.
DDoS: The Layers
DDoS attacks come in three layers:
| Layer | Example | Defense |
|---|---|---|
| L3/L4 (network/volumetric) | SYN flood, UDP flood, amplified DNS reflection — 10s of Gbps to Tbps | Provider scrubbing centers (Cloudflare/AWS Shield) |
| L6/L7 (application) | HTTP flood, Slowloris, expensive query loop | WAF rate limiting + behavioral analysis |
| Resource exhaustion | Memory leak triggered by malicious input | App-level controls + WAF |
A serious attacker uses all three. A typical defense stack:
```
[Attacker] ─▶ [Scrubbing center] ─▶ [WAF] ─▶ [Origin]
              (L3/L4 + amplifiers)  (L7)
```
Volumetric attacks die at the scrubber. Application-layer attacks (slow, sneaky, low volume) need the WAF and good app design.
Bot Traffic: The Three Categories
Not all bots are bad:
| Bot type | Examples | Treatment |
|---|---|---|
| Good bots | Googlebot, Bingbot, Slackbot | Allow, often with verification |
| Neutral bots | RSS readers, monitoring tools, archive crawlers | Allow with rate limits |
| Bad bots | Scrapers, credential-stuffing, click fraud, inventory hoarders | Block, challenge, or feed fake data |
Modern bot management uses:
- Headers + IP reputation (easy bypass)
- Behavioral analysis (mouse moves, key timing, click patterns)
- JavaScript challenges (Cloudflare Turnstile, Google reCAPTCHA Enterprise)
- TLS / HTTP/2 fingerprinting (JA3/JA4 — hard to spoof for naive bots)
- Device intelligence (commercial providers)
The bad bot ecosystem is sophisticated — credential-stuffing services rent residential proxies, and browser farms run real Chrome. Detection is an arms race.
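The "allow, often with verification" entry in the table above refers to the check the search engines themselves document: reverse-resolve the client IP, confirm the PTR name sits under the crawler's published domain, then forward-resolve that name and require it to map back to the same IP. The following is an added example written for this page, not a vendor's bot-management code; the DNS data is a constructed in-memory table on documentation address space, and the resolver is injected so the check runs offline (a `LiveResolver` using the standard library is included for real lookups).

```python
"""Good-bot verification: PTR lookup, domain suffix check, forward lookup.
Added example; the DNS table below is constructed, not real data."""
import ipaddress
import socket

# Hostname suffixes the crawlers publish for their own fetchers (Google lists
# googlebot.com and google.com, Bing lists search.msn.com).
CRAWLER_DOMAINS = {
    "googlebot": ("googlebot.com", "google.com"),
    "bingbot": ("search.msn.com",),
}


class TableResolver:
    """Constructed in-memory DNS: PTR map (ip -> hostname) and A map
    (hostname -> list of ips). Same two methods as LiveResolver."""

    def __init__(self, ptr, a):
        self.ptr, self.a = ptr, a

    def reverse(self, ip):
        return self.ptr.get(ip)

    def forward(self, hostname):
        return self.a.get(hostname, [])


class LiveResolver:
    """Real DNS via the standard library (not exercised in the offline run)."""

    def reverse(self, ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except socket.herror:
            return None

    def forward(self, hostname):
        try:
            return socket.gethostbyname_ex(hostname)[2]
        except socket.gaierror:
            return []


def claimed_crawler(user_agent):
    """Which crawler the User-Agent claims to be, or None. The claim is free
    text and proves nothing by itself; it only selects the domains to check."""
    ua = user_agent.lower()
    for name in CRAWLER_DOMAINS:
        if name in ua:
            return name
    return None


def verify_crawler(ip, crawler, resolver):
    """Return (verified, reason)."""
    domains = CRAWLER_DOMAINS.get(crawler)
    if not domains:
        return False, "unknown crawler"
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return False, "malformed ip"
    host = resolver.reverse(ip)
    if not host:
        return False, "no PTR record"
    host = host.rstrip(".").lower()
    # Suffix check must be label-aligned: both googlebot.com.attacker.example
    # and evilgooglebot.com must fail.
    if not any(host == d or host.endswith("." + d) for d in domains):
        return False, f"PTR {host} is outside {domains}"
    # Whoever controls the IP controls its PTR, so require the name to
    # resolve back to the same address.
    if ip not in resolver.forward(host):
        return False, f"forward lookup of {host} does not return {ip}"
    return True, host


def decide(ip, user_agent, resolver):
    """Policy outcome for one request: allow-verified / block-spoofed / no-claim."""
    crawler = claimed_crawler(user_agent)
    if crawler is None:
        return "no-claim"
    ok, _ = verify_crawler(ip, crawler, resolver)
    return "allow-verified" if ok else "block-spoofed"


# Constructed DNS data on RFC 5737 documentation ranges.
SAMPLE_DNS = TableResolver(
    ptr={
        "192.0.2.10": "crawl-192-0-2-10.googlebot.com.",  # genuine
        "192.0.2.11": "crawl-192-0-2-11.googlebot.com.",  # forged PTR; A does not match
        "192.0.2.12": "googlebot.com.attacker.example.",  # suffix trick
        "198.51.100.5": "vps-5.hosting.example.",
    },
    a={
        "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
        "crawl-192-0-2-11.googlebot.com": ["192.0.2.99"],
    },
)
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "198.51.100.5"):
        print(ip, decide(ip, GOOGLEBOT_UA, SAMPLE_DNS), verify_crawler(ip, "googlebot", SAMPLE_DNS)[1])
```

The forward lookup is the step people skip: a PTR record is set by whoever owns the address block, so a PTR alone proves nothing. Cache verified results per IP; the lookups are slow and the crawler IPs change rarely.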
Rate Limiting Patterns
Most attacks involve volume. Rate limiting is the cheap, effective defense:
| Pattern | Use |
|---|---|
| Per IP | Crude but useful; defeated by botnets |
| Per identity (API key, user ID) | Strong for authenticated APIs |
| Per route | Login endpoints stricter than CDN-cached pages |
| Per geography | Block or throttle high-risk regions |
| Tiered (free vs paid users) | Business-aligned limits |
| Sliding window | Smooth, no edge cases at boundaries |
| Adaptive | Tighten when error rates rise |
Most providers offer rule-based rate limits with custom keys and actions. The art is what to limit and how strict — too tight blocks real users; too loose lets attacks through.
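To make the patterns in the table concrete, here is an added example (written for this page, not any provider's SDK) of a sliding-window limiter whose key combines identity and route, with per-route base limits and a tier multiplier. The policy table, routes and tiers are assumptions, and the traffic replayed at the bottom is constructed.

```python
"""Sliding-window rate limiter keyed by identity (API key or IP) and route,
with per-route and tiered limits. Added example; the policy values and the
replayed traffic are constructed."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Limit:
    max_requests: int
    window_seconds: float


class SlidingWindowLimiter:
    """One deque of request timestamps per key. A request is allowed when
    fewer than max_requests fall inside the trailing window, so there is no
    double-size burst at a fixed-window boundary."""

    def __init__(self):
        self._hits = {}  # key -> deque of timestamps (seconds)

    def allow(self, key, limit, now):
        q = self._hits.setdefault(key, deque())
        cutoff = now - limit.window_seconds
        while q and q[0] <= cutoff:  # drop hits that aged out of the window
            q.popleft()
        if len(q) >= limit.max_requests:
            return False
        q.append(now)
        return True


# Per-route base limits (assumed values): login is strict, the API is looser,
# everything else inherits DEFAULT_LIMIT. Paid tenants get a multiplier.
ROUTE_LIMITS = {
    "/login": Limit(max_requests=5, window_seconds=60),
    "/api": Limit(max_requests=100, window_seconds=60),
}
DEFAULT_LIMIT = Limit(max_requests=1000, window_seconds=60)
TIER_MULTIPLIER = {"free": 1, "paid": 5}


def policy_for(route, tier):
    base = ROUTE_LIMITS.get(route, DEFAULT_LIMIT)
    return Limit(base.max_requests * TIER_MULTIPLIER.get(tier, 1), base.window_seconds)


def check_request(limiter, ip, api_key, route, tier, now):
    """Return (allowed, rate_limit_key). Authenticated traffic is keyed by
    API key, so a botnet cannot spread one key across many IPs; anonymous
    traffic falls back to the client IP. The route is always part of the key
    so that hammering /login does not consume the budget for /."""
    identity = f"key:{api_key}" if api_key else f"ip:{ip}"
    key = f"{identity}|{route}"
    return limiter.allow(key, policy_for(route, tier), now), key


def simulate_login_burst(limiter, ip, attempts, spacing_seconds):
    """Replay `attempts` anonymous login requests from one IP, one every
    `spacing_seconds`; returns how many were allowed."""
    return sum(
        check_request(limiter, ip, None, "/login", "free", i * spacing_seconds)[0]
        for i in range(attempts)
    )


if __name__ == "__main__":
    lim = SlidingWindowLimiter()
    print("login burst allowed:", simulate_login_burst(lim, "203.0.113.7", 20, 1.0))
    print("same IP on /:", check_request(lim, "203.0.113.7", None, "/", "free", 5.0))
```

In production the deques live in a shared store (Redis or the provider's edge state), not process memory, and the decision is logged with its key so that the noisiest keys show up in the tuning data; the choice of key is the whole design.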
Learning Path
1. Getting Started
Put a site behind Cloudflare; enable WAF managed rules; configure rate limits; test bot mitigation; set up AWS WAF
2. Patterns
Layered defense, custom WAF rules, virtual patching, bot management strategies, API-specific protection, observability
3. Best Practices
Tuning false positives, runbook for active attacks, origin protection, compliance, common pitfalls, scaling
The Cost of Doing Nothing
Concrete numbers:
- Credential stuffing: 10-30% of login traffic on unprotected sites is automated. The auth backend pays.
- Scraping: competitors hoover your prices, content, inventory. Lost revenue is real.
- DDoS extortion: "pay or we attack your site" — happens, regularly.
- Vulnerability scanning: every public service gets scanned within hours of going up. If a CVE drops, scanners try it on you.
- Vulnerability exploitation: window between CVE disclosure and exploit-in-the-wild is hours. WAF rules ship faster than your patch.
Cloudflare Free protects against a remarkable amount. Pro / Business / Enterprise tiers add WAF custom rules, advanced bot management, dedicated capacity.
CDN vs WAF vs DDoS — Overlap
These often come bundled but solve different problems:
| Function | Solves |
|---|---|
| CDN (caching) | Static content delivery; reduces origin load |
| DDoS protection | Absorbs volumetric attacks |
| WAF | Filters malicious HTTP requests |
| Bot management | Distinguishes human traffic |
| API gateway | Auth, rate limit, routing for APIs |
| Origin shield | Single edge point that the origin sees |
A typical edge configuration uses 4-5 of these layers from one provider. Cloudflare and AWS sell them as integrated bundles for this reason.
The WAF that ships with a default config catches a lot but tunes for nothing. Your app has specific routes, specific clients, specific traffic patterns. The first week with a new WAF in log-only mode (alert but don't block) tells you what's noisy and what's signal. Then you turn enforcement on, route by route, ramping up confidence. A WAF tuned for your traffic is much more powerful than a WAF on factory settings.
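The following added example (written for this page; not Cloudflare, ModSecurity or OWASP CRS code) ties together the two points about WAFs made on this page: the OWASP coverage table, where the WAF's strength is matching request shape and shipping a virtual patch for a known-vulnerable endpoint, and the tuning paragraph above, where each route runs in log-only or block mode and the first week's hit report tells you which rules are noisy. The three signature rules, the virtual-patch route `/legacy/export` and its `template` parameter, the route modes and the sample requests are all constructed assumptions.

```python
"""Minimal WAF-style request inspector with per-route log/block modes and a
virtual-patch rule. Added example; rules, routes and requests are constructed."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# (rule id, description, pattern). Patterns run over the URL-decoded target
# (path + query) and body. A tiny signature set for illustration; a managed
# rule set such as OWASP CRS carries thousands.
RULES = [
    ("sqli-001", "SQL tautology, comment or UNION SELECT",
     re.compile(r"(?i)(\bor\b\s+\d+\s*=\s*\d+|--\s|/\*|\bunion\b\s+\bselect\b)")),
    ("xss-001", "script tag or inline event handler",
     re.compile(r"(?i)(<script\b|\bon\w+\s*=)")),
    ("xxe-001", "external entity declaration",
     re.compile(r"(?i)<!ENTITY\s+\w+\s+SYSTEM")),
    # Virtual patch: refuse a known-bad parameter on one endpoint until the
    # application fix ships. Route and parameter are hypothetical placeholders.
    ("vpatch-EXAMPLE-0001", "virtual patch: 'template' param on /legacy/export",
     re.compile(r"(?i)^/legacy/export\?.*\btemplate=")),
]

# Route prefix -> mode. Enforcement is turned on route by route; anything not
# listed stays in log-only mode.
ROUTE_MODES = {"/login": "block", "/legacy": "block"}
DEFAULT_MODE = "log"


def mode_for(path):
    for prefix, mode in ROUTE_MODES.items():
        if path == prefix or path.startswith(prefix + "/"):
            return mode
    return DEFAULT_MODE


def inspect(req):
    """Return (action, matched_rule_ids); action is 'allow', 'log' or 'block'.
    Decoding before matching matters: 'or 1=1' arrives as or+1%3D1."""
    target = unquote_plus(req["path"])
    if req.get("query"):
        target += "?" + unquote_plus(req["query"])
    haystacks = [target, unquote_plus(req.get("body", ""))]
    hits = [rid for rid, _, pat in RULES if any(pat.search(h) for h in haystacks)]
    if not hits:
        return "allow", hits
    return mode_for(req["path"]), hits


def tuning_report(requests):
    """Count (route, rule, action) triples. Run over a week of log-only
    traffic this is what separates noisy rules from signal per route."""
    report = Counter()
    for req in requests:
        action, hits = inspect(req)
        for rid in hits:
            report[(req["path"], rid, action)] += 1
    return report


# Constructed traffic: benign search, SQLi probe on a log-only route, SQLi in a
# login body on a blocking route, the virtually patched endpoint, and a benign
# docs search for the word "onclick=" that trips the XSS rule (a false positive
# the report surfaces before that route is switched to block).
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/search", "query": "q=shoes"},
    {"method": "GET", "path": "/search", "query": "q=%27+or+1%3D1+--"},
    {"method": "POST", "path": "/login", "body": "user=bob&pass=x%27+OR+1%3D1+--"},
    {"method": "GET", "path": "/legacy/export", "query": "template=custom.tpl"},
    {"method": "GET", "path": "/docs", "query": "q=onclick%3D"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["method"], req["path"], "->", inspect(req))
    for key, n in sorted(tuning_report(SAMPLE_REQUESTS).items()):
        print(key, n)
```

The report is the tuning loop: a rule that fires on `/docs` for legitimate searches gets an exclusion on that route (or the route stays in log mode) while the same rule keeps blocking on `/login`. The virtual-patch rule is deliberately narrow, one route and one parameter, so it can be removed the day the application fix deploys.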