How to know what text transformation I need

Currently we are facing a DDoS attack on our application every 3-4 days. We have configured a WAF rate limiting rule that seems to work correctly against our load testing tool but doesn't seem to block when the actual DDoS attack happens. The only thing that I suspect could be going wrong is missing some critical text transformation parameter.

How does one get to know which text transformation to apply from, say, hex decode, JSON decode, URL decode, MD5 etc., and in what order? Tried enabling WAF logs for a bit but was unsure from looking at the JSON logs why the rule was not working and how to get it to work.

It would be great if any of you guys can help in this. Thank you.

1 Answer

Hi there

When you analyze the WAF logs, you have to identify the encoding schemes. Based on the patterns you observe in the logs, try to identify the encoding schemes used in the malicious requests. Common encoding schemes include:

  • URL encoding (e.g., %20 for space)
  • Hexadecimal encoding (e.g., 0x20 for space)
  • Base64 encoding
  • JSON encoding
  • HTML entity encoding (e.g., &nbsp; for space)

Here's a common order for applying text transformations:

  1. Decode HTML entity encoding (if present)
  2. Decode URL encoding
  3. Decode Base64 encoding (if present)
  4. Decode Hex encoding (if present)
  5. Normalize JSON bodies (if present)

For example, if you notice that the malicious requests use URL encoding and Hex encoding, you can apply the URLDecode and HexDecode transformations in that order.

Are you using the AWS Managed rules for WAF? These rules are maintained by AWS and can provide protection against common attack patterns, including DDoS attacks.

AWS
EXPERT
Matt-B
answered 5 days ago
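
One way to see which encodings are actually present in logged requests, as an added example that is not part of the answer above or of any AWS tooling: it peels encoding layers off each query-string value in WAF log records and counts the resulting decode chains. The sample records are constructed and reduced to the `action` and `httpRequest` fields; the detection heuristics and function names are assumptions of this example, while the chain labels are AWS WAF text transformation types.

```python
import base64, html, json, re
from collections import Counter
from urllib.parse import unquote

def _ascii(decode, s):
    """Decode s to bytes; keep the result only if it is printable ASCII (heuristic)."""
    try:
        out = decode(s).decode("ascii")
    except ValueError:  # also covers binascii.Error and UnicodeDecodeError
        return None
    return out if len(s) >= 8 and out.isprintable() else None

# Names are AWS WAF text transformation types; the detectors are heuristics of this example.
STEPS = [
    ("URL_DECODE", lambda s: unquote(s) if re.search(r"%[0-9a-fA-F]{2}", s) else None),
    ("HTML_ENTITY_DECODE", lambda s: html.unescape(s) if re.search(r"&#?\w+;", s) else None),
    ("HEX_DECODE", lambda s: _ascii(bytes.fromhex, s)),
    ("BASE64_DECODE", lambda s: _ascii(lambda v: base64.b64decode(v, validate=True), s)),
]

def layers(value, max_depth=5):
    """Return the decode steps, in order, that turn value into plain text."""
    found = []
    while len(found) < max_depth:
        hit = next(((n, o) for n, d in STEPS if (o := d(value)) not in (None, value)), None)
        if hit is None:  # no detector fired: value is already plain
            break
        found.append(hit[0])
        value = hit[1]
    return found

def summarize(log_lines, action="ALLOW"):
    """Count decode chains in query-string values of records with the given action."""
    chains = Counter()
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("action") != action:
            continue
        for pair in rec["httpRequest"].get("args", "").split("&"):
            if chain := layers(pair.partition("=")[2]):
                chains[" -> ".join(chain)] += 1
    return chains

# Constructed sample records (one JSON object per line, as in WAF log files).
SAMPLE_LOGS = [
    '{"action": "ALLOW", "httpRequest": {"uri": "/search", "args": "q=%253Cb%253E"}}',
    '{"action": "ALLOW", "httpRequest": {"uri": "/item", "args": "id=aGVsbG8gd29ybGQ%3D&page=2"}}',
    '{"action": "BLOCK", "httpRequest": {"uri": "/item", "args": "id=%3Cb%3E"}}',
]
```

Calling `summarize(lines)` on real log lines and comparing the chains for `ALLOW` against those for `BLOCK` shows which layers the existing rule statements are not decoding.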
