Website Firewall (WAF)

Most website hacks come from insecure code being exploited. The attack vector is hidden within the millions of lines of code that make up your website. When a security flaw becomes known, all vulnerable websites can be compromised within a very short time frame.

You need lightning reflexes and robust defenses to prevent hackers from infecting your website. By taking away the methods used to crack your insecure code, the malware author’s attempts become useless. Eliminate all website security vulnerabilities and replace them with a blocking page for anyone who dares to exploit them.

Blocking All Vulnerability Exploits

Whether it is zero-day exploits or ancient security patches, Sucuri makes it impossible to take advantage of vulnerabilities in website code. Their Website Firewall uses a whitelist methodology that renders these flaws useless to attackers. Their expertise is wide ranging, and they dedicate significant resources daily to analyzing the latest trends and innovating new technology.

Sucuri can withstand many vulnerabilities and environments

• Compatible with Webhosting.net
• Any CMS or Custom Setup
• Zero-Day Exploits
• Cross Site Scripting (XSS)
• Remote File Inclusion (RFI)
• Local File Inclusion (LFI)
• SQL Injection Attacks
• Cross Site Request Forgery (CSRF)
• Login Form Bypassing
• Out-Of-Date Software
• Insecure Plugins
• Vulnerable Themes
• Bad GET or POST Methods
• Insecure Direct Object Reference
• Drupalgeddon
• Heartbleed
• Bash Bug / Shellshock
• POODLE
• Malicious HTTP Requests
• Remote Code Execution
• Malformed Cookie Requests

How Sucuri Website Firewall Prevents Exploitation

The Sucuri Website Firewall employs a proprietary virtual hardening and patching technology that allows you to stay ahead of the latest website threats. The technology is built such that it allows the team to respond within minutes of Zero Day events when they occur. Staying true to the core of the company, the Sucuri Website Firewall has been built through years of analysis and significant investments in research of existing and emerging threats. This level of internal commitment allows them to build the best and most effective solution to protect websites from today’s top threats.

Multi-Layer Filtering

To protect our clients against these exploits, Sucuri employs a solution that uses heuristic and signature based techniques. Incoming traffic is sanitized before reaching your website. If there are patterns matching an attack, or if the behavior looks out of place, Sucuri blocks it before sending the good traffic back to you.

Pattern Recognition

Inbound traffic to your site usually matches a standard pattern based on the visitor’s HTTP request headers. A good example is SQL Injection attacks. A successful attack requires an attacker to send certain chunks of data in predictable ways. Like every programming language, SQL must respect certain syntax rules. Sucuri can flag these quite easily by looking for matches such as:

• Does the syntax begin with a quote ( ‘ )?
• If so, does it contain certain keywords, obfuscated or not: SELECT, FROM, LIMIT, etc.?
• If it does, are the last few characters some SQL escaping sequences? (–, /*, #).

There are many other attack scenarios like this for for SQL, and the same applies for cross-site scripting (XSS) and local and remote file inclusion (LFI/RFI).

Virtual Website Patching

In these specific cases, the Sucuri research lab will analyze a particular bug to understand how it works in order to list every single place or context in which it can be used. From there, the Sucuri Website Firewall can draw a clear distinction between the normal traffic going to the faulty component, and malicious requests.

Vulnerable Outdated Software

If existing detection signatures are unable to separate legitimate requests from malicious ones, our heuristic detection and auditing will flag new samples for research. The new signature is quickly analyzed and decoded. In a recent vulnerability that the Sucuri research team discovered and disclosed responsibly, the exploit used a base64 encoded string to send its malicious payload, which is hard to detect as it only contained random alphanumeric characters. To detect it, the Website Firewall was set to review different elements such as the size of the particular parameter:

• Legitimate requests only contained the serialize()’d username/password.
• The length of the request should not normally be more than ~200 characters.
• Malicious requests would use a few thousands characters to bypass the application’s execution flow.
• Requests over 10000 characters are able to get a full Remote Code Execution script working.

How Sucuri Website Firewall Protects Against DDoS / DoS Attacks

To protect against these attacks, Sucuri employs a multi-layer filtering solution and works with top Internet Service Providers (ISP) around the world, to ensure adequate bandwidth is available to respond when there is a need.

See What Happens When Your Site is Being Attacked

Layer 3/4 Attacks

Layer 3 / 4 attacks are often volumetric, they are designed to flood, saturate, your network with so much traffic the only option is failure. This fight is achieved through Sucuri’s ability to handle the incoming throughput. Sucuri achieves this by partnering with top providers around the world (e.g.., Amazon AWS, Google CE and OVH) to provide them with all the bandwidth they need. This provides them hundreds of gigabytes per second of available pipe, allowing them to sustain and mitigate a large subset of volumetric attacks. Because Sucuri does not manage all of their infrastructure, they are able to quickly scale and respond based on needs.

UDP DoS Attacks

Sucuri’s response to DNS Amplification attacks are very similar to Layer 3 / 4 Attacks, but because of their configuration, Sucuri is especially suited for these DoS attack types. None of their reverse proxies are configured to allow anything but HTTP / HTTPS traffic through the end point (your web server). This approach allows them to mitigate attacks based on UDP quickly and efficiently. All UDP attacks are blocked at the edge, meaning they never come close to touching your web server, this greatly reduces the noise large amplification attacks introduce during an attack.

Layer 7 / HTTP floods

Layer 7 attacks are a bit more complex and require a more refined touch when it comes to mitigating. Because Layer 7 attacks often mask themselves with what would otherwise be categorized as legitimate traffic, Sucuri have built technology that allows them to analyze all incoming traffic for anomalies and respond accordingly. Their technology makes use of heuristic and signature based techniques, allowing them to quickly mitigate any incoming Layer 7 DoS attacks.

Website Firewall Advantages for DDoS Protection

• Global, distributed network with 28 points of presence
• Use of anycast for both DNS and HTTP/HTTPS
• Protection from all types of DDoS attacks
• Expertise from protecting over 1 million businesses
• No limit on attack size
• Predictable pricing; pricing not based on attack size
• Uptime guarantee
• Legitimate traffic can still access your content

Prevent Hackers From Breaking Into Your Website

Your website is under constant attack from hackers trying to log into your website? Every website with an admin panel experiences malicious login attempts.

The pace of technology has made it simple to program ways to guess your login and password. Limiting login attempts is not the answer. You need to stop anyone from accessing your admin page if they aren’t supposed to be there.

Blocking All Brute Force Attacks

Using a combination of detection methods and whitelisting, the Sucuri Website Firewall is able to stop brute force attempts in their tracks. Whether using bad bots, scanning tools, or semi-manual methods, you can stop unauthorized login attempts on your critical website access points. Save your website users from having credentials stolen and used for malicious purposes.

Compatible with Webhosting.net
Any CMS or Custom Website
Unlimited Attempt Frequency
Dictionary Attack
Search Attacks
Rainbow Table Attacks
HTTP Basic Authentication
HTTP Digest Authentication
HTML Form Based Authentication
Mask Attacks
Rule-Based Search Attacks
Combinator Attacks
Botnet Attacks
Unauthorized IPs
IP Whitelisting
Bruter
THC Hydra
John the Ripper
Brutus
Ophcrack
And many others