We just rolled out an update to CloudFlare's Web Application Firewall (WAF). Previously, CloudFlare's WAF has received criticism from people who have tested it and found that it didn't behave as traditional WAFs are expected to. That contrasted with the real-world experience of users who saw our WAF virtually eliminate actual web threats. Seemingly paradoxically, all of the following are correct: the criticisms weren't wrong, and CloudFlare's original WAF was working as designed. I'll explain below, but first some history.

I started working in the Internet security space in 1998. At the time, I was interested in the emerging problem of email spam. The state-of-the-art technology in 1998 for battling spam was an open source project called SpamAssassin. SpamAssassin was a rules-based email filter engine. At a simplistic level, it had a list of things that were likely to appear in spam messages (e.g., the word "viagra"), each with a score. When a new message arrived, it was run through the engine, each hit incremented the score, and a message was considered "spam" if the score exceeded a certain threshold.

This rules-based approach had at least two major flaws. First, it was very difficult to configure because every organization's needs were different. For instance, while "viagra" may have been an indication of spam in many cases, if you were setting up SpamAssassin for the Pfizer corporation (which manufactures the drug) then "viagra" may actually have been an indication of non-spamminess. Second, the bad people had access to the same standard rule sets as the good people. That meant it was easy for them to craft messages that could bypass the filters. Remember spam messages that spelled "viagra" like "…"? It turns out that there are 1,300,925,111,156,286,160,896 different ways you can spell the word "viagra". Since the rules-based approach of SpamAssassin was brittle, it was easy for attackers to get around the rules.

In 2002, before he started Y Combinator, Paul Graham wrote an influential essay called "A Plan for Spam." The essay suggested that the rules-based approach for email filtering was headed down the wrong path. Instead, Paul argued anti-spam systems should be based on heuristics. Specifically, he outlined a Bayesian statistics-based approach where spam filters could be self-learning, based on a statistical calculation of "normal" adjusted for an individual user's feedback marking messages as "spam" and "not spam." In 2003, after an overwhelming response to his essay, Paul organized the first MIT Anti-Spam Conference. From that conference, many of the companies that would go on to largely solve the email spam problem (at least from the perspective of end users) would emerge. Paul turned out to be right, and whatever email program you're using today, it is almost guaranteed that a heuristic engine is making the decision on what ends up in your spam folder.

I attended the MIT Anti-Spam Conference for several years and, in 2005, Paul invited me to give a talk on Project Honey Pot which, in many ways, was the open source project that served as the initial inspiration for CloudFlare. The MIT Anti-Spam Conference was also where I first met John Graham-Cumming, who now works on CloudFlare's team and was the principal architect behind our WAF update. More on that in a second, but first a bit about the state of traditional WAFs today.

Traditional WAFs

A decade after the first MIT Spam Conference, the archetype of the traditional WAF is an open source project known as ModSecurity. Most commercial WAFs are based around the same fundamental design. At a simplistic level, ModSecurity has a list of things that are likely to appear in different types of web-based attacks, each with a score. When a new web request arrives, it is run through the ModSecurity engine, each hit increments a score, and the request is considered a threat if the score exceeds a certain threshold. Sound familiar? It should; it's the same rules-based approach that SpamAssassin used. It also suffers from the same challenges.
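To make the contrast concrete, here is an added illustration (not code from CloudFlare, SpamAssassin or ModSecurity) of the two designs the post describes: a static rule list where every hit adds a score and a threshold decides, and a Bayesian filter that derives its notion of "normal" from what one user marked as spam and not spam. The rule patterns, weights and the two small mail corpora (a pharmaceutical company and a generic office user) are constructed for this example; the Bayesian part is a simplified version of the scheme in "A Plan for Spam".

```python
"""Rules-based scoring vs. a self-learning Bayesian filter (added example)."""
import re
from collections import Counter

# Rules engine in the SpamAssassin / ModSecurity mould: (pattern, score) pairs.
# Each hit adds its score; over the threshold means "spam" (or "threat" for a WAF).
# Patterns and weights are invented for this illustration.
RULES = [
    (r"\bviagra\b", 4.0),
    (r"\bfree\b", 1.5),
    (r"\bclick here\b", 2.0),
    (r"!!!", 1.0),
]
THRESHOLD = 5.0


def rule_score(text, rules=RULES):
    """Total score plus the rules that hit, like a SpamAssassin report."""
    hits = [(p, s) for p, s in rules if re.search(p, text, re.IGNORECASE)]
    return sum(s for _, s in hits), hits


def rule_is_spam(text, rules=RULES, threshold=THRESHOLD):
    return rule_score(text, rules)[0] >= threshold


def tokens(text):
    return set(re.findall(r"[a-z0-9$']+", text.lower()))


class BayesFilter:
    """No hand-written rules: token probabilities come from this user's feedback."""

    def __init__(self):
        self.spam_counts, self.ham_counts = Counter(), Counter()
        self.n_spam = self.n_ham = 0

    def train(self, text, is_spam):
        """One message the user marked as spam (True) or not spam (False)."""
        (self.spam_counts if is_spam else self.ham_counts).update(tokens(text))
        if is_spam:
            self.n_spam += 1
        else:
            self.n_ham += 1

    def token_prob(self, tok):
        """P(spam | token): ham counts weighted x2, clamped to [0.01, 0.99],
        unseen tokens neutral at 0.4 (simplified from 'A Plan for Spam')."""
        good, bad = 2 * self.ham_counts[tok], self.spam_counts[tok]
        if good + bad < 1:
            return 0.4
        p_good = min(1.0, good / max(self.n_ham, 1))
        p_bad = min(1.0, bad / max(self.n_spam, 1))
        return max(0.01, min(0.99, p_bad / (p_good + p_bad)))

    def spam_prob(self, text):
        """Naive-Bayes combination of the 15 most decisive token probabilities."""
        probs = sorted((self.token_prob(t) for t in tokens(text)),
                       key=lambda p: abs(p - 0.5), reverse=True)[:15]
        prod, inv_prod = 1.0, 1.0
        for p in probs:
            prod *= p
            inv_prod *= 1.0 - p
        return prod / (prod + inv_prod)

    def is_spam(self, text):
        return self.spam_prob(text) > 0.5


def train_filter(ham, spam):
    f = BayesFilter()
    for m in ham:
        f.train(m, False)
    for m in spam:
        f.train(m, True)
    return f


# Constructed sample mail for two users with different notions of "normal".
SPAM = ["free viagra click here!!!", "click here for free pills!!!",
        "free money click here now!!!"]
PHARMA_HAM = [  # a drug maker: the product name is routine business mail
    "viagra shipment schedule for the warehouse team",
    "please review the viagra packaging spec",
    "viagra trial results attached for review",
    "notes from the viagra pricing meeting attached"]
GENERIC_HAM = ["lunch on thursday with the team",
               "attached are the meeting notes from monday",
               "can you review the budget spreadsheet",
               "presentation on friday, can you join"]
GENERIC_SPAM = SPAM + ["viagra samples free for you click here"]


def demo():
    """Same message, three verdicts: static rules, rules after a manual
    per-deployment edit, and the two users' self-learned filters."""
    msg = "viagra free samples for the trial, see attached"
    pharma = train_filter(PHARMA_HAM, SPAM)
    generic = train_filter(GENERIC_HAM, GENERIC_SPAM)
    no_drug_rule = [r for r in RULES if "viagra" not in r[0]]
    return {"rules": rule_is_spam(msg),                       # hits every deployment
            "rules_reconfigured": rule_is_spam(msg, no_drug_rule),
            "bayes_pharma": pharma.is_spam(msg),              # learned it is normal
            "bayes_generic": generic.is_spam(msg)}


def feedback_demo():
    """A spelling absent from the rule list: rules never catch it, while the
    Bayesian filter picks it up after the user marks one such message."""
    f = train_filter(GENERIC_HAM, GENERIC_SPAM)
    msg = "cheap v1agra, order today"
    before = (rule_is_spam(msg), f.is_spam(msg))
    f.train("v1agra order form, cheap today", True)  # one click of "mark as spam"
    return before, (rule_is_spam(msg), f.is_spam(msg))


if __name__ == "__main__":
    print(demo())
    print(feedback_demo())
```

`demo()` shows the first flaw in the post: the rule list flags the pharmaceutical user's routine mail until someone hand-edits the rules for that deployment, whereas each Bayesian filter reaches the verdict its own user's feedback implies. `feedback_demo()` shows the second: a variant the rule author never wrote down stays invisible to the rules, but the Bayesian filter adapts from a single "spam" mark.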