Case Study: About Shellshock, Traditional WAF Approach and Fish “Shoal Protection”

Share Article

The recent Shellshock vulnerability now makes it evident that relying only on typical “dictionary based” WAFs is both dangerous and ineffective when it comes to websites security. Fireblade proposes a behavioral based approach as a more capable option.

Indeed, this is the classic definition of a Zero-Day Attack and when a threat like Shellshock pops up, it changes the dynamics of the entire web defense game

As was first published on Fireblade's blog:

After the announcement of the recent Shellshock (CVE-2014-6271 and CVE-2014-7169) vulnerability, it becomes apparent again how fragile and dangerous a typical “dictionary based” WAF can be when it comes to websites security.

Besides the fact that dictionary based web application firewalls (WAF) need to be updated regularly to address new threat patterns through known attacks such as SQL Injections and XSS attacks, the main cause for concern is when a completely new attack vector is discovered.

Obviously, until this vector is discovered, there is no active research assigned to inspect different angles of potential attack payloads. Such research and inspection is done only on known attack vectors, where research teams try to foresee new patterns or draw logical conclusions about new patterns through hacking tool updates or competitions.

Indeed, this is the classic definition of a Zero-Day Attack and when a threat like Shellshock pops up, it changes the dynamics of the entire web defense game. First, companies that rely on traditional WAFs are practically defenseless the entire time before vulnerabilities are publicly recognized since the technology relies heavily on known and preexisting threats. It is only after vulnerabilities are discovered and publicized that traditional WAF service providers will update new patterns to the firewall dictionary, add and update new WAF rules and distribute them accordingly. This is indeed what companies like Cloudflare and Akamai did. However, usually that will happen only after a significant number of exposed websites and businesses get hacked, penetrated and may have already suffered losses.

Upon deeper assessment and consideration, such a protection concept is also being used in nature by defenseless fishes, in what is known as “Shoal Protection”. For example, each fish in the shoal benefits from a phenomenon known as the ”Numerical Dilution Effect”, which suggests that simply being part of a group reduces the chances of being killed. In a shoal of one hundred fish, each individual has only a one-in-one-hundred chance of being killed during an attack. And so, when unfortunate fish on the outskirts of the shoal get eaten by a lucky predator, the whole group adapts and changes its course.

Relating that concept to the world of Internet Security, those companies that have automatic updates are provided with a reasonable defense to the upcoming surge of attacks that will happen when vulnerabilities are exposed. However, the biggest issue is really the fact that there is little knowledge about possible attack variations. Hence, the remedy provided by WAF directory updates are trivial and are rapidly becoming less effective. Therefore, in cases where there is a lack of experience and pattern history, the probability of malicious attacks breaking defenses is relatively high, and will remain so until the proper knowledge is acquired and implemented. As mentioned, such knowledge is usually being deduced from the unfortunate experience of some companies’ websites, where attacks already succeeded. For those, classic WAF updates will probably come too little, too late; similarly to those poor fishes who become prey within their shoal.

Behavioral Security

When additional behavioral properties are applied to WAF defenses, such as Fireblade’s innovative behavioral technology for website security, businesses are presented with more positive prospects for safety and mitigating attacks. Even with the Shellshock attack, a hacker will be required to explore many weak points like CGI’s that incorporate information coming from requests (like certain headers) into bash scripts, in a way that can trigger a code execution.

Indeed, this can also be done manually, but a hacker will want to test that on multiple CGIs and multiple domains, or to mount it on compromised servers in order to execute the attack. The hacker will probably be required to use automation in the hacking attempt which will certainly display predictable malicious behavior. Therefore, being equipped with Fireblade’s anti-automation defense, which is based on spotting behavioral anomalies, companies can be confident that it will block the automated process long before it can fully be executed, and detect system weaknesses for new individual attack vectors.

Shellshock treatment by Fireblade

Fireblade monitors both the web security industry as well as clients’ systems in real-time; and immediately after the Shellshock vulnerability was discovered and made public all systems were examined to determine their capacity to handle early exploit attempts. Unlike many other web security companies, it was pleasing to discover, post factum, that Fireblade’s multi-layered firewall had indeed identified and blocked numerous automated bot attempts at exploiting the Shellshock vulnerability. This was further proof that the innovative combination of rule-based, reputational and behavioral mitigation along with powerful web application firewalls (WAF) is a winning strategy and technique for protecting customers’ valuable assets against Zero Day Attacks.

As was first published on Fireblade's blog:


About Fireblade:

Fireblade empowers websites with uncompromising Security, Speed, Monitoring and Availability capabilities, in one cost-effective solution with its cloud based SaaS. The company was co-founded in 2009 by Shay Rapaport and Erez Azaria in response to the growing website security threats and malicious bot traffic. Fireblade protects billions of page-hits each month for a fast growing client-base, which includes some of the largest and busiest websites. Fireblade is privately funded, with its headquarters in Israel. More information can be found at

Media Contact:

Eran Tsur
+972 3 729 3100

Share article on socal media or email:

View article via:

Pdf Print

Contact Author

Eran Tsur
+972 37293100
Email >
since: 01/2014
Follow >

Visit website