We built our bot to automatically avoid detection of any static WAF configuration. We randomly cycled through user agent strings, distributed the attack across 5-600 nodes, rapidly rotated proxy nodes in short bursts and maintained rate limits below levels able to use controlled without impacting real users.
K-bot detection with WAF: 0-5%
IP reputation ability: LOW
False positive risk: HIGH
Basically, WAF’s are not capable of defending these attacks. A WAF is a static configuration that is looking for known bad behaviour. Our ‘payload’ was benign: a username/password and our tactics evaded any form of network / request analysis. Any attempt to control this attack with a WAF would result in an unacceptably high number of false positives – denying real users access to their account.