"Bypass is not a solution," Aris said, slamming the incident report on the table. "It's an admission of defeat." Aris spent seventy-two hours reading the FileCatalyst protocol specification —a dense 200-page document. He learned that FileCatalyst had a "WebAgent"—a JavaScript module that allowed transfers to be initiated from a browser using WebSockets over HTTPS. But the real data plane was a proprietary UDP encapsulation.
Whenever Maya tried to enforce the WAF rules to inspect the FileCatalyst traffic, the throughput dropped from 900 Mbps to 12 Mbps. The WAF was trying to reassemble UDP datagrams into coherent HTTP requests, failing, and then throttling the connection to prevent a false positive DDoS.
The WAF never saw the data. But it saw everything that mattered.
A hacker in a simulated breach attempted to inject a malformed UDP packet. The WAF's Phase 3 anomaly detector saw a jitter spike from 0.3ms to 12ms. In 14 milliseconds, the WAF sent the kill command. The FileCatalyst server terminated the session before a single packet of corrupted data reached the S3 bucket.