Limiting Accesses Through Cookie Field Configuration
In some cases, it may be difficult for WAF to obtain real IP addresses of website visitors. For example, if a website uses proxies that do not use the X-Forwarded-For HTTP header field, WAF is unable to obtain the real access IP addresses. In this situation, the cookie field should be configured to identify visitors and All WAF instances should be enabled for precise user-based rate limiting.
Use Cases
Attackers may control several hosts and disguise as normal visitors to continuously send HTTP POST requests to website www.example.com through the same IP address or many different IP addresses. As a result, the website may respond slowly or even fails to respond to normal requests as the attackers exhausted website resources like connections and bandwidth.
Protective Measures
- Based on the access statistics, check whether a large number of requests are sent from a specific IP address. If yes, it is likely that the website was hit by CC attacks.
- Log in to the management console and route website traffic to WAF. For details about how to connect a domain name to WAF, see Adding a Domain Name.
- In the Policy column of the row containing the target domain name, click the number of enabled protection rules. On the displayed Policies page, keep the Status toggle on (
) for CC Attack Protection.
Figure 1 CC Attack Protection configuration area
- Add a CC attack protection rule, as shown in Figure 2.
- Rate Limit Mode: Select Per user to distinguish a single web visitor based on cookies.
- User Identifier: To identify visitors more effectively, use sessionid or token.
- Rate Limit: Number of requests allowed from a web visitor in the rate limiting period. The visitor's access request is denied if the limit is reached.
- Protective Action: Select Block. Then specify Block Duration. Once an attack is blocked, the attacker will be blocked until the block duration expires. These settings are recommended if your applications have high security requirements.
- Block Page: Select Default settings or Custom.
- In the navigation pane on the left, choose Events. You can view details about attack events.
Example: Restricting Malicious Requests in Promotions by Using Cookies and HWWAFSESID
- Scenario 1: To steal extra bonus (such as goods in promotions or downloads), a malicious actor may use the same account to send requests to a website by changing IP addresses or terminals.
Protective measures: Scenario 1: Using Cookies (or User IDs) to Configure a Path-based CC Attack Protection Rule
- Scenario 2: To steal extra bonus (such as goods in promotions or downloads), a malicious actor may use multiple accounts to send requests to a website through the same PC by frequently changing its IP address.
Protective measures: Scenario 2: Using HWWAFSESID to Configure a Path-based CC Attack Protection Rule
Scenario 1: Using Cookies (or User IDs) to Configure a Path-based CC Attack Protection Rule
- Log in to the management console and connect your website to WAF. For details, see Adding a Domain Name to WAF.
- In the Policy column of the row containing the domain name, click the number to go to the Policies page.
- In the CC Attack Protection configuration area, toggle CC Attack Protection on if needed.
Figure 3 CC Attack Protection configuration area
- In the upper left corner of the CC Attack Protection page, click Add Rule.
- Configure a CC attack protection rule using a cookie or user ID to limit traffic to the path. Figure 4 shows an example.
- Rate Limit Mode: Select Source and then Per user.
- User Identifier: Select Cookie and set the cookie key value to the user ID field.
- Trigger: Set Field to Path, and set Logic and Content based on site requirements.
- Other parameters: Set them to meet your service requirements.
- Click Confirm.
Scenario 2: Using HWWAFSESID to Configure a Path-based CC Attack Protection Rule
HWWAFSESID: session ID. WAF inserts HWWAFSESID (session ID) into the cookie of a customer request. WAF uses this field to count client requests. If the number of requests reaches the threshold, the CC attack protection rule will be triggered. Now, let's see how to use this field to configure a CC attack protection rule.
- Log in to the management console and connect your website to WAF. For details, see Adding a Domain Name to WAF.
- In the Policy column of the row containing the domain name, click the number to go to the Policies page.
- In the CC Attack Protection configuration area, toggle CC Attack Protection on (
) if needed.
Figure 5 CC Attack Protection configuration area
- In the upper left corner of the CC Attack Protection page, click Add Rule.
- Configure a CC attack protection rule using HWWAFSESID to limit traffic to the path. For details, see Figure 6.
- Rate Limit Mode: Select Source and then Per user.
- User Identifier: Select Cookie and set it to HWWAFSESID.
- Trigger: Set Field to Path, and set Logic and Content based on site requirements.
- Other parameters: Set them to meet your service requirements.
- Click OK.
Protection Verification
If you have configured a CC attack protection rule for your domain name www.example.com by referring to Protective Measures, take the following steps to verify the protection:
- Clear the browser cache, access http://www.example.com/ that meets the cookie condition, and refresh the page for 10 times within 60 seconds. Normally, WAF blocks the request on the 11th access and returns the custom block page.
- Return to the WAF console. In the navigation pane on the left, click Events. On the displayed page, check event details.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.
