Updated on 2024-11-04 GMT+08:00

Blocking Network Attacks

CFW provides attack defense to help you detect common network attacks.

Adjusting the IPS Protection Mode to Block Network Attacks

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column of a firewall to go to its details page.
  5. In the navigation pane, choose Attack Defense > Intrusion Prevention.
  6. Select a proper protection mode.

    • Observe: Attacks are detected and recorded in logs but are not intercepted.
    • Intercept: Attacks and abnormal IP address access are automatically intercepted.
      • Intercept mode - loose: The protection granularity is coarse. In this mode, only attacks with high threat and high certainty are blocked.
      • Intercept mode - moderate: The protection granularity is medium. This mode meets protection requirements in most scenarios.
      • Intercept mode - strict: The protection granularity is fine-grained, and all attack requests are intercepted.
    • You are advised to use the observe mode for a period of time before using the intercept mode. For details about how to view attack event logs, see Attack Event Logs.
    • If packets are incorrectly blocked by a defense rule, you can modify the action of the rule in the basic defense rule library. For details, see IPS Rule Management.

Enabling Sensitive Directory Scan Defense

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column of a firewall to go to its details page.
  5. In the navigation pane, choose Attack Defense > Intrusion Prevention.
  6. Click Advanced. In the Sensitive Directory Scan Defense area, click to enable protection.

    • Action:
      • Observe: If the firewall detects a sensitive directory scanning attack, it only records the attack in Attack Event Logs.
      • Block session: If the firewall detects a sensitive directory scan attack, it blocks the current session.
      • Block IP: If CFW detects a sensitive directory scan attack, it blocks the attack IP address for a period of time.
    • Duration: If Action is set to Block IP, you can set the blocking duration. The value range is 60s to 3,600s.
    • Threshold: CFW performs the specified action if the scan frequency of a sensitive directory reaches this threshold.

Enabling Reverse Shell Defense

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column of a firewall to go to its details page.
  5. In the navigation pane, choose Attack Defense > Intrusion Prevention.
  6. Click Advanced. In the Reverse Shell Defense module, click to enable defense.

    • Action:
      • Observe: If the firewall detects a reverse shell attack, it only records the attack in Attack Event Logs.
      • Block session: If the firewall detects a reverse shell attack, it blocks the current session.
      • Block IP: If CFW detects a reverse shell attack, it blocks the attack IP address for a period of time.
    • Duration: If Action is set to Block IP, you can set the blocking duration. The value range is 60s to 3,600s.
    • Mode:
      • Conservative: coarse-grained protection. Observation or interception is triggered only after four attacks are detected in a single session, which keeps false positives out of the results.
      • Sensitive: fine-grained protection. Observation or interception is triggered after two attacks are detected in a single session, which ensures that attacks are detected and handled early.
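As an added example that is not CFW code or part of this guide, the following Python models the action, duration and per-session hit-count semantics described above for one defense module, so that the effect of each setting can be checked before it is applied to live traffic. The class name `DefenseModule`, the timestamps in seconds and the sample source addresses are assumptions; the sensitive directory scan Threshold is treated here as a plain hit count per session rather than a frequency.

```python
from collections import defaultdict

ACTIONS = ("observe", "block_session", "block_ip")
# Detections per session before the configured action fires (Conservative / Sensitive modes)
MODE_HITS = {"conservative": 4, "sensitive": 2}

def validate_duration(seconds):
    """Block IP duration must stay within the 60s to 3,600s range given on the page."""
    if not 60 <= seconds <= 3600:
        raise ValueError("duration must be between 60 and 3600 seconds")
    return seconds

class DefenseModule:
    """Hypothetical model of one CFW defense module: Observe, Block session or Block IP."""

    def __init__(self, action, hits_to_trigger, duration=60):
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        self.action = action
        self.hits_to_trigger = hits_to_trigger
        self.duration = validate_duration(duration)
        self.hits = defaultdict(int)      # session id -> detections so far
        self.blocked_sessions = set()
        self.blocked_ips = {}             # source ip -> time the block expires
        self.events = []                  # entries that would show up in Attack Event Logs

    def handle(self, src_ip, session_id, now):
        """Verdict for one detection: 'pass', 'observe', 'block_session' or 'block_ip'."""
        expires = self.blocked_ips.get(src_ip)
        if expires is not None:
            if now < expires:
                return "block_ip"         # block still in force; nothing else is evaluated
            del self.blocked_ips[src_ip]  # duration elapsed, the address is released
        if session_id in self.blocked_sessions:
            return "block_session"
        self.hits[session_id] += 1
        if self.hits[session_id] < self.hits_to_trigger:
            return "pass"                 # below the mode's hit count, no action yet
        self.events.append((now, src_ip, session_id, self.action))
        if self.action == "block_session":
            self.blocked_sessions.add(session_id)
        elif self.action == "block_ip":
            self.blocked_ips[src_ip] = now + self.duration
        return self.action

def demo_sensitive_block_ip():
    """Sensitive mode + Block IP (60s): second hit blocks; a new session from the same
    constructed address is rejected until the block expires, then evaluated afresh."""
    m = DefenseModule("block_ip", MODE_HITS["sensitive"], duration=60)
    return [m.handle("198.51.100.7", "s1", 0), m.handle("198.51.100.7", "s1", 1),
            m.handle("198.51.100.7", "s2", 2), m.handle("198.51.100.7", "s2", 61)]
```

Running `demo_sensitive_block_ip()` returns `['pass', 'block_ip', 'block_ip', 'pass']`; an Observe module with the conservative setting logs the fourth and later hits without ever returning a block verdict.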

Follow-up Operations

For details about the protection overview, see Viewing Attack Defense Information on the Dashboard. For details about logs, see Attack Event Logs.