Cookie-based CC Attack Protection
In some cases, it may be difficult for WAF to obtain the real IP addresses of website visitors. For example, if a website sits behind proxies that do not set the X-Forwarded-For HTTP header field, WAF cannot obtain the real client IP addresses. In this situation, configure the cookie field to identify visitors and enable the All WAF instances option so that rate limiting is applied precisely per user.
Use Cases
Attackers may control several hosts and disguise them as normal visitors that continuously send HTTP POST requests to website www.example.com, either from the same IP address or from many different IP addresses. As a result, the website may respond slowly or even fail to respond to normal requests because the attackers have exhausted website resources such as connections and bandwidth.
Protective Measures
- Based on the access statistics, check whether a large number of requests are sent from a specific IP address. If yes, it is likely that the website is hit by CC attacks.
- Log in to the management console and route website traffic to WAF.
  - Cloud mode: Creating a Domain Name
  - Dedicated mode: Step 1: Add a Website to WAF (Dedicated Mode)
- In the Policy column of the row containing the target domain name, click the number of enabled protection rules. On the displayed Policies page, keep the Status toggle on for CC Attack Protection.
- Add a CC attack protection rule. Set Rate Limit Mode to Per user and enter the user identifier, which is the variable in the cookie field. To identify visitors more effectively, use sessionid or token.
With a CC attack protection rule, you can configure Protective Action to Block and specify a block duration. Then, once an attack is blocked, the attacker will be blocked until the block duration expires. These settings are recommended if your applications have high security requirements.
- Rate Limit Mode: Select Per user to distinguish a single web visitor based on cookies.
- User Identifier: To identify visitors more effectively, use sessionid or token.
- Rate Limit: Number of requests allowed from a web visitor in the rate limiting period. The visitor's access request is denied if the limit is reached.
- Protective Action: Select Block. Then specify Block Duration. Once an attack is blocked, the attacker will be blocked until the block duration expires. These settings are recommended if your applications have high security requirements.
  - Verification code: A verification code is required once a website visitor's requests reach the Rate Limit you configured. WAF allows requests that trigger the rule as long as the website visitor completes the required verification.
  - Block: Requests are blocked if the number of requests exceeds the configured rate limit.
  - Log only: Requests are logged but not blocked if the number of requests exceeds the configured rate limit.
- Block Page: Select Default settings or Custom.
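The following is an added illustration of the rule logic described above, not WAF code: requests are counted per visitor using the cookie variable chosen as User Identifier (sessionid here), and once the Rate Limit within the rate limiting period is exceeded the visitor is either blocked for the Block Duration or only logged. Window length, limit values and the handling of requests without the cookie are assumptions.

```python
import time
from collections import deque
from http.cookies import SimpleCookie


class CookieRateLimiter:
    """Per-user rate limiter keyed on a cookie variable, modelled on the
    WAF rule above: allow `limit` requests per `period` seconds, then
    apply Protective Action "block" (for block_duration) or "log"."""

    def __init__(self, identifier, limit, period, action="block", block_duration=600):
        self.identifier = identifier        # cookie field used as User Identifier
        self.limit = limit                  # Rate Limit: requests allowed per period
        self.period = period                # rate limiting period in seconds
        self.action = action                # "block" or "log" (Log only)
        self.block_duration = block_duration  # Block Duration in seconds
        self.windows = {}                   # user -> timestamps of recent requests
        self.blocked_until = {}             # user -> time at which the block expires
        self.events = []                    # (time, user, event) for the WAF log

    def user_id(self, headers):
        """Extract the identifier value from the Cookie header, or None."""
        cookie = SimpleCookie()
        cookie.load(headers.get("Cookie", ""))
        morsel = cookie.get(self.identifier)
        return morsel.value if morsel else None

    def check(self, headers, now=None):
        """Return 'allow', 'block' or 'log' for one request arriving at `now`."""
        now = time.time() if now is None else now
        user = self.user_id(headers)
        if user is None:
            return "allow"  # assumption: requests without the cookie are not counted here
        if self.blocked_until.get(user, 0) > now:
            return "block"  # still inside the Block Duration
        window = self.windows.setdefault(user, deque())
        window.append(now)
        while window and window[0] <= now - self.period:  # drop requests outside the period
            window.popleft()
        if len(window) <= self.limit:
            return "allow"
        if self.action == "block":
            self.blocked_until[user] = now + self.block_duration
            self.events.append((now, user, "blocked"))
            return "block"
        self.events.append((now, user, "rate limit exceeded"))
        return "log"
```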