Help Center/ Web Application Firewall/ User Guide (Kuala Lumpur Region)/ Policies/ Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration
Updated on 2024-03-14 GMT+08:00

Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration

If WAF blocks a malicious request by IP address, Cookie, or Params, you can configure a known attack source rule to let WAF automatically block all requests from the attack source for a blocking duration set in the known attack source rule. For example, if a blocked malicious request originates from an IP address and you set the blocking duration to 500 seconds, WAF will block the IP address for 500 seconds after the known attack source rule takes effect.

Known attack source rules can be used by basic web protection, precise protection, IP address blacklist, and IP address whitelist rules. You can use known attack source rules in basic web protection, precise protection, and IP blacklist or whitelist rules as long as you set Protective Action to Block for these rules.

Prerequisites

You have added your website to a policy.

Constraints

  • For a known attack source rule to take effect, it must be enabled when you configure basic web protection, precise protection, blacklist, or whitelist protection rules.
  • It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.
  • Before adding a known attack source rule for malicious requests blocked by Cookie or Params, a traffic identifier must be configured for the corresponding domain name. For more details, see Configuring a Traffic Identifier for a Known Attack Source.

Specification Limitations

  • You can configure up to six blocking types. Each type can have one known attack source rule configured.
  • The maximum time an IP address can be blocked for is 30 minutes.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Security > Web Application Firewall to go to the Dashboard page.
  4. In the navigation pane on the left, choose Policies.
  5. Click the name of the target policy to go to the protection configuration page.
  6. In the Known Attack Source configuration area, change Status if needed and click Customize Rule to go to the Known Attack Source page.
  7. In the upper left corner above the known attack source rules, click Add Known Attack Source Rule.
  8. In the displayed dialog box, specify the parameters by referring to Table 1.

    Table 1 Known attack source parameters

    Parameter

    Description

    Example Value

    Blocking Type

    Specifies the blocking type. The options are:

    • Long-term IP address blocking
    • Short-term IP address blocking
    • Long-term Cookie blocking
    • Short-term Cookie blocking
    • Long-term Params blocking
    • Short-term Params blocking

    Long-term IP address blocking

    Blocking Duration (s)

    The blocking duration must be an integer and range from:

    • (300, 1800] for long-term blocking
    • (0, 300] for short-term blocking

    500

    Rule Description

    A brief description of the rule. This parameter is optional.

    None

  9. Click Confirm. You can then view the added known attack source rule in the list.

Related Operations

  • To modify a rule, click Modify in row containing the rule.
  • To delete a rule, click Delete in the row containing the rule.