Updated on 2024-06-06 GMT+08:00

Limiting Accesses Through IP Address-based Rate Limiting

If no proxy (for example, a CDN or reverse proxy) sits between web visitors and WAF, the source IP address WAF sees is the visitor's real address, so limiting requests by source IP address is an effective way to detect and throttle attacks. In that deployment, IP address-based rate limiting policies are recommended. If a proxy does sit in front of WAF, all requests arrive from the proxy's IP address and a per-IP limit would throttle every visitor behind it; use a rate limit mode that distinguishes individual users instead.

Use Cases

Attackers use several hosts to continuously send HTTP POST requests to the website www.example.com. These malicious requests exhaust website resources such as connections and bandwidth. As a result, the website stops responding to legitimate requests and its service availability drops sharply.

Protective Measures

  1. Based on the access statistics, check whether a large number of requests were sent from a specific IP address. If so, the website is likely under a CC attack.
  2. Log in to the management console and route website traffic to WAF. For more details, see Adding a Domain Name to WAF.
  3. In the Policy column of the row containing the target domain name, click the number of enabled protection rules. On the displayed Policies page, keep the Status toggle on for CC Attack Protection.
    Figure 1 CC Attack Protection configuration area
  4. Add a CC attack protection rule to limit the rate of request traffic destined for the domain name. Set Rate Limit Mode to Per IP address, set Rate Limit to a value that suits your service, and set Protective Action to Verification code so that legitimate users are challenged rather than blocked. Figure 2 shows the settings.
    Figure 2 Per IP address
    • Rate Limit Mode: Select Source and then Per IP address to distinguish each web visitor by source IP address.
    • Rate Limit: Number of requests allowed from a single visitor within the rate limiting period. Once the limit is reached, the protective action is applied to the visitor's further requests in that period.
    • All WAF instances: Whether requests arriving at one or more WAF instances are counted together for this rule. By default, requests to each WAF instance are counted separately. If you enable this option, WAF counts requests to all of your WAF instances when deciding whether the rule is triggered. This option matters for user-based rate limiting, where Rate Limit Mode is set to Per user or Other (Referer must be configured) rather than Per IP address, because IP address-based rate limiting cannot limit the access rate of a specific user, and a user's requests may be forwarded to different WAF instances. Enable All WAF instances in that case so that the rule triggers precisely.
    • Protective Action: To prevent legitimate requests from being blocked, select Verification code.

      Verification code: A verification code is required once a visitor's requests reach the configured Rate Limit. WAF still allows the requests that trigger the rule as long as the visitor completes the verification, so a legitimate user who exceeds the limit can continue after entering the code, while automated CC traffic cannot.
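The following added example (not WAF's own implementation, and not part of this page) shows the two pieces of the procedure above in working code: step 1, counting requests per source IP from an access log, and step 4, a per-IP sliding-window rate limit that answers requests beyond the limit with a verification-code challenge instead of dropping them. The log lines, IP addresses, paths and the limit of 10 requests per 10 seconds are all constructed for the example.

```python
"""Per-IP rate limiting over access-log lines (added example, not WAF code)."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Combined-log-format style line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), method, path, int(status)


def count_by_ip(log_text):
    """Step 1 of the procedure: how many requests did each source IP send?"""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[rec[0]] += 1
    return counts


class PerIpRateLimiter:
    """Sliding-window limiter: at most `limit` requests per `period` for each source IP.

    A request beyond the limit gets the verdict "challenge" (the page's Verification
    code action); the request still counts toward the window, as the page describes.
    """

    def __init__(self, limit, period_seconds):
        self.limit = limit
        self.period = timedelta(seconds=period_seconds)
        self.windows = defaultdict(deque)  # ip -> timestamps inside the current window

    def check(self, ip, ts):
        win = self.windows[ip]
        # Evict requests that have fallen out of the rate limiting period.
        while win and win[0] < ts - self.period:
            win.popleft()
        win.append(ts)
        return "challenge" if len(win) > self.limit else "allow"


def simulate(log_text, limit=10, period_seconds=10):
    """Replay a log through the limiter; returns {ip: Counter({"allow": n, "challenge": m})}.

    Lines are replayed in file order, which is in timestamp order for each IP here.
    """
    limiter = PerIpRateLimiter(limit, period_seconds)
    verdicts = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ip, ts = rec[0], rec[1]
            verdicts[ip][limiter.check(ip, ts)] += 1
    return dict(verdicts)


# Constructed sample log: 203.0.113.7 fires 12 POSTs in 12 seconds (CC-style traffic),
# 198.51.100.20 browses normally. Both IPs come from documentation ranges, not real hosts.
def _line(ip, second, method, path):
    return f'{ip} - - [06/Jun/2024:10:00:{second:02d} +0800] "{method} {path} HTTP/1.1" 200 512'


SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, "POST", "/login") for s in range(12)]
    + [_line("198.51.100.20", s, "GET", "/index.html") for s in (2, 7, 11)]
)


if __name__ == "__main__":
    print("requests per source IP:", count_by_ip(SAMPLE_LOG).most_common())
    for ip, verdict in simulate(SAMPLE_LOG).items():
        print(ip, dict(verdict))
```

With a limit of 10 requests per 10 seconds, the attacking address has its 11th and 12th requests challenged while the normal visitor is never challenged; raising or lowering the limit in `simulate` shows how tight a value your own traffic tolerates before real users start seeing the verification code.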

Go to the Events page and view details about attack events.
Figure 3 Querying CC attack event logs