Updated on 2024-06-06 GMT+08:00

Limiting Access Through Cookie Field Configuration

In some cases, WAF cannot obtain the real IP addresses of website visitors. For example, if a website sits behind proxies that do not set the X-Forwarded-For HTTP header field, WAF sees only the proxy's address, so every visitor behind that proxy shares one source IP address and IP-based rate limiting cannot tell them apart. In this situation, configure a cookie field to identify visitors and enable All WAF instances so that user-based rate limiting is counted precisely.

Use Cases

Attackers may control several hosts that pose as normal visitors and continuously send HTTP POST requests to the website www.example.com, either from the same IP address or from many different IP addresses. The attackers exhaust website resources such as connections and bandwidth, so the website responds slowly or even fails to respond to legitimate requests.

Protective Measures

  1. Based on the access statistics, check whether a large number of requests are sent from a specific IP address. If yes, the website is likely under a CC attack.
  2. Log in to the management console and route website traffic to WAF. For more details, see Adding a Domain Name to WAF.
  3. In the Policy column of the row containing the target domain name, click the number of enabled protection rules. On the displayed Policies page, keep the Status toggle on for CC Attack Protection.
    Figure 1 CC Attack Protection configuration area
  4. Add a CC attack protection rule. Set Rate Limit Mode to Per user and enter the user identifier, which is the name of the cookie whose value identifies a visitor. To identify visitors more effectively, use a server-issued session cookie such as sessionid or token. Note that the cookie value is supplied by the client: a request that omits or changes the cookie is counted as a different user, so the identifier you choose should be a value your application issues and validates rather than one a visitor can set freely.

    With a CC attack protection rule, you can set Protective Action to Block and specify a block duration. Once an attack is blocked, the attacker stays blocked until the block duration expires. These settings are recommended if your applications have high security requirements.

    Figure 2 Add CC Attack Protection Rule
    • Rate Limit Mode: Select Source and then Per user to distinguish a single web visitor based on cookies.
    • User Identifier: Name of the cookie whose value identifies a visitor. To identify visitors more effectively, use sessionid or token.
    • Rate Limit: Number of requests allowed from one web visitor in the rate limiting period. Once the limit is reached, the configured Protective Action is applied to the visitor's further requests.
    • All WAF instances: Whether requests handled by different WAF instances are counted together under the selected rate limit mode. By default, each WAF instance counts only the requests it handles, so a visitor whose requests are spread over several instances can stay under the limit on every instance while exceeding it in total. If you enable this option, WAF pools the counts from all your WAF instances when evaluating this rule. For user-based rate limiting, set Rate Limit Mode to Per user or Other (Referer must be configured) rather than Per IP address, because IP address-based rate limiting cannot limit the access rate of a specific user. Because a user's requests may be forwarded to one or more WAF instances, All WAF instances must be enabled for the rule to be triggered precisely.
    • Protective Action: Select Block. Then specify Block Duration. Once an attack is blocked, the attacker will be blocked until the block duration expires. These settings are recommended if your applications have high security requirements.
      • Verification code: When a visitor's requests reach the configured Rate Limit, WAF requires the visitor to complete a verification code. Requests that trigger the rule are allowed once the visitor completes the verification.
      • Block: Requests are blocked if the number of requests exceeds the configured rate limit.
      • Log only: Requests are logged only but not blocked if the number of requests exceeds the configured rate limit.
    • Block Page: Select Default settings or Custom.
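As an added illustration of the counting behaviour described above (example code written for this page, not WAF code or a Huawei Cloud API), the following Python script simulates a rate-limit rule over a constructed access log and shows why Per IP address misses an attacker spread over several IPs, why per-instance counting dilutes a Per user limit, and why requests without the cookie are never attributed in Per user mode. The log layout, the instance names waf-a and waf-b, the cookie name sessionid, the limit of 5 requests per 60 seconds and the fixed-window counter are all assumptions made for the simulation; the WAF's internal counting algorithm is not documented on this page.

```python
"""Added example (not Huawei Cloud WAF code): simulate a CC attack protection
rule in Per IP address vs Per user (cookie) mode, with and without pooling
counts across WAF instances. All inputs below are constructed."""

from collections import defaultdict

RATE_LIMIT = 5           # assumed rule value: requests allowed per period
RATE_LIMIT_PERIOD = 60   # assumed rule value: rate limiting period in seconds

# Constructed access log: (seconds, client_ip, waf_instance, cookies).
# Attacker session "atk1" is spread over three proxy IPs and both WAF
# instances; legitimate session "usr1" comes from one IP; two requests
# carry no cookie at all.
SAMPLE_LOG = [
    (t, f"10.0.0.{1 + t % 3}", "waf-a" if t % 2 == 0 else "waf-b",
     {"sessionid": "atk1"})
    for t in range(12)
] + [
    (2, "192.0.2.10", "waf-a", {"sessionid": "usr1"}),
    (7, "192.0.2.10", "waf-b", {"sessionid": "usr1"}),
    (9, "192.0.2.10", "waf-a", {"sessionid": "usr1"}),
    (4, "10.0.0.4", "waf-a", {}),
    (5, "10.0.0.4", "waf-b", {}),
]


def request_key(entry, mode, identifier):
    """Key a request the way the rule's Rate Limit Mode does.

    Returns None when the request cannot be attributed to anyone
    (Per user mode and the identifying cookie is absent)."""
    _, ip, _, cookies = entry
    if mode == "per_ip":
        return ip
    if mode == "per_user":
        return cookies.get(identifier)
    raise ValueError(f"unknown rate limit mode: {mode}")


def requests_per_key(log, mode, identifier="sessionid"):
    """Step 1 style access statistics: total requests per IP or per user."""
    totals = defaultdict(int)
    for entry in log:
        key = request_key(entry, mode, identifier)
        totals[key if key is not None else "<no cookie>"] += 1
    return dict(totals)


def rate_limit(log, mode, identifier="sessionid", all_instances=False,
               limit=RATE_LIMIT, period=RATE_LIMIT_PERIOD):
    """Fixed-window counter per (key, instance, window), an assumed model.

    all_instances=False mimics the default: each WAF instance counts only
    the requests it handles. all_instances=True pools the count.
    Returns (triggered, uncounted): per key, how many requests exceeded the
    limit, plus how many requests carried no identifier and were skipped."""
    counts = defaultdict(int)
    triggered = defaultdict(int)
    uncounted = 0
    for entry in sorted(log, key=lambda e: e[0]):
        seconds, _, instance, _ = entry
        key = request_key(entry, mode, identifier)
        if key is None:
            uncounted += 1      # Per user mode cannot count cookie-less requests
            continue
        bucket = (key, None if all_instances else instance, seconds // period)
        counts[bucket] += 1
        if counts[bucket] > limit:
            triggered[key] += 1
    return dict(triggered), uncounted


if __name__ == "__main__":
    print("per-IP totals:  ", requests_per_key(SAMPLE_LOG, "per_ip"))
    print("per-user totals:", requests_per_key(SAMPLE_LOG, "per_user"))
    for mode, pooled in [("per_ip", True), ("per_user", False), ("per_user", True)]:
        hits, skipped = rate_limit(SAMPLE_LOG, mode, all_instances=pooled)
        print(f"{mode:8} all_instances={pooled!s:5} triggered={hits} uncounted={skipped}")
```

In the run, Per IP address never triggers because each proxy IP stays at 4 requests, Per user with per-instance counting triggers only twice because each instance sees 6 of the attacker's 12 requests, and Per user with All WAF instances triggers 7 times. The two cookie-less requests are never attributed in Per user mode, which is why a Per user rule is best paired with a server-issued session cookie your application enforces.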