Configuration Cases - Learn More
Case 1: Heavy-Traffic and High-Frequency CC Attacks
In large-scale CC attacks, a single zombie server can send far more packets than a common user does. In this scenario, a rate limiting rule is the most effective way to defend against this type of CC attack.
Configuration example: You can configure the following CC rule to mitigate CC attacks. If an IP address accesses any path under the current domain name more than 1000 times within 30 seconds, the rule blocks requests from that IP address for 10 hours. This rule can be used as a preventive configuration for common small and medium-sized websites.
For more refined protection, adjust the rate limit settings and specify an appropriate protective action based on your service requirements. For example, to protect the login interface from credential stuffing attacks, set the logical operator to Prefix is and set the matching content to the specific login path, such as /login.php.

Case 2: Configuring Service Cookie to Restrict Malicious Bonus Hunting and Downloads
To steal extra bonuses (such as promotional goods or downloads), a malicious actor may use the same account to send requests to a website while changing IP addresses or terminals.
The configuration is as follows:
- Rate Limit Mode: Select Source and then Per user.
- User Identifier: Select Cookie and set the cookie key value to the user ID field.
- Trigger: Set Field to Path, and configure Logic and Content based on your service requirements.
- Set the other parameters based on your service needs.

Case 3: Using HWWAFSESID to Restrict Malicious Bonus Hunting and Downloads
To steal extra bonuses (such as promotional goods or downloads), a malicious actor may use multiple accounts to send requests to a website from the same PC while frequently changing its IP address.
HWWAFSESID: session ID. WAF inserts HWWAFSESID into the cookie of a customer request. WAF uses this field to collect statistics on security features and to count requests by user in CC attack protection rules.
The configuration is as follows:
- Rate Limit Mode: Select Source and then Per user.
- User Identifier: Select Cookie and set it to HWWAFSESID.
- Trigger: Set Field to Path, and configure Logic and Content based on your service requirements.
- Set the other parameters based on your service needs.
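
The difference between counting per IP (Case 1) and counting per user by cookie (Cases 2 and 3) can be seen in the following simplified model. It is an added example, not WAF code. The class and function names, the uid cookie name, the /promo/claim path, the fallback to the source IP and the sample traffic are all assumptions made for the illustration. Passing HWWAFSESID as the key field models Case 3 in the same way.

```python
from collections import defaultdict, deque

class CCRule:
    """Simplified model of a CC rule: more than `limit` matching requests from one
    key within `window` seconds blocks that key for `block` seconds."""

    def __init__(self, key_field, limit=1000, window=30, block=10 * 3600, prefix="/"):
        self.key_field = key_field        # "ip" = per IP; otherwise a cookie name = per user
        self.limit, self.window, self.block = limit, window, block
        self.prefix = prefix              # trigger: Path "Prefix is" <prefix>
        self.hits = defaultdict(deque)    # key -> timestamps still inside the window
        self.blocked_until = {}           # key -> time at which the block expires

    def key(self, req):
        if self.key_field == "ip":
            return req["ip"]
        # Assumption of this model: with no cookie present, count by source IP.
        return req["cookies"].get(self.key_field, req["ip"])

    def allow(self, req, now):
        if not req["path"].startswith(self.prefix):
            return True                   # trigger not matched, rule does not apply
        k = self.key(req)
        if self.blocked_until.get(k, 0) > now:
            return False                  # still inside the block period
        q = self.hits[k]
        q.append(now)
        while q[0] <= now - self.window:  # drop hits that left the window
            q.popleft()
        if len(q) > self.limit:
            self.blocked_until[k] = now + self.block
            return False
        return True

def replay(rule, traffic):
    """Feed (timestamp, request) pairs to the rule; return how many were blocked."""
    return sum(not rule.allow(req, t) for t, req in traffic)

# Constructed traffic: one account (cookie uid=u42) sends 1500 requests in 15 s,
# rotating through 250 documentation-range source IPs (6 requests per IP).
TRAFFIC = [(i * 0.01, {"ip": f"198.51.100.{i % 250 + 1}", "path": "/promo/claim",
                       "cookies": {"uid": "u42"}}) for i in range(1500)]

if __name__ == "__main__":
    print("per IP  :", replay(CCRule("ip"), TRAFFIC), "blocked")
    print("per user:", replay(CCRule("uid"), TRAFFIC), "blocked")
```

With the per-IP key no single address reaches the threshold, while the cookie key attributes all requests to one user and blocks everything after the 1000th.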
