Blocking Heavy-Traffic CC Attacks Through CC Attack Protection Rules
A CC attack protection rule can limit access to your website based on the IP address or cookie of a visitor. If the number of access requests from a visitor exceeds the threshold you configure, you can require the visitor to enter a verification code to continue the access, or block the request and return a custom page of certain type to the visitor.
In heave-traffic CC attacks, a single zombie server can send far more packets than a common user does. In this scenario, a rate limiting rule is the most effective method to fend off this type of CC attacks.
- Cloud - CNAME access
- Service servers are deployed on any cloud or in on-premises data centers.
- Protected objects: domain names
- Cloud - Load balancer access mode
- Dedicated mode
This topic describes how to configure an IP-based CC attack protection rule to limit access traffic. We use WAF cloud CNAME access mode in this example.
Process
Procedure |
Description |
|---|---|
Sign up for a HUAWEI ID, enable Huawei Cloud services, top up your account, and assign WAF permissions to the account. |
|
Purchase WAF and select the region and WAF mode. |
|
Add the website you want to protect to WAF for traffic inspection and forwarding. |
|
Configure and enable CC attack protection rules to mitigate CC attacks against the protected website. |
Preparations
- Before purchasing WAF, create a Huawei account and subscribe to Huawei Cloud. For details, see Registering a HUAWEI ID and Enabling HUAWEI CLOUD Services and Real-Name Authentication.
If you have enabled Huawei Cloud services and completed real-name authentication, skip this step.
- Make sure that your account has sufficient balance, or you may fail to pay to your WAF orders.
- Make sure your account has WAF permissions assigned. For details, see Creating a User Group and Granting Permissions.
Table 1 System policies supported by WAF Role/Policy Name
Description
Category
Dependencies
WAF Administrator
Administrator permissions for WAF
System-defined role
Dependent on the Tenant Guest and Server Administrator roles.
- Tenant Guest: A global role, which must be assigned in the global project.
- Server Administrator: A project-level role, which must be assigned in the same project.
WAF FullAccess
All permissions for WAF
System-defined policy
None.
WAF ReadOnlyAccess
Read-only permissions for WAF.
System-defined policy
Step 1: Buy the Standard Edition Cloud WAF
This topic covers how to buy the standard edition cloud WAF, connect a website to WAF in cloud CNAME access mode, and configure and enable CC attack protection rules.
- Log in to Huawei Cloud management console.
- On the management console page, choose .
- In the upper right corner of the page, click Buy WAF. On the purchase page displayed, select a WAF mode.
- Region: Select the region nearest to your services WAF will protect.
- Edition: Select Standard.
- Expansion Package and Required Duration: Retain default settings.
- Confirm the product details and click Buy Now in the lower right corner of the page.
- Check the order details and read the WAF Disclaimer. Then, select the box and click Pay Now.
- On the payment page, select a payment method and pay for your order.
Step 2: Add a Website to WAF
- In the navigation pane on the left, choose Website Settings.
- In the upper left corner of the website list, click Add Website.
- Select Cloud - CNAME and click Configure Now.
- On the Add Domain Name page, set the parameters by referring to Figure 1.
Table 2 Key parameters Parameter
Description
Example
Protected Domain Name
The domain name you want to add to WAF for protection.
www.example.com
Protected Port
The port over which the website service traffic goes.
To protect port 80 or 443, select Standard port from the drop-down list.
Standard ports
Server Configuration
Server address configuration. You need to configure the client protocol, server protocol, server weights, server address, and server port.
- Client Protocol: protocol used by a client to access a server. The options are HTTP and HTTPS.
- Server Protocol: protocol used by WAF to forward client requests. The options are HTTP and HTTPS.
- Server Address: public IP address (generally corresponding to the A record of the domain name configured on the DNS) or domain name (generally corresponding to the CNAME record of the domain name configured on the DNS) of the web server that a client accesses. The following IP address formats are supported:
- IPv4, for example, XX.XXX.1.1
- IPv6, for example, fe80:0000:0000:0000:0000:0000:0000:0000
- Server Port: service port over which the WAF instance forwards client requests to the origin server.
- Weight: Requests are distributed across backend origin servers based on the load balancing algorithm you select and the weight you assign to each server.
Client Protocol: HTTP.
Server Protocol: HTTP
Server Address: XXX.XXX.1.1
Server Port: 80
Proxy Your Website Uses
- Layer-7 proxy: Web proxy products for layer-7 request forwarding are used, products such as anti-DDoS, CDN, and other cloud acceleration services.
- Layer-4 proxy: Web proxy products for layer-4 forwarding are used, products such as anti-DDoS.
- No proxy: No proxy products are deployed in front of WAF.
In our example, no proxies are used.
No proxy
- Click Next. The basic information about the domain name is configured.
- Complete steps Whitelist WAF Back-to-Source IP Addresses and Test WAF as prompted.
- Complete DNS resolution.
Configure the CNAME record on the DNS platform hosting your domain name. For details, contact your DNS provider.
The following uses Huawei Cloud DNS as an example to show how to configure a CNAME record. The following configuration is for reference only.
- Copy the CNAME value provided by WAF in Figure 2.
- Click
in the upper left corner of the page and choose Networking > Domain Name Service. - In the navigation pane on the left, choose Public Zones.
- In the Operation column of the target domain name, click Manage Record Set. The Record Sets tab page is displayed.
- In the row containing the desired record set, click Modify in the Operation column.
- In the displayed Modify Record Set dialog box, change the record value.
- Name: Domain name configured in WAF
- Type: Select CNAME-Map one domain to another.
- Line: Default
- TTL (s): The recommended value is 5 min. A larger TTL value will make it slower for synchronization and update of DNS records.
- Value: Change it to the CNAME record copied in 7.a.
- Keep other settings unchanged.
- Click OK.
Step 3: Configure a CC Attack Protection Rule
Configuration example: You can configure such a CC rule to mitigate CC attacks. If an IP address accessed any path under the current domain name more than 1000 times within 30 seconds, this rule will block requests from the IP address for 10 hours. This rule can be used as a preventive configuration for common small and medium-sized websites
- In the navigation pane on the left, choose Policies.
- Click the name of the target policy to go to the protection configuration page.
- In the CC Attack Protection area, enable it.
: enabled
: disabled - In the upper left corner of the CC Attack Protection rule list, click Add Rule. In the dialog box displayed, configure the CC attack protection rule by referring to Figure 3.
- Rate Limit Mode: Select Source and then Per IP address to distinguish a single web visitor based on IP addresses.
- Trigger: At least one condition needs to be configured. The rule takes effect only when all conditions you configure are met.
- Set other parameters based on your situation.
- Confirm the configuration and click Confirm.
Related Information
For more details, see Configuring a CC Attack Protection Rule.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
