Configuring CC Attack Protection Rules to Defend Against CC Attacks

Prerequisites

A protected website has been added. For details, see Adding a Website to EdgeSec.

Constraints

• It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.
• A reference table can be added to a CC attack protection rule. The reference table takes effect for all protected domain names.
• A CC attack protection rule offers protective actions such as Verification code and Block for your choice. For example, you can configure a CC attack protection rule to block requests from a visit for 600 seconds if the visitor accessed a URL (for example, /admin*) of your website over 10 times within 60 seconds.

Procedure

1. Log in to the EdgeSec console.
2. In the navigation pane on the left, choose Edge Security > Website Settings. The Website Settings page is displayed.
3. In the Policy column of the row containing the target domain name, click the number to go to the Policies page.
   Figure 1 Website list
   

4. In the CC Attack Protection configuration area, you can change Status as needed.
5. In the upper left corner of the CC Attack Protection page, click Add Rule.
6. In the displayed dialog box, configure a CC attack protection rule by referring to Table 1.
   Choose Columns...

   OK Cancel Select All

   Table 1 Rule parameters

   Parameter	Description	Example Value
   Rule Name	Name of the rule	test
   Rule Description	A brief description of the rule. This parameter is optional.	--
   Set Effective Time	Immediate: The rule takes effect immediately. Time Segment: The rule takes effect after the set time segment. Periodically: The rule takes effect in the specified period of each day.	Immediate
   Priority	Set Priority: Set the priority value, which ranges from 1 to 100. Designated Priority Position: Insert a new rule either before or after an existing rule. Upon insertion, the priority of the newly added rule is set, and the priorities of other rules are automatically adjusted. NOTE: The rules for designating the priority position are as follows: If rule_a has a priority of 1 and rule_b has a priority of 2, inserting a new rule after rule_a will automatically adjust the priorities as follows: rule_a will be set to priority 2, and rule_b will be set to priority 3. Assume rule_a has a priority of 99 and rule_b has a priority of 100. If a new rule is inserted before rule_b, the system will automatically assign a priority of 99 to the new rule, and the priority of rule_a will be adjusted to 98. Assume rule_a has a priority of 98 and rule_b has a priority of 100. If a new rule is inserted before rule_b, the system will automatically assign a priority of 99 to the new rule, and the priorities of the existing rules (rule_a and rule_b) will remain unchanged.	20
   Trigger	Click Add to add conditions. At least one condition is required, but up to 30 conditions are allowed. If you add more than one condition, the rule will only take effect if all of the conditions are met. Fields: include geolocation, path, IPv4, IPv6, cookie, method, header, Params, HTTP code, ASN, and range. NOTE: If Field is set to Geographical location or ASN, IPv6 address requests cannot be matched. Subfield: Configure this field only when Cookie, Header, or Params is selected for Field. NOTICE: The length of a subfield cannot exceed 2,048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed. Logic: Select a logical relationship from the drop-down list. NOTE: When Logic is set to Include any value, Exclude any value, Equal to any value, Not equal to any value, Prefix is any value, Prefix is any of them, Suffix is any value, or Suffix is any of them, you need to select a reference table. For details about how to create a reference table, see Creating a Reference Table to Configure Protection Metrics In Batches. If the condition is length-related logic, the length value cannot be too large. Large requests can be intercepted before reaching the backend engine, preventing them from being processed and making protection rules ineffective. Content: Enter or select the content that matches the condition.	Path Include /admin
   Rate Limit Mode	Source IP address: A web visitor is identified by the IP address. Source IP C Segment: A web visitor is identified by the C segment of the source IP address. Cookie: A web visitor is identified by the cookie. Header: A web visitor is identified by the customized HTTP header.	Source IP address
   IP Address Number Threshold in Segment C	This parameter is mandatory when Rate Limite Mode is set to Source IP C Segment.	--
   Rate Limit	The maximum requests that a website visitor can initiate within the configured period. If the configured rate limit has been reached, EdgeSec will respond according to the protective action configured.	10 requests allowed in 60 seconds
   Global Counting	When Rate Limite Mode is set to Source IP C Segment and Rate Limit is greater than or equal to 1 minute, you can enable Global to aggregate the identified requests globally.	--
   Protective Action	When the request frequency exceeds the Rate Limit, the following actions will be executed for new requests within the protection duration: Verification code: EdgeSec allows requests that trigger the rule as long as your website visitors complete the required verification. Currently, verification code supports English. Block: EdgeSec blocks requests that trigger the rule. Log only: EdgeSec only logs requests that trigger the rule. Rate limiting: When the Rate Limit is exceeded, the traffic rate is limited. NOTE: The verification code functionality requires JavaScript execution within a complete browser environment. Therefore, it will not function in environments lacking full browser capabilities, such as text-only terminals or devices with incomplete browser support. Incomplete browser environments are unable to execute the JavaScript code necessary for user identity and validity verification, thus preventing the completion of the verification process. Upon successful verification code validation, the response page must be rendered in a browser environment to ensure proper page restoration. Failure to render the response page may lead to display issues, such as the persistent display of the human-machine verification interface.	Block
   Block Page	The page displayed if the maximum number of requests has been reached. This parameter is configured only when Protective Action is set to Block. If you select Default settings, the default block page is displayed. If you select Custom, a custom error message is displayed.	Custom
   Blocking Method	This parameter is mandatory when Protective Action is set to Block. Block Duration Known attack source: If access attempts exceed the rate limit, all requests from the attack source (defined in Rate Limit Mode) will be blocked for this duration.	Block Duration
   Traffic Limiting	This parameter is mandatory when Protective Action is set to Current Limiting. NOTE: Rate limiting takes effect only for new requests. Rate limiting does not take effect when the file size is less than the rate limit per second. For example, if the rate limit is set to 100 KB/s and the size of the file to be downloaded is less than 100 KB, rate limiting does not take effect.	100 KB
   HTTP Return Code	When Blocking Page is set to Custom, you need to enter the HTTP return code.	404
   Response Header	(Optional) You can add a response header when Blocking Page is set to Custom.	key
   Block Page Type	If you select Custom for Block Page, select a type of the block page among options application/json, text/html, and text/xml.	text/html
   Page Content	If you select Custom for Block Page, configure the content to be returned.	Page content styles corresponding to different page types are as follows: text/html: <!DOCTYPE html> <html> <head></head> <body> Forbidden </body> </html> application/json: {"msg": "Forbidden"} text/xml: <?xml version="1.0" encoding="utf-8"?><error> <msg>Forbidden</msg></error>
   Protection Duration	Execution duration of the protection action. You are advised to set the protection duration to a value greater than the rate limiting period. The value ranges from 0 to 65535.	--

7. Click OK. The CC attack protection rule is displayed in the CC rule list.
   • To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
   • To modify a rule, click Edit in the row containing the rule.
   • To delete a rule, click Delete in the row containing the rule.

8. (Optional) Click Modify priorities in batches above the list to change priorities of protection rules in batches.

Configuration Example - Verification Code

If domain name www.example.com has been connected to EdgeSec, perform the following steps to verify that EdgeSec CAPTCHA verification is enabled.

1. Add a CC attack protection rule with Protection Action set to Verification code.
   Figure 2 Verification code
   

2. Enable CC attack protection.
   Figure 3 CC Attack Protection configuration area
   

3. Clear the browser cache and access http://www.example.com/admin/.

   If you access the page 10 times within 60 seconds, a verification code is required when you attempt to access the page for the eleventh time. You need to enter the verification code to continue the access.

   

   There is a delay before the blocking takes effect. If the operation proceeds too quickly, the eleventh visiting attempt may not be blocked.

   

4. Go to the EdgeSec console. In the navigation pane on the left, choose Events. View the event on the Events page.