Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration

Prerequisites

• You have connected a website to WAF.
• You have created a policy and added the domain name to it. For details, see Creating a Protection Policy and Adding a Domain Name to a Policy.
• If you use a dedicated WAF instance, make sure it has been upgraded to the latest version. For details, see Managing Dedicated WAF Engines.

Constraints

• For a known attack source rule to take effect, it must be enabled when you configure basic web protection, CC attack protection, precise protection, or blacklist/whitelist protection rules.
  

  For blacklist and whitelist rules, a known attack source with Long-term IP address blocking or Short-term IP address blocking configured cannot be selected.

• Before adding a known attack source rule for malicious requests blocked based on Cookie or Params, a traffic identifier must be configured for the corresponding domain name. For more details, see Configuring a Traffic Identifier for a Known Attack Source.
• Known attack source rules can only apply to existing WAF engines. New engines do not synchronize the known attack sources configured previously. So known attack sources in requests passing through the new engines cannot be blocked.

  For example, if you configure a known attack source rule for an IP address and set the blocking duration to 100 seconds, all requests from this IP address will be blocked for 100 seconds. If a new engine is added and receives requests over the IP address, the known attack source rule will not be triggered, and the requests will not be blocked.

• It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.

Specification Limitations

• You can configure up to six blocking types. Each type can have one known attack source rule configured.
• Maximum blocking duration:
  • Long-term blocking (including Long-term IP address blocking, Long-term Cookie blocking, and Long-term Params blocking): 3 months
  • Short-term blocking (including Short-term IP address blocking, Short-term Cookie blocking, and Short-term Params blocking): 1,800 seconds

Configuring a Known Attack Source Rule

1. Log in to the WAF console.
2. Click in the upper left corner and select a region or project.
3. (Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
4. In the navigation pane on the left, click Policies.
5. Click the name of the target policy to go to the protection rule configuration page.

   Before configuring protection rules, ensure that the target protection policy has been applied to a domain name. A protection policy can be applied to multiple protected domain names, but a protected domain name can have only one protection policy.

6. Enable Known Attack Source if needed.
   • : enabled.
   • : disabled.

7. If you add a known attack source for the first time, click Add Known Attack Source Rule. Configure the parameters by referring to Table 1.
   

   You can click Add Rule and add more known attack source rules.

   Figure 1 Configure Known Attack Source Rule
   

   Table 1 Known attack source parameters

   Parameter	Description	Example Value
   Blocking Type	The blocking type for the rule. The options are: Long-term IP address blocking Short-term IP address blocking Long-term Cookie blocking Short-term Cookie blocking Long-term Params blocking Short-term Params blocking NOTICE: For blacklist and whitelist rules, a known attack source with Long-term IP address blocking or Short-term IP address blocking configured cannot be selected.	Long-term IP address blocking
   Blocking Duration (s)	The blocking duration must be an integer and range from: Short-term blocking: The Blocking Type can be set to Short-term IP address blocking, Short-term Cookie blocking, or Short-term Params blocking. The blocking duration is calculated by the second. Value range: 1 to 300 seconds. Long-term blocking: The Blocking Type can be Long-term IP address blocking, Long-term Cookie blocking, or Long-term Params blocking. The blocking duration can be calculated by the Second, Minute, Hour, Day, or Month. Value ranges are as follows: Second: 301 to 7,776,000 Minute: 6 to 129,600 Hour: 1 to 2,160 Day: 1 to 90 Month: 1 to 3	3 months
   Rule Description	A brief description of the rule. This parameter is optional.	-

8. Click Save. You can then view the added known attack source rule in the list.

   After completing the preceding configurations, you can:

   • Check the rule status: In the protection rule list, check the rule you added. Rule Status is Enabled by default.
   • Disable the rule: If you do not want the rule to take effect, click Disable in the Operation column of the rule.
   • Delete or modify the rule: Click Delete or Modify in the Operation column of the rule.

One-Click Unblocking a Known Attack Source Rule

1. Log in to the WAF console.
2. Click in the upper left corner and select a region or project.
3. (Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
4. In the navigation pane on the left, click Policies.
5. Click the name of the target policy to go to the protection rule configuration page.

   Before configuring protection rules, ensure that the target protection policy has been applied to a domain name. A protection policy can be applied to multiple protected domain names, but a protected domain name can have only one protection policy.

6. Click the CC Attack Protection or Precise Protection configuration box. In the upper right corner of the rule list, click One-Click Unblocking.
   

   One-Click Unblocking unblocks all known attack source rules triggered in the current module. All IP addresses, cookies, and params previously blocked by these rules will be unblocked. If the protection rule is triggered again, the associated known attack source rule is triggered as well. The IP addresses, cookies, or parameters will be blocked for a time period you configure in the rule.

7. Click One-Click Unblocking in the displayed dialog box and click OK to unblock all known attack source rules triggered by the current protection module.

   Then, the IP addresses, cookies, or parameters that have been blocked are unblocked until the protection rule associated with the known attack sources is triggered again.

Configuration Example: Blocking Known Attack Source Identified by Cookie

Assume that domain name www.example.com has been connected to WAF and a visitor has sent one or more malicious requests through IP address XXX.XXX.248.195. You want to block access requests from this IP address and whose cookie is jsessionid for 10 minutes.

1. On the Website Settings page, click www.example.com to go to its basic information page.
2. In the Traffic Identifier area, configure the cookie in the Session Tag field.
   Figure 2 Traffic Identifier
   

3. Add a known attack source, select Long-term Cookie blocking for Blocking Type, and set block duration to 600 seconds.
   Figure 3 Adding a Cookie-based known attack source rule
   

4. Enable the known attack source protection.
   Figure 4 Enabling known attack source protection
   

5. Add a blacklist and whitelist rule to block XXX.XXX.248.195. Select Long-term Cookie blocking for Known Attack Source.
   Figure 5 Specifying a known attack source rule
   

6. Clear the browser cache and access http://www.example.com.

   When a request from client IP address XXX.XXX.248.195, WAF blocks the access. If WAF detects that the cookie of the access request from the client IP address is jsessionid, WAF blocks the access request for 10 minutes.

   Figure 6 Block page
   

7. Go to the WAF console. In the navigation pane on the left, choose Events. View the event on the Events page.