Configuring a Scanning Blocking Rule to Automatically Block Heavy-Traffic Attacks
The scanning protection module identifies scanning behaviors and scanner features to prevent attackers or scanners from scanning websites at scale. WAF automatically blocks heavy-traffic web attacks and directory traversal attacks and blocks the source IP addresses for a period of time, helping reduce intrusion risks and junk traffic.
- Scanning Blocking: If an attack source triggers basic protection rules for more than the threshold you specify, WAF blocks the source for a duration you configure.
- Directory Traversal Protection: If an attack source requests a large number of non-existent directories within a short period, which triggers too many 404 responses, WAF blocks the source for a length of time you configure.
Prerequisites
- For cloud CNAME access mode, see Connecting Your Website to WAF with Cloud Mode - CNAME Access.
- For dedicated mode, see Connecting Your Website to WAF with Dedicated Mode.
Constraints
- This function is not supported by the cloud standard edition, or the cloud load balancer access mode.
- It takes several minutes for a new rule to take effect. After a rule takes effect, protection events triggered by the rule will be displayed on the Events page.
Configuring a Scanning Protection Rule
- Log in to the WAF console.
- Click the icon in the upper left corner and select a region or project.
- (Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
- In the navigation pane on the left, click Policies.
- Click the name of the target policy to go to the protection rule configuration page.
Before configuring protection rules, ensure that the target protection policy has been applied to a domain name. A protection policy can be applied to multiple protected domain names, but a protected domain name can have only one protection policy.
- Locate the Scanning Protection configuration box and toggle this protection on.
- Configure Scanning Blocking. If an attack source triggers basic protection rules for more than the threshold you specify, WAF blocks the source for a duration you configure.
Figure 1 Scanning Blocking
- Click the toggle to enable Scanning Blocking.
After this function is enabled, by default, Protective Action is Log only, Time Range (s) is 60 seconds, Min. Times Basic Rules Were Triggered is 20, Min. Rules Triggered is 2, and IP Block Duration (s) is 1800 seconds. This means that if a user triggers more than two rules over 20 times within 60 seconds, all subsequent requests from that user will be blocked for 1,800 seconds.
You can configure Protective Action and Rule Info based on your service requirements.
- Configure a protective action.
- Block: WAF blocks and logs detected attacks.
- Log only: WAF only logs detected attacks.
- Click the icon next to Rule Info and edit the rule information.
- Time Range (s): Enter a value ranging from 5 to 1,800.
- Min. Times Basic Protection Rules Were Triggered: Enter a value ranging from 1 to 50,000.
- Min. Rules Triggered: Enter a value ranging from 0 to 50.
- IP Block Duration (s): Enter a value ranging from 60 to 86,400.
You can click Reset to restore default rule settings if needed.
- Click
- Configure Directory Traversal Protection. WAF will block attack sources that trigger the basic protection rule configured for the protected website many times for a period.
- Click the toggle to enable directory traversal protection.
Figure 2 Directory Traversal Protection
After Directory Traversal Protection is enabled, by default, Protective Action is Log only, Time Range (s) is 10 seconds, Request Threshold is 50, Min. 404 Status Code (%) is 70, Max. Non-existent Directories is 50, and Block Duration (s) is 1800. This means that if a user requests over 50 non-existent directories within 10 seconds (with more than 70% of requests resulting in 404 errors), all subsequent requests from that user will be blocked for 1,800 seconds.
You can configure Protective Action and Rule Info based on your service requirements.
- Configure a protective action.
- Block: WAF blocks and logs detected attacks.
- Log only: WAF only logs detected attacks.
- Click the icon next to Rule Info and edit the rule information.
- Time Range (s): Enter a value ranging from 5 to 1,800.
- Request Threshold: Enter a value ranging from 2 to 50,000.
- Min. 404 Status Code (%): Enter a value ranging from 1 to 100.
- Min. Non-existent Directories: Enter a value ranging from 2 to 50,000.
- Block Duration (s): Enter a value ranging from 60 to 86,400.
You can click Reset to restore default rule settings if needed.
- Click
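Before switching Directory Traversal Protection from Log only to Block, it helps to replay existing access logs against the thresholds and see which sources would have been blocked. The following is an added example, not WAF's own implementation: it models the rule as this page describes it, and the boundary handling (strict or inclusive comparisons), the `Rule` and `replay` names, and the sample log are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from posixpath import dirname

@dataclass(frozen=True)
class Rule:                        # defaults are the ones stated on this page
    time_range: int = 10           # Time Range (s)
    request_threshold: int = 50    # Request Threshold
    min_404_pct: int = 70          # Min. 404 Status Code (%)
    missing_dirs: int = 50         # non-existent directories threshold
    block_duration: int = 1800     # Block Duration (s)

def replay(events, rule=Rule()):
    """events: time-ordered (epoch_s, source_ip, path, status) tuples.
    Returns [(source_ip, block_start, block_end)] for sources that would be blocked."""
    windows = defaultdict(deque)   # ip -> (ts, directory, status) inside the window
    blocked_until, blocks = {}, []
    for ts, ip, path, status in events:
        if blocked_until.get(ip, 0) > ts:
            continue               # source is blocked, request is dropped
        win = windows[ip]
        win.append((ts, dirname(path), status))
        while win and win[0][0] <= ts - rule.time_range:
            win.popleft()          # expire entries older than the time range
        missing = [d for _, d, s in win if s == 404]
        # Assumption: counts are strict ("over 50"), the "Min." percentage is inclusive.
        if (len(win) > rule.request_threshold
                and 100 * len(missing) >= rule.min_404_pct * len(win)
                and len(set(missing)) > rule.missing_dirs):
            blocked_until[ip] = ts + rule.block_duration
            blocks.append((ip, ts, blocked_until[ip]))
            win.clear()
    return blocks

def sample_events():
    """Constructed log: one scanner and one ordinary client, 10 requests per second."""
    events = []
    for i in range(60):
        ts = 1000 + i // 10
        events.append((ts, "198.51.100.7", f"/probe{i}/index.php", 404))
        events.append((ts, "203.0.113.20", "/shop/item", 404 if i % 10 == 0 else 200))
    events.append((1500, "198.51.100.7", "/", 200))  # arrives while blocked
    return sorted(events)

if __name__ == "__main__":
    for ip, start, end in replay(sample_events()):
        print(f"{ip} would be blocked from t={start} to t={end}")
```

Feeding real access-log tuples to `replay` with candidate `Rule` values shows whether legitimate clients (crawlers, monitoring probes, clients behind a shared NAT address) would cross the thresholds.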
One-Click Unblocking Scanning Blocking and Directory Traversal Protection
This operation will unblock all IP addresses blocked by Scanning Blocking or Directory Traversal Protection in the current policy. These IP addresses will still be blocked in other policies.
- Log in to the WAF console.
- Click the icon in the upper left corner and select a region or project.
- (Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
- In the navigation pane on the left, click Policies.
- On the Protection Status tab, click the Scanning Protection configuration box. In the upper right corner of the Scanning Protection list, click One-Click Unblocking.
This operation will unblock all IP addresses that trigger IP address scanning blocking in the current policy. If an IP address triggers the scanning protection rule again, the IP address will be blocked for a period of time according to the rule.
- In the One-Click Unblocking dialog box, click OK.
All IP addresses that triggered scanning blocking in the current policy will be unblocked.
You can also perform the following operations:
- Check the rule status: In the protection rule list, check the rule you added. Rule Status is Enabled by default.
- Disable the rule: If you do not want the rule to take effect, click Disable in the Operation column of the rule.
- Delete or modify the rule: Click Delete or Modify in the Operation column of the rule.
- Verify the protection effect:
- Clear the browser cache and access the http://www.example.com page 20 times within 60 seconds. If the access is blocked for 1,800 seconds, the rule takes effect.
- On the Events page, check the protection logs.