Configuring a Scanning Blocking Rule to Automatically Block Heavy-Traffic Attacks

The scanning protection module identifies scanning behaviors and scanner features to prevent attackers or scanners from scanning websites at scale. WAF will automatically block heavy traffic web attacks and directory traversal attacks and block the source IP addresses for a period of time, helping reduce intrusion risks and junk traffic.

Scanning Blocking: If an attack source triggers basic protection rules for more than the threshold you specify, WAF blocks the source for a duration you configure.
Directory Traversal Protection: If an attack source requests a large number of non-existent directories within a short period, which triggers too many 404 responses, WAF blocks the source for a length of time you configure.

Prerequisites

You have added a website to WAF or added a protection policy.

For cloud CNAME access mode, see Connecting a Website to WAF (Cloud Mode - CNAME Access).
For dedicated mode, see Connecting Your Website to WAF (Dedicated Mode).

Constraints

This function is not supported by the cloud standard edition, or the cloud load balancer access mode.
It takes several minutes for a new rule to take effect. After a rule takes effect, protection events triggered by the rule will be displayed on the Events page.

Configuring a Scanning Protection Rule

Log in to the management console.
Click in the upper left corner of the management console and select a region or project.
Click in the upper left corner and choose Web Application Firewall under Security & Compliance.
In the navigation pane on the left, choose Policies.
Click the name of the target policy to go to the protection configuration page.
Click the Scanning Protection configuration area and toggle it on or off if needed.
- : enabled.
- : disabled.
Configure Scanning Blocking.
If an attack source triggers basic protection rules for more than the threshold you specify, WAF blocks the source for a duration you configure.
1. Click to enable Scanning Blocking.
2. Select a protective action.
  - Block: WAF blocks and logs detected attacks.
  - Log only: WAF only logs detected attacks.
3. Click and edit the rule information.
  Default value: Time Range: 60 seconds; Min. Times Basic Rules Were Triggered: 20, Min. Rules Triggered: 2; and Block Duration: 1,800 seconds. So, if more than two types of basic web protection rules were triggered for more than 20 times within 60 seconds, the source IP address will be blocked for 1,800 seconds.
  
  You can adjust the value as required.
  
  Figure 1 Scanning Blocking
Configure Directory Traversal Protection.
If an attack source triggers basic protection rules for more than the threshold you specify, WAF blocks the source for a duration you configure.
1. Click to enable directory traversal protection.
2. Select a protective action.
  - Block: WAF blocks and logs detected attacks.
  - Log only: WAF only logs detected attacks.
3. Click and edit the rule information.
  Default value: Time Range: 10 seconds; Request Threshold: 50 requests; Min 404 Status Code (%): 70%; Max. Non-existent Directories: 50; and Block Duration: 1,800 seconds. So, for the protected object, if there are more than 50 requests, with 404 requests accounting for over 70%, and 50 non-existent directories detected, the source IP address will be blocked for 1,800 seconds.
  
  You can adjust the value as required.
  
  Figure 2 Directory Traversal Protection