Updated on 2025-09-15 GMT+08:00

Basic Protection

You can analyze traffic bursts based on statistics reports, offline logs, and real-time logs, locate attack characteristics, and configure protection policies.

Obtaining Logs and Reports

  • Statistics reports: View popular URLs, IP addresses, user agents, and referers on the console to identify abnormal access. For details, see Web Top Statistics.
  • Offline logs: Filter logs generated during traffic bursts (within 30 days) for post-event analysis to identify abnormal access.
  • Real-time logs: Analyze logs in real time and respond to attacks quickly.

Feature Analysis

Table 1 Attack features and countermeasures

Attack Feature

Countermeasure

One or more client IP addresses frequently request the same URL, which is mainly an image, video file, download data package, or API.

  1. Configure a CC attack protection rule. Set the rate limiting mode to Source IP Address, Cookie, or Header. For details, see Configuring CC Attack Protection Rules.
  2. Configure an IP address blacklist to restrict access from the source IP address. For details, see Configuring an IP Address Blacklist.

An IP address in a C segment frequently requests the same URL, which is mainly an image, video file, download data package, or API.

  1. Configure a CC attack protection rule. Set the rate limiting mode to Source IP Address C Segment. For details, see Configuring CC Attack Protection Rules.
  2. Configure an IP address blacklist to restrict access from the source IP address segment. For details, see Configuring an IP Address Blacklist.

The Referer field value is abnormal. The Referer field indicates the source of the current request, but here the Referer URL does not correspond to the requested URL: for example, the field is empty or references an untrusted third-party domain.

Configure a precise access protection rule to block invalid referer requests. For details, see Configuring a Precise Protection Rule.

The User-Agent field value is abnormal. The User-Agent value identifies the client (such as a browser, crawler, or application) that initiates the request. Abnormal values include a null value, a script tool or development engine, and forged User-Agent values that do not comply with the specifications.

Configure a precise protection rule to block invalid User-Agent requests. For details, see Configuring a Precise Protection Rule.

A single client IP address frequently changes the User-Agent. Attackers forge the User-Agent of a normal browser and change the User-Agent in each request to bypass the security check of the server.

Configure an IP address blacklist to restrict access from the source IP address segment. For details, see Configuring an IP Address Blacklist.

The User-Agent is abnormal. The client environment does not match the requested resource. For example, a non-Android User-Agent requests to download an APK package at a high access frequency.

  1. Configure a precise protection rule to block invalid User-Agent requests. For details, see Configuring a Precise Protection Rule.
  2. Configure an IP address blacklist to restrict access from the source IP address. For details, see Configuring an IP Address Blacklist.

The source IP address of the client does not correspond to the requested URL. For example, the resource cannot be accessed by an IP address outside China.

Configure precise access protection rules to block requests from source IP addresses in specified countries or regions. For details, see Configuring a Precise Protection Rule.
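The request-rate, C-segment, User-Agent rotation, and empty-field features in Table 1 can be checked mechanically over exported logs. The following Python script is an added example, not part of the product documentation; the `ip|url|referer|user_agent` line layout, the sample lines, the thresholds, and the reading of "C segment" as a /24 network are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample lines in an assumed "ip|url|referer|user_agent" layout.
# Real log exports carry more fields and must be mapped to these four first.
SAMPLE = (
    ["203.0.113.7|/dl/app.apk|-|curl/8.0"] * 6
    + [f"198.51.100.{i}|/api/price|https://shop.example/|Mozilla/5.0" for i in range(1, 6)]
    + [f"192.0.2.9|/img/a.jpg|https://shop.example/|Mozilla/5.0 (build {i})" for i in range(4)]
    + ["192.0.2.50|/index.html|https://shop.example/|Mozilla/5.0",
       "192.0.2.51|/css/site.css|https://shop.example/|"]
)

def c_segment(ip):
    """Key an IPv4 address by its first three octets (assumed meaning of C segment)."""
    return ".".join(ip.split(".")[:3]) + ".0/24"

def analyze(lines, rate_threshold=5, ua_threshold=3):
    """Return the log entries that match the attack features in Table 1."""
    per_ip_url, per_seg_url = Counter(), Counter()
    seg_ips, uas = defaultdict(set), defaultdict(set)
    empty_ua, empty_referer = set(), set()
    for line in lines:
        ip, url, referer, ua = line.split("|", 3)
        seg = c_segment(ip)
        per_ip_url[(ip, url)] += 1
        per_seg_url[(seg, url)] += 1
        seg_ips[(seg, url)].add(ip)
        uas[ip].add(ua)
        if ua in ("", "-"):
            empty_ua.add(ip)
        if referer in ("", "-"):
            empty_referer.add(ip)
    return {
        # One IP requesting the same URL repeatedly: rate limit by source IP.
        "hot_ips": sorted(k for k, n in per_ip_url.items() if n >= rate_threshold),
        # Several IPs of one C segment on the same URL: rate limit by C segment.
        "hot_segments": sorted(k for k, n in per_seg_url.items()
                               if n >= rate_threshold and len(seg_ips[k]) > 1),
        # One IP presenting many different User-Agent values.
        "ua_rotators": sorted(ip for ip, s in uas.items() if len(s) >= ua_threshold),
        "empty_ua": sorted(empty_ua),
        "empty_referer": sorted(empty_referer),
    }

if __name__ == "__main__":
    for feature, hits in analyze(SAMPLE).items():
        print(feature, hits)
```

Each key in the result maps to one row of the table, so the matching entries tell you which rule type (CC attack protection, IP address blacklist, or precise protection) to configure.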

Configuring Protection

For details, see Configuring Protection Rules.