Updated on 2024-10-31 GMT+08:00

Configuring a Known Attack Source Rule

If EdgeSec blocks a malicious request by IP address, Cookie, or Params, you can configure a known attack source rule to let EdgeSec automatically block all requests from the attack source for a blocking duration set in the known attack source rule. For example, if a blocked malicious request originates from an IP address 192.168.1.1 and you set the blocking duration to 500 seconds, EdgeSec will block the IP address for 500 seconds after the known attack source rule takes effect.

Prerequisites

A protected website has been added. For details, see Adding a Website to EdgeSec.

Constraints

  • For a known attack source rule to take effect, it must be enabled when you configure basic web protection, precise protection, blacklist, or whitelist protection rules.
  • It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.
  • Before adding a known attack source rule for malicious requests blocked by Cookie or Params, a traffic identifier must be configured for the corresponding domain name. For details, see Configuring a Traffic Identifier for a Known Attack Source.

Specification Limitations

  • You can configure up to six blocking types. Each type can have one known attack source rule configured.
  • The maximum time an IP address can be blocked for is 30 minutes.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Content Delivery & Edge Computing > CDN and Security.
  3. In the navigation pane on the left, choose Edge Security > Website Settings. The Website Settings page is displayed.
  4. In the Policy column of the row containing the domain name, click the number to go to the Policies page.

    Figure 1 Website list

  5. In the Known Attack Source configuration area, change Status if needed and click Customize Rule to go to the Known Attack Source page.

    Figure 2 Known Attack Source configuration

  6. In the upper left corner of the known attack source rules, click Add Known Attack Source Rule.
  7. In the displayed dialog box, specify the parameters by referring to Table 1.

    Figure 3 Add Known Attack Source Rule
    Table 1 Known attack source parameters

    Parameter

    Description

    Example Value

    Blocking Type

    Specifies the blocking type. The options are:

    • Long-term IP address blocking
    • Short-term IP address blocking
    • Long-term Cookie blocking
    • Short-term Cookie blocking
    • Long-term Params blocking
    • Short-term Params blocking

    Long-term IP address blocking

    Blocking Duration (s)

    The blocking duration must be an integer and range from:

    • (300, 1800] for long-term blocking
    • (0, 300] for short-term blocking

    500

    Rule Description

    A brief description of the rule. This parameter is optional.

    None

  8. Click Confirm. You can then view the added known attack source rule in the list.

Other Operations

  • To modify a rule, click Modify in the row containing the rule.
  • To delete a rule, click Delete in the row containing the rule.

Configuration Example - Blocking Known Attack Source Identified by Cookie

Assume that domain name www.example.com has been connected to EdgeSec and a visitor has sent one or more malicious requests through IP address XXX.XXX.248.195. You want to block access requests from this IP address and whose cookie is jsessionid for 10 minutes. Refer to the following steps to configure a rule and verify its effect.

  1. On the Website Settings page, click www.example.com to go to its basic information page.
  2. In the Traffic Identifier area, configure the cookie in the Session Tag field.

    Figure 4 Traffic Identifier

  3. Add a known attack source, select Long-term Cookie blocking for Blocking Type, and set block duration to 600 seconds.

    Figure 5 Adding a Cookie-based known attack source rule

  4. Enable the known attack source protection.

    Figure 6 Known Attack Source configuration

  5. Add a blacklist and whitelist rule to block XXX.XXX.248.195. Select Long-term Cookie blocking for Known Attack Source.

    Figure 7 Specifying a known attack source rule

  6. Clear the browser cache and access http://www.example.com.

    When a request from IP address XXX.XXX.248.195, EdgeSec blocks the access. When EdgeSec detects that the cookie of the access request from the IP address is jsessionid, EdgeSec blocks the access request for 10 minutes.

    Figure 8 Block page

  7. Go to the EdgeSec console. In the navigation pane on the left, choose Events. View the event on the Events page.