Help Center/ Web Application Firewall/ User Guide/ Configuring Protection Policies/ Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration

Updated on 2025-02-26 GMT+08:00

View PDF

Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration

If WAF blocks a malicious request by IP address, Cookie, or Params, you can configure a known attack source rule to let WAF automatically block all requests from the attack source for a blocking duration set in the known attack source rule. For example, if a blocked malicious request originates from an IP address (192.168.1.1) and you set the blocking duration to 500 seconds, WAF will block the IP address for 500 seconds after the known attack source rule takes effect.

Known attack source rules can be used by basic web protection, precise protection, IP address blacklist, IP address whitelist, and other rules. You can use known attack source rules in basic web protection, precise protection, and IP blacklist or whitelist rules as long as you set Protective Action to Block for these rules.

If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the Enterprise Project drop-down list and configure protection policies for the domain names in the project.

Prerequisites

You have added the website you want to protect to WAF or added a protection policy.
- For cloud CNAME access mode, see Connecting a Website to WAF (Cloud Mode - CNAME Access).
- For cloud load balancer access mode, see Connecting Your Website to WAF (Cloud Mode - Load Balancer Access).
- For dedicated mode, see Connecting Your Website to WAF (Dedicated Mode).
If you use a dedicated WAF instance, ensure that it has been upgraded to the latest version. For details, see Managing Dedicated WAF Engines.

Constraints

For a known attack source rule to take effect, it must be enabled when you configure basic web protection, precise protection, blacklist, or whitelist protection rules.

For blacklist and whitelist rules, a known attack source with Long-term IP address blocking or Short-term IP address blocking configured cannot be selected.
Before adding a known attack source rule for malicious requests blocked by Cookie or Params, a traffic identifier must be configured for the corresponding domain name. For more details, see Configuring a Traffic Identifier for a Known Attack Source.
It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.

Specification Limitations

You can configure up to six blocking types. Each type can have one known attack source rule configured.
Maximum blocking duration:
- Long-term blocking (including Long-term IP address blocking, Long-term Cookie blocking, and Long-term Params blocking): 3 months
- Short-term blocking (including Short-term IP address blocking, Short-term Cookie blocking, and Short-term Params blocking): 1,800 seconds

Configuring a Known Attack Source Rule

Log in to the management console.
Click in the upper left corner of the management console and select a region or project.
Click in the upper left corner and choose Web Application Firewall under Security & Compliance.
In the navigation pane on the left, choose Policies.
Click the name of the target policy to go to the protection configuration page.
Enable Known Attack Source if needed.
- : enabled.
- : disabled.

If you add a known attack source for the first time, click Add Known Attack Source Rule. Configure the parameters by referring to Table 1.

You can click Add Rule and add more known attack source rules.

Figure 1 Configure Known Attack Source Rule

**Table 1** Known attack source parameters
Parameter	Description	Example Value
Blocking Type	The blocking type for the rule. The options are: Long-term IP address blocking Short-term IP address blocking Long-term Cookie blocking Short-term Cookie blocking Long-term Params blocking Short-term Params blocking NOTICE: For blacklist and whitelist rules, a known attack source with Long-term IP address blocking or Short-term IP address blocking configured cannot be selected.	Long-term IP address blocking
Blocking Duration (s)	The blocking duration must be an integer and range from: Short-term blocking: The Blocking Type can be set to Short-term IP address blocking, Short-term Cookie blocking, or Short-term Params blocking. The blocking duration is calculated by the second. Value range: 1 to 300 seconds. Long-term blocking: The Blocking Type can be Long-term IP address blocking, Long-term Cookie blocking, or Long-term Params blocking. The blocking duration can be calculated by the Second, Minute, Hour, Day, or Month. Value ranges are as follows: Second: 301 to 7,776,000 Minute: 6 to 129,600 Hour: 1 to 2,160 Day: 1 to 90 Month: 1 to 3	3 months
Rule Description	A brief description of the rule. This parameter is optional.	-

Click Save. You can then view the added known attack source rule in the list.

Related Operations

To modify a rule, click Modify in row containing the rule.
To delete a rule, click Delete in the row containing the rule.

Configuration Example - Blocking Known Attack Source Identified by Cookie

Assume that domain name www.example.com has been connected to WAF and a visitor has sent one or more malicious requests through IP address XXX.XXX.248.195. You want to block access requests from this IP address and whose cookie is jsessionid for 10 minutes. Refer to the following steps to configure a rule and verify its effect.

On the Website Settings page, click www.example.com to go to its basic information page.
In the Traffic Identifier area, configure the cookie in the Session Tag field.

Figure 2 Traffic Identifier
Add a known attack source, select Long-term Cookie blocking for Blocking Type, and set block duration to 600 seconds.

Figure 3 Adding a Cookie-based known attack source rule
Enable the known attack source protection.

Figure 4 Known Attack Source configuration area
Add a blacklist and whitelist rule to block XXX.XXX.248.195. Select Long-term Cookie blocking for Known Attack Source.

Figure 5 Specifying a known attack source rule
Clear the browser cache and access http://www.example.com.

When a request from IP address XXX.XXX.248.195, WAF blocks the access. When WAF detects that the cookie of the access request from the IP address is jsessionid, WAF blocks the access request for 10 minutes.

Figure 6 Block page
Go to the WAF console. In the navigation pane on the left, choose Events. View the event on the Events page.

Parent Topic: Configuring Protection Policies

Previous topic: Creating a Reference Table to Configure Protection Metrics in Batches

Next topic: Condition Field Description

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot