Blocking Heavy-Traffic CC Attacks Through CC Attack Protection Rules
You can configure CC attack protection rules to accurately identify and mitigate CC attacks by limiting the access frequency of visitors to resources on the protected website. After you configure CC attack protection rules and enable CC attack protection, the system can defend against CC attacks based on the rules.
Process
| Procedure | Description |
|---|---|
| Preparations | Sign up for a HUAWEI ID, enable Huawei Cloud services, top up your account, and assign EdgeSec permissions to the account. |
| Step 1: Buy EdgeSec Enterprise Edition | Buy EdgeSec and select the edition and billing mode. |
| Step 2: Add Your Website to EdgeSec | Add the website you want to protect to EdgeSec for traffic inspection and forwarding. |
| Step 3: Configure a CC Attack Protection Rule | Configure and enable CC attack protection rules to mitigate CC attacks against the protected website. |
| Step 4: Viewing Protection Statistics Events | Search for CC attack prevention events to quickly locate attack sources or analyze attack events. |
Preparations
- Before purchasing EdgeSec, create a Huawei account and subscribe to Huawei Cloud.
  If you have enabled Huawei Cloud services and completed real-name authentication, skip this step.
- Ensure that your account has sufficient balance or has a valid payment method configured.
- Ensure that you have enabled CDN.
- A domain name has been added on the Domains page. For details about domain name management, see Domain Name Management.
Step 1: Buy EdgeSec Enterprise Edition
EdgeSec provides the professional and enterprise editions. For details about the differences, see Edition Differences.
- Log in to the EdgeSec console.
- Click Buy. The Buy EdgeSec page is displayed. Set the product parameters.
- Confirm the order details and click Pay Now.
Step 2: Add Your Website to EdgeSec
- In the navigation pane on the left, choose . The Domain Names page is displayed.
- In the upper left corner of the list, click Add Domain Names. For details about the parameters, see Table 1.
Figure 1 Adding a website to EdgeSec
Table 1 Parameters for adding a protected website

| Name | Description |
|---|---|
| Website Name | Name of the website you want to protect. It must meet the following requirements: the name must be unique; the name must start with a letter; the length cannot exceed 128 characters; the value can contain uppercase letters, lowercase letters, digits, and special characters (-_:). |
| Protected Domain Name | Select a domain name. You can select a domain name whose Service Type is Website, File download, On-demand services, or Whole site on the Domains page. NOTE: The domain name to be added is the one added on the CDN domain name management page. |
| Configure Policy | The System-generated policy is selected by default. You can select a policy you configured before. |
- Click OK.
Step 3: Configure a CC Attack Protection Rule
The following example CC rule mitigates CC attacks: if an IP address accesses paths under the current domain name more than 1000 times within 30 seconds, the rule blocks requests from this IP address for 10 hours. This rule can be used as a preventive configuration for common small and medium-sized websites.
- In the navigation pane on the left, choose Edge Security > Policies. The Policies page is displayed.
- Click the name of the target policy to go to the protection configuration page.
- In the CC Attack Protection area, enable it.
- In the upper left corner of the CC Attack Protection rule list, click Add Rule. In the dialog box displayed, configure the CC attack protection rule by referring to Figure 2.
  In this example, only some parameters are described. Retain the default values for other parameters. Table 2 describes some parameters.
Table 2 Mandatory parameters

| Parameter | Example Value | Description |
|---|---|---|
| Rate Limit Mode | Source IP Address | Source IP address: A web visitor is identified by the IP address. Source IP C Segment: Web visitor groups are defined by the source IP C segment. Access frequency is counted, and the rate is limited based on these visitor groups. Cookie: A web visitor is identified by the cookie. Header: A web visitor is identified by the customized HTTP header. |
| Trigger | Field: Path; Logic: Prefix is; Content: / | Click Add to add conditions. At least one condition is required, but up to 30 conditions are allowed. If you add more than one condition, the rule will only take effect if all of the conditions are met. Field: include geolocation, path, IPv4, IPv6, cookie, method, header, Params, HTTP code, ASN, and range. (NOTE: If Field is set to Geographical location or ASN, IPv6 address requests cannot be matched.) Subfield: Configure this field only when Cookie, Header, or Params is selected for Field. (NOTICE: The length of a subfield cannot exceed 2048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed.) Logic: Select the desired logical relationship from the drop-down list. (NOTE: When Logic is set to Include any value, Exclude any value, Equal to any value, Not equal to any value, Prefix is any value, Prefix is any of them, Suffix is any value, or Suffix is any of them, you need to select a reference table. For details about how to create a reference table, see Creating a Reference Table. If the condition is length-related logic, the length value cannot be too large. Large requests can be intercepted before reaching the backend engine, preventing them from being processed and making protection rules ineffective.) Content: Enter or select the content that matches the condition. |
| Rate Limit | 1,000 requests within 30 seconds | The maximum requests that a website visitor can initiate within the configured period. If the configured rate limit has been reached, EdgeSec will respond according to the protective action configured. |
| Protective Action | Block | When the request frequency exceeds the Rate Limit, the following actions will be executed for new requests within the protection duration. Verification code: EdgeSec allows requests that trigger the rule as long as your website visitors complete the required verification. Currently, verification code supports English. Block: EdgeSec blocks requests that trigger the rule. Log only: EdgeSec only logs requests that trigger the rule. Rate limiting: When the Rate Limit is exceeded, the traffic rate is limited. NOTE: The verification code functionality requires JavaScript execution within a complete browser environment. Therefore, it will not function in environments lacking full browser capabilities, such as text-only terminals or devices with incomplete browser support. Incomplete browser environments are unable to execute the JavaScript code necessary for user identity and validity verification, thus preventing the completion of the verification process. Upon successful verification code validation, the response page must be rendered in a browser environment to ensure proper page restoration. Failure to render the response page may lead to display issues, such as the persistent display of the human-machine verification interface. |
| Block Duration | 36,000 seconds | Execution duration of the protection action. You are advised to set the protection duration to a value greater than the rate limiting period. The value ranges from 0 to 65535. |
- Confirm the configuration and click OK.
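
Added example (not Huawei code and not a description of how EdgeSec is implemented): a small replay tool that applies the numbers of the example rule to constructed request records, showing which visitors would be blocked under the Source IP Address and Source IP C Segment modes. The sliding-window counting, the /24 reading of "C segment", the record format, and all function names are assumptions.

```python
from collections import defaultdict, deque
from ipaddress import ip_network

# Values from the example rule on this page; everything else is an assumption.
LIMIT, PERIOD, BLOCK_SECONDS, PATH_PREFIX = 1000, 30, 36_000, "/"

def visitor_key(ip, mode):
    """Map a request to the visitor it is counted against (IPv4 only here)."""
    if mode == "c_segment":        # Source IP C Segment: one counter per /24
        return str(ip_network(f"{ip}/24", strict=False))
    return ip                      # Source IP Address: one counter per address

def replay(events, mode="source_ip", prefix=PATH_PREFIX):
    """events: (timestamp_seconds, ip, path) tuples sorted by time.
    Returns {visitor: [blocked_requests, first_block_time]}."""
    recent = defaultdict(deque)    # visitor -> timestamps in the last PERIOD s
    blocked_until, report = {}, {}
    for ts, ip, path in events:
        if not path.startswith(prefix):      # Trigger: Path, Prefix is, "/"
            continue
        key = visitor_key(ip, mode)
        if blocked_until.get(key, -1) > ts:  # still inside Block Duration
            report[key][0] += 1
            continue
        window = recent[key]
        window.append(ts)
        while window[0] <= ts - PERIOD:      # sliding window (assumed)
            window.popleft()
        if len(window) > LIMIT:              # more than 1000 in 30 seconds
            blocked_until[key] = ts + BLOCK_SECONDS
            report.setdefault(key, [0, ts])[0] += 1  # crossing request counted
            window.clear()
    return report

def sample_events():
    """Constructed traffic: 60 seconds, integer timestamps."""
    ev = []
    for s in range(60):
        ev += [(s, "203.0.113.10", "/login")] * 50     # one heavy source
        ev.append((s, "198.51.100.7", "/index.html"))  # ordinary visitor
        if s < 30:   # 20 hosts in one /24, 3 requests per second each
            ev += [(s, f"192.0.2.{h}", "/search") for h in range(1, 21)] * 3
    return ev

if __name__ == "__main__":
    for mode in ("source_ip", "c_segment"):
        print(mode, replay(sample_events(), mode))
```

Replaying a sample of real access records this way while the rule's Protective Action is Log only helps confirm that the chosen Rate Limit does not catch ordinary visitors before switching to Block.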
Step 4: Viewing Protection Statistics Events
When your website is under CC attacks, you can search for CC attack events in the event list to quickly locate attack sources or analyze attack events.
- In the navigation pane on the left, choose . The Statistics page is displayed.
- Set the query time to Custom. The range cannot exceed one month.
- In the search box, select the target Source IP to query the event.
- (Optional) In the Operation column of the target event, click More to handle the event.
You can use one of the following methods to handle the event:
- Handling a false alarm
- Adding to address group
- Adding to blacklist/whitelist
Related Information
For more information about CC attack protection, see Configuring CC Attack Protection Rules.
