Configure scan protection


Scan protection identifies scanning behaviors and scanner signatures to block large-scale scans on your websites. Attack sources are blocked or automatically blacklisted, reducing the risk of intrusion and eliminating junk traffic from scans.

Prerequisites

Background information

Scan protection rules fall into the following types:

  • High-frequency scanning protection: Automatically blacklists an attack source that triggers basic protection rules for the protected object multiple times within a short period. All requests from this source are then blocked or monitored for a specified duration.

  • Directory traversal blocking: Automatically blacklists an attack source that accesses multiple nonexistent directories for the protected object within a short period. All requests from this source are then blocked or monitored for a specified duration.

  • Scanner blocking: Blocks or monitors requests from common scanning tools such as SQLMap, AWVS, Nessus, AppScan, WebInspect, Netsparker, Nikto, and RSAS.

Create a mitigation policy - scan protection

When you configure scan protection for the first time, you must create a scan protection rule template and then configure its rules.

  1. Log on to the DCDN console.

  2. In the left-side navigation pane, choose WAF > Protection Policies.

  3. On the Protection Policies page, click Create Policy.

  4. On the Create Policy page, configure the protection information.

    The settings are grouped by configuration module; each configuration item is described below.

    Policy Information

      Policy Type: Select Scan Protection.

      Policy Name: Enter a custom policy name. The name can contain letters, digits, and underscores (_). The name can be up to 64 characters long.

      Make Default: Specify whether to set this policy as the default for the current mitigation type.

      A default policy applies to all protected domain names that are not associated with a custom mitigation policy, including newly added domain names and domain names removed from custom mitigation policies. It does not need to be associated with a specific protected domain name.

      Note
      • Only one default policy can be set for each mitigation type. The default policy cannot be changed after it is created.
      • If a default policy already exists for the current mitigation type, this switch is unavailable.

    Rule Information

      Rules: Select the action to take when a request matches a rule. Options:
      • Block: Blocks requests that match the rule and returns a block page to the client.
      • Monitor: Does not block requests that match the rule.

      Use Monitor mode to test a new rule. After you confirm that the rule does not cause false positives, change the action to Block.

    High-frequency Scanning Blocking

      Status: Turn high-frequency scanning protection on or off.

      Default configuration: An attack source (the Block Object, IP by default) is added to the blacklist for a Block Duration of 30 minutes if, within a Detection Period of 60 seconds, it meets both of the following conditions:
      • Triggers basic protection rules more than 20 times.
      • Triggers more than 2 different protection rules (Number of Triggered Protection Rules Is Greater Than).
      During the block duration, all requests from the source are blocked or monitored according to the rule action.

      Click Modify Configuration to customize the following parameters.

      Block Object: Select the type of attack source to monitor:
      • IP: Monitors the attack frequency from the same client IP address.
      • Session: Monitors the attack frequency from the same client session.
        Note
        WAF attempts to insert a cookie that starts with `acw_tc` into the response using the `setcookie` method to mark different client sessions.
      • Custom: Monitors the attack frequency from objects with the same request features. You can specify request features in the following ways:
        • Custom Header: Monitors the frequency of attack requests that contain a specific header.
        • Custom Parameter: Monitors the frequency of attack requests that contain a specific parameter.
        • Custom Cookie: Monitors the frequency of attack requests that contain a specific cookie.

      Time Range: Set the time range for detecting HTTP requests.
      • Value range: 5 to 1800.
      • Unit: seconds.

      Trigger Threshold: Within the Time Range, set the maximum number of times a single monitored object can trigger the basic protection rules for the current protected object.
      • Value range: 3 to 50,000.

      Triggered Rules: Within the Time Range, set the maximum number of different basic protection rules that a single monitored object can trigger for the current protected object.
      • Value range: 1 to 50.

      Blocking Time: Set the duration to block requests from an object that hits the rule.
      • Value range: 60 to 86,400.
      • Unit: seconds.

    Directory Traversal Blocking

      Status: Turn directory traversal blocking on or off.

      Default configuration: An attack source (the Block Object, IP by default) is added to the blacklist for a Block Duration of 30 minutes if, within a Detection Period of 10 seconds, it meets all of the following conditions:
      • Sends more than 50 requests to the protected object (Requests to Protected Object Exceed).
      • The ratio of 404 response codes exceeds 70% (404 Response Code Ratio Exceeds).
      • The number of non-existent directories accessed exceeds 50 (Number of Non-existent Directories Exceeds).
      During the block duration, all requests from the source are blocked or monitored according to the rule action.

      Click Modify Configuration to customize the following parameters.

      Block Object: Select the type of attack source to monitor:
      • IP: Monitors the attack frequency from the same client IP address.
      • Session: Monitors the attack frequency from the same client session.
        Note
        WAF attempts to insert a cookie that starts with `acw_tc` into the response using the `setcookie` method to mark different client sessions.
      • Custom: Monitors the attack frequency from objects with the same request features. You can specify request features in the following ways:
        • Custom Header: Monitors the frequency of attack requests that contain a specific header.
        • Custom Parameter: Monitors the frequency of attack requests that contain a specific parameter.
        • Custom Cookie: Monitors the frequency of attack requests that contain a specific cookie.

      Time Range: Set the detection period.
      • Value range: 5 to 1800.
      • Unit: seconds.

      Requests: Within the Time Range, set the maximum number of requests that a single monitored object can send to a single domain name.
      • Value range: 3 to 50,000.

      HTTP 404 Status Code Percentage: Set the maximum percentage of 404 response codes.
      • Value range: 1 to 100.
      • Unit: % (percent).

      Non-existent Directories: Within the Time Range, set the maximum number of non-existent directories (excluding static files such as images) that a single monitored object can access.
      • Value range: 2 to 50,000.

      Blocking Time: Set the duration to block requests from an object that hits the rule.
      • Value range: 60 to 86,400.
      • Unit: seconds.

    Scanner Blocking

      Status: Turn scanner blocking on or off.

    Protected Domain Names

      Protected Domain Names: Select the domain names to which you want to apply this mitigation policy.

      Note
      A protected domain name can be associated with only one mitigation policy of the same type. If you select a domain name that is already associated with another policy of the same type, the current policy replaces the previous one for that domain name.

  5. Click Create Policy.

    The new protection policy is enabled by default.
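Before changing a Directory Traversal Blocking rule from Monitor to Block, it helps to replay your own access-log events against the default thresholds from the table above and see which clients would have been blacklisted. The following is an added example, not DCDN or WAF code; the static-file suffix list and the three sample clients are constructed assumptions, and the detection window, request count, 404 ratio, directory count and block duration are the defaults from the table.

```python
from collections import defaultdict, deque

# Defaults from the Directory Traversal Blocking row: 10 s detection period,
# >50 requests, 404 ratio >70%, >50 non-existent directories, 30 min block.
WINDOW_SECONDS = 10
MAX_REQUESTS = 50
MAX_404_RATIO = 0.70
MAX_MISSING_DIRS = 50
BLOCK_SECONDS = 30 * 60

# Assumption: 404s on static files are not "non-existent directories" (illustrative list).
STATIC_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".css", ".js", ".ico")


def is_missing_directory(path, status):
    """A 404 on a non-static path counts as a non-existent directory access."""
    return status == 404 and not path.lower().endswith(STATIC_SUFFIXES)


def replay(events, window=WINDOW_SECONDS, max_requests=MAX_REQUESTS,
           max_404_ratio=MAX_404_RATIO, max_missing_dirs=MAX_MISSING_DIRS,
           block_seconds=BLOCK_SECONDS):
    """events: time-ordered (timestamp, client_ip, path, status) tuples.
    Returns {client_ip: timestamp at which it would be blacklisted}."""
    recent = defaultdict(deque)  # block object (client IP) -> requests in window
    blocked = {}
    for ts, ip, path, status in events:
        if ip in blocked and ts < blocked[ip] + block_seconds:
            continue  # within the block duration: request is blocked/monitored
        q = recent[ip]
        q.append((ts, path, status))
        while q[0][0] < ts - window:  # slide the detection window forward
            q.popleft()
        total = len(q)
        not_found = sum(1 for _, _, s in q if s == 404)
        missing_dirs = {p for _, p, s in q if is_missing_directory(p, s)}
        # All three conditions must hold inside one window, as in the rule.
        if (total > max_requests and not_found / total > max_404_ratio
                and len(missing_dirs) > max_missing_dirs):
            blocked[ip] = ts
            q.clear()
    return blocked


def sample_events():
    """Constructed log sample: a directory brute-forcer, a normal user, a crawler that only 404s on images."""
    ev = [(i / 10, "198.51.100.7", f"/backup_{i}/", 404) for i in range(60)]
    ev += [(float(i), "203.0.113.5", "/index.html", 200) for i in range(12)]
    ev += [(i + 0.5, "203.0.113.5", "/old.png", 404) for i in range(3)]
    ev += [(i / 10, "192.0.2.9", f"/img/{i}.png", 404) for i in range(60)]
    return sorted(ev)
```

Only the brute-forcer trips all three conditions (on its 51st request, at 5.0 s); the crawler's 404s are on static files, so it never exceeds the non-existent directory count, which is the kind of false positive the "excluding static files" clause avoids.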

API reference