Directory traversal protection - User Guide| Alibaba Cloud Documentation Center

Directory traversal protection helps you automatically block client IP addresses that launch multiple directory traversal attacks on your domain within a short period of time.

Prerequisites

You can enable this feature in Web Application Firewall (WAF) only when the following conditions are met:

You have bought a monthly or yearly subscription WAF service. For more information, see Activate Alibaba Cloud WAF.
You have added your domain to WAF for protection. For more information, see the "Configure WAF" part of the "Overview" section in Alibaba Cloud WAF User Guide.
You have enabled Web application protection and HTTP flood protection. For more information, see Web application protection and HTTP flood protection.

Background information

You can enable the directory traversal protection feature to automatically detect and block client IP addresses that launch multiple directory traversal attacks on your domain within a short period of time. Requests from the blocked IP addresses are rejected during the blocking period. After the blocking period expires, the blocked IP addresses are automatically unblocked. After enabling directory traversal protection, you can customize a protection rule. For more information, see Step 5. You can also unblock IP addresses manually. For more information, see Step 6.

Procedure

Log on to the WAF console.
In the left-side navigation pane, choose Management > Website Configuration. On the Website Configuration page that appears, select the region of your WAF instance (Mainland China or International).
Find the domain to be configured in the domain list, and click Policies in the Operation column.
On the page that appears, scroll down to the Directory Traversal Protection area and turn on Status to enable directory traversal protection.

After directory traversal protection is enabled, the following protection rule takes effect by default: If WAF detects more than 50 access requests from a client IP address to the specified domain within 10 seconds and that more than 70% of the responses to these requests contain the 404 response code , WAF blocks the IP address for 1,800 seconds.

Optional: You can perform the following steps to customize a protection rule:

In the Directory Traversal Protection area, click Settings.

In the Rule Setting dialog box that appears, set the following parameters.

Note If you do not know how to set the parameters, set Mode to one of the following values: Flexible Mode, Strict Mode, and Normal Mode. Each of these values correspond to a default protection rule that is configured to a certain degree of strictness. You can adjust the settings in these rules to customize the degree of strictness.


Parameter	Description
Inspection Time Range	The period of time at which WAF checks for directory traversal attacks from client IP addresses on the specified domain. Unit: second.
The total requests exceeds	The maximum number of access requests that can be sent from a client IP address to the specified domain within the specified period of time. WAF blocks a client IP address when both of the following conditions are met: The number of access requests from the IP address to the specified domain within the specified period of time is greater than the value of this parameter, and the percentage of responses to these requests with the 404 response code exceeds the specified threshold.
And the percentage of responses with 404 exceeds
Blocked IP Addresses	The period of time over which a client IP address is blocked. Unit: second.

Click OK.

Optional: To manually unblock client IP addresses, click Unblock IP Address in the Directory Traversal Protection area.