Directory traversal protection helps you automatically block client IP addresses that launch multiple directory traversal attacks on your domain within a short period of time.

Prerequisites

You can enable this feature in Web Application Firewall (WAF) only when the following conditions are met:

Background information

You can enable the directory traversal protection feature to automatically detect and block client IP addresses that launch multiple directory traversal attacks on your domain within a short period of time. Requests from the blocked IP addresses are rejected during the blocking period. After the blocking period expires, the blocked IP addresses are automatically unblocked. After enabling directory traversal protection, you can customize a protection rule. For more information, see Step 5. You can also unblock IP addresses manually. For more information, see Step 6.

Procedure

  1. Log on to the WAF console.
  2. In the left-side navigation pane, choose Management > Website Configuration. On the Website Configuration page that appears, select the region of your WAF instance (Mainland China or International).
  3. Find the domain to be configured in the domain list, and click Policies in the Operation column.
  4. On the page that appears, scroll down to the Directory Traversal Protection area and turn on Status to enable directory traversal protection.

    After directory traversal protection is enabled, the following protection rule takes effect by default: if WAF detects more than 50 access requests from a client IP address to the specified domain within 10 seconds, and more than 70% of the responses to these requests carry the 404 response code, WAF blocks the IP address for 1,800 seconds.
  5. Optional: You can perform the following steps to customize a protection rule:
    1. In the Directory Traversal Protection area, click Settings.
    2. In the Rule Setting dialog box that appears, set the following parameters.
      Note: If you are unsure how to set the parameters, set Mode to one of the following values: Flexible Mode, Strict Mode, or Normal Mode. Each of these values corresponds to a default protection rule with a certain degree of strictness. You can adjust the settings in these rules to customize the degree of strictness.
      Parameters:
      - Inspection Time Range: The period of time over which WAF counts access requests from a client IP address to the specified domain and checks them for directory traversal attacks. Unit: second.
      - The total requests exceeds: The maximum number of access requests that a client IP address may send to the specified domain within the inspection time range. WAF blocks a client IP address only when both of the following conditions are met: the number of access requests from the IP address to the specified domain within the inspection time range is greater than the value of this parameter, and the percentage of responses to these requests with the 404 response code exceeds the threshold set in the next parameter.
      - And the percentage of responses with 404 exceeds: The threshold for the percentage of responses with the 404 response code, evaluated together with the request-count condition above.
      - Blocked IP Addresses: The period of time for which a client IP address remains blocked after the rule is triggered. Unit: second.

    3. Click OK.
  6. Optional: To manually unblock client IP addresses, click Unblock IP Address in the Directory Traversal Protection area.
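To make the rule semantics concrete, the following Python simulation applies the default rule from Step 4 (more than 50 requests in 10 seconds, more than 70% of them answered with 404, block for 1,800 seconds) to constructed access-log lines. This is an added educational example, not WAF's implementation: the per-IP sliding window, the decision to reject the request that trips the threshold, and the `seconds ip status path` log format are all assumptions made here. The IP addresses are documentation ranges and the log is generated inline.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional, Tuple


@dataclass
class TraversalRule:
    # Defaults mirror the page's default rule; the names follow the Rule Setting dialog.
    inspection_window_s: float = 10.0   # Inspection Time Range
    max_requests: int = 50              # "The total requests exceeds"
    max_404_ratio: float = 0.70         # "And the percentage of responses with 404 exceeds"
    block_duration_s: float = 1800.0    # blocking period ("Blocked IP Addresses")


@dataclass
class ClientState:
    events: Deque[Tuple[float, int]] = field(default_factory=deque)  # (timestamp, status)
    blocked_until: Optional[float] = None


class TraversalBlocker:
    """Per-client-IP sliding-window evaluation of the directory traversal rule (assumed model)."""

    def __init__(self, rule: Optional[TraversalRule] = None):
        self.rule = rule or TraversalRule()
        self.clients: Dict[str, ClientState] = defaultdict(ClientState)

    def is_blocked(self, ip: str, now: float) -> bool:
        st = self.clients[ip]
        if st.blocked_until is None:
            return False
        if now < st.blocked_until:
            return True
        st.blocked_until = None  # blocking period expired: automatic unblock
        return False

    def observe(self, ip: str, ts: float, status: int) -> bool:
        """Record one request/response pair; return True if the request is rejected."""
        if self.is_blocked(ip, ts):
            return True
        st = self.clients[ip]
        st.events.append((ts, status))
        cutoff = ts - self.rule.inspection_window_s
        while st.events and st.events[0][0] < cutoff:   # drop events outside the window
            st.events.popleft()
        total = len(st.events)
        not_found = sum(1 for _, s in st.events if s == 404)
        # Both conditions must hold: request count AND 404 ratio exceed their thresholds.
        if total > self.rule.max_requests and not_found / total > self.rule.max_404_ratio:
            st.blocked_until = ts + self.rule.block_duration_s
            st.events.clear()
            return True  # assumption: the triggering request itself is rejected
        return False

    def unblock(self, ip: str) -> None:
        """Manual unblock, the equivalent of the Unblock IP Address button."""
        self.clients[ip].blocked_until = None


def build_sample_log():
    """Constructed log lines: '<seconds> <ip> <status> <path>'."""
    lines = []
    for i in range(60):  # scanner: 60 requests in 6 s, mostly probing paths that do not exist
        status = 200 if i % 6 == 0 else 404
        lines.append(f"{i * 0.1:.1f} 203.0.113.9 {status} /backup_{i}.zip")
    for i in range(60):  # busy crawler: many requests, but every one hits a real page
        lines.append(f"{i * 0.1:.1f} 198.51.100.4 200 /page/{i}")
    for i in range(30):  # stale-link client: all 404, but too few requests to trigger
        lines.append(f"{i * 0.1:.1f} 192.0.2.7 404 /old/{i}")
    lines.append("1805.0 203.0.113.9 404 /probe.txt")  # scanner returns as the block expires
    return sorted(lines, key=lambda line: float(line.split()[0]))


def replay(lines, rule: Optional[TraversalRule] = None):
    """Feed log lines through the blocker; return (blocker, rejected-request count per IP)."""
    blocker = TraversalBlocker(rule)
    rejected: Dict[str, int] = defaultdict(int)
    for line in lines:
        ts, ip, status, _path = line.split(maxsplit=3)
        if blocker.observe(ip, float(ts), int(status)):
            rejected[ip] += 1
    return blocker, dict(rejected)


if __name__ == "__main__":
    _, counts = replay(build_sample_log())
    for ip, n in counts.items():
        print(f"{ip}: {n} requests rejected")
```

In the sample log only the scanner is blocked: its 51st request arrives at 5.0 s with 42 of 51 responses being 404 (about 82%), so that request and the nine that follow are rejected, while the crawler (0% 404) and the stale-link client (30 requests, under the count threshold) are never affected. The request at 1805.0 s is accepted because the 1,800-second blocking period has just expired, which is the automatic unblock the page describes.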