WAF supports the account security feature that detects account risks. This feature monitors endpoints related to user authentication, such as registration and logon endpoints, and detects events that may pose a threat to user credentials. Detectable risks include credential stuffing, brute-force attacks, account registration launched by bots, weak password sniffing, and SMS interface abuse. To use the account security feature, add endpoints that need to be monitored to WAF. You can view detection results in WAF security reports.

Background information

  • Before you enable account security, collect the endpoint information required for configuration: the domain name, the URI to which user credentials are submitted, and the names of the parameters that carry the username and password.
  • Your website is already added to WAF for protection. For more information, see Website configuration.

Limits

Each WAF instance supports up to three endpoints.

Add an endpoint

  1. Log on to the WAF console.
  2. In the upper-left corner, select the region where the WAF instance is deployed. You can select Mainland China or International.
  3. In the left-side navigation pane, choose Management > Account Security.
  4. On the Account Security page, click Add Endpoint.
    Note: Each WAF instance supports up to three endpoints. If the upper limit has been reached, the Add Endpoint button is dimmed and you cannot add more endpoints.
  5. In the Add Endpoint dialog box that appears, set the parameters, and then click Save. The parameters are described below.
    Endpoint to be Detected: Select the domain name that needs to be monitored by WAF, and enter the URI to which user credentials are submitted.
      Do not enter the page on which users log on, for example, /login.html. Enter the endpoint to which usernames and passwords are submitted.
    Account Parameter Name: Enter the name of the parameter that carries the username.
    Password Parameter Name: Enter the name of the parameter that carries the password. If the endpoint does not require a password, leave this parameter empty.
    Sample configuration
    • For example, the logon endpoint is /login.do, and the body of the submitted POST request is username=Jammy&pwd=123456. In this case, set Account Parameter Name to username and Password Parameter Name to pwd, as shown in the following figure.
    • If the parameters that carry user credentials are included in the URL of a GET request, for example, /login.do?username=Jammy&pwd=123456, set the parameters in the same way as shown in the preceding figure.
    • If the endpoint does not require a password, for example, a registration endpoint, set only the Account Parameter Name parameter. Leave Password Parameter Name empty.
    • If phone numbers are used as user credentials on the endpoint, enter the name of the parameter that carries the phone number in the Account Parameter Name field. For example, if the URL is /sendsms.do?mobile=13811111111, set Endpoint to be Detected to /sendsms.do and Account Parameter Name to mobile. Leave Password Parameter Name empty.
    After you add the endpoint, WAF automatically dispatches detection tasks. If the traffic of the endpoint meets the detection conditions, account risks are reported within a few hours.
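The most common configuration mistake described above is entering the logon page instead of the submission endpoint, or entering a parameter name that the form does not actually send. The following script is an added example, not part of the WAF documentation or product: it takes the values you intend to enter in the console (represented here as a hypothetical dict with the keys uri, account_param and password_param) and checks them against a captured request from your own application, covering the three cases the page describes (POST form body, GET query string, and an SMS endpoint with no password). All requests and domain names in the script are constructed samples.

```python
"""
Added example (not WAF's code): verify that the Endpoint to be Detected,
Account Parameter Name and Password Parameter Name you plan to configure
match a request your application actually sends.
"""
from urllib.parse import urlsplit, parse_qs

# Field names that usually carry a password; used only to warn about a
# configuration that omits Password Parameter Name although one is sent.
PASSWORD_LIKE_FIELDS = {"pwd", "password", "passwd"}


def extract_credential_params(method, url, body=""):
    """Return {name: first_value} for every form parameter in the request,
    from the query string (GET) and, for POST, the urlencoded body."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return {key: values[0] for key, values in params.items()}


def check_endpoint_config(endpoint_cfg, method, url, body=""):
    """endpoint_cfg is a hypothetical dict mirroring the console fields:
    {'uri': ..., 'account_param': ..., 'password_param': ... (optional)}.
    Returns a list of problems; an empty list means the configuration
    matches the observed request."""
    problems = []
    path = urlsplit(url).path
    if path != endpoint_cfg["uri"]:
        problems.append(f"URI mismatch: request goes to {path}, "
                        f"config says {endpoint_cfg['uri']}")
    params = extract_credential_params(method, url, body)
    account = endpoint_cfg["account_param"]
    if account not in params:
        problems.append(f"account parameter '{account}' not found in request")
    password = endpoint_cfg.get("password_param")
    if password and password not in params:
        problems.append(f"password parameter '{password}' not found in request")
    if not password:
        # Endpoint configured without a password, but the request carries one.
        for key in params:
            if key.lower() in PASSWORD_LIKE_FIELDS:
                problems.append(f"request carries '{key}' but no "
                                "Password Parameter Name is configured")
    return problems


# Constructed samples: (intended console configuration, method, URL, body)
SAMPLES = [
    ({"uri": "/login.do", "account_param": "username", "password_param": "pwd"},
     "POST", "https://www.example.com/login.do", "username=Jammy&pwd=123456"),
    ({"uri": "/login.do", "account_param": "username", "password_param": "pwd"},
     "GET", "https://www.example.com/login.do?username=Jammy&pwd=123456", ""),
    ({"uri": "/sendsms.do", "account_param": "mobile"},
     "GET", "https://www.example.com/sendsms.do?mobile=13811111111", ""),
    # Misconfiguration: the HTML page was entered instead of the submission
    # endpoint, and the account parameter name is wrong.
    ({"uri": "/login.html", "account_param": "user", "password_param": "pwd"},
     "POST", "https://www.example.com/login.do", "username=Jammy&pwd=123456"),
]


def run_all():
    """Check every sample; returns one problem list per sample."""
    return [check_endpoint_config(*sample) for sample in SAMPLES]


if __name__ == "__main__":
    for cfg, method, url, body in SAMPLES:
        result = check_endpoint_config(cfg, method, url, body)
        print(method, url, "->", result or "OK")
```

Run it against a request captured from your own browser's developer tools (copy the request URL and, for POST, the form body) before saving the endpoint in the console; the last sample shows the two problems reported for the /login.html mistake the page warns about.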

View account security reports

To view account security reports, navigate to the Account Security page, find the target endpoint, and then click View Report in the Actions column. You can also view security reports on the Reports page.


The following procedure shows how to view security reports on the Reports page.

  1. Log on to the WAF console.
  2. In the upper-left corner, select the region where the WAF instance is deployed. You can select Mainland China or International.
  3. In the left-side navigation pane, choose Reports > Reports.
  4. On the Account Security tab, select the domain, endpoint, and time period (Yesterday, Today, Last 7 Days, or Last 30 Days) to view detected account risks.

    The fields in an account security report are described below.

    Endpoint: The URI at which account risks are detected by WAF.
    Domain: The domain to which the endpoint belongs.
    Malicious Requests Occurred During: The time period during which account risks were detected.
    Blocked Requests: The number of requests blocked by WAF protection rules during the time period displayed in the Malicious Requests Occurred During column.
      WAF protection rules are all protection rules that are currently in effect, including web application protection rules, HTTP ACL policies, HTTP flood protection rules, and blocked regions. The proportion of blocked requests to total requests reflects the account security status of the endpoint.
    Total Requests: The total number of requests sent to the endpoint during the time period displayed in the Malicious Requests Occurred During column.
    Alert Triggered By: The reason why the alert was triggered. Possible reasons include:
    • Requests fit the behavior model of credential stuffing or brute-force attacks.
    • The traffic baseline of the endpoint was exceeded during the displayed time period.
    • A large number of requests sent to the endpoint during the displayed time period match rules in the threat intelligence library.
    • Weak passwords were detected in a large number of requests sent to the endpoint during the displayed time period, which indicates that credential stuffing or brute-force attacks may be in progress.
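To make the alert reasons above concrete, the following script is an added, deliberately simplified illustration and not WAF's detection engine: it computes three of the listed signals (a credential-stuffing behaviour model, a traffic-baseline check, and a weak-password share) over a constructed batch of request records of the kind an inline inspector sees before the application does. The baseline, the minimum number of distinct accounts per source, the weak-password list and the share threshold are all assumptions chosen for the demonstration; a production system would derive the baseline from historical traffic and would retain only the verdict, never the password values.

```python
"""
Added example (not WAF's algorithm): simplified versions of three signals
behind the report's "Alert Triggered By" column, run over constructed records.
"""
from collections import Counter, defaultdict

# Constructed sample traffic for one logon endpoint:
# (timestamp in seconds, source IP, account parameter value, password value).
# Two legitimate logons followed by a one-minute burst from a single source
# that tries many accounts with common passwords.
REQUESTS = [
    (0, "198.51.100.7", "alice", "Corr3ct-H0rse!"),
    (30, "198.51.100.9", "bob", "Tr0ub4dor&3"),
    (61, "203.0.113.5", "carol", "123456"),
    (62, "203.0.113.5", "dave", "123456"),
    (63, "203.0.113.5", "erin", "password"),
    (64, "203.0.113.5", "frank", "qwerty"),
    (65, "203.0.113.5", "grace", "111111"),
    (66, "203.0.113.5", "heidi", "12345678"),
    (67, "203.0.113.5", "alice", "123456"),
]

# Assumed thresholds for the demonstration (not WAF's values).
WEAK_PASSWORDS = {"123456", "password", "12345678", "qwerty", "111111"}
BASELINE_REQ_PER_WINDOW = 5    # normal request rate for this endpoint
MIN_DISTINCT_ACCOUNTS = 5      # one source trying at least this many accounts
WEAK_SHARE_THRESHOLD = 0.5     # fraction of requests carrying a weak password


def analyze(requests, window_sec=60):
    """Return the computed signals and the list of alert reasons they trigger."""
    reasons = []
    if not requests:
        return {"peak_per_window": 0, "stuffing_sources": [],
                "weak_share": 0.0, "reasons": reasons}

    # Signal 1: traffic baseline. Count requests per fixed time window and
    # compare the busiest window with the assumed baseline.
    per_window = Counter(ts // window_sec for ts, *_ in requests)
    peak = max(per_window.values())
    if peak > BASELINE_REQ_PER_WINDOW:
        reasons.append(f"traffic baseline exceeded: {peak} requests in one "
                       f"{window_sec}s window (baseline {BASELINE_REQ_PER_WINDOW})")

    # Signal 2: credential-stuffing behaviour model. A single source cycling
    # through many distinct accounts is the core of the pattern.
    accounts_per_source = defaultdict(set)
    for _, source_ip, account, _ in requests:
        accounts_per_source[source_ip].add(account)
    stuffing_sources = sorted(ip for ip, accounts in accounts_per_source.items()
                              if len(accounts) >= MIN_DISTINCT_ACCOUNTS)
    if stuffing_sources:
        reasons.append("credential stuffing / brute-force behaviour model matched "
                       f"by sources {stuffing_sources}")

    # Signal 3: weak-password share. Only the membership test result is kept;
    # the password values themselves are not stored anywhere.
    weak_count = sum(1 for *_, password in requests if password in WEAK_PASSWORDS)
    weak_share = weak_count / len(requests)
    if weak_share > WEAK_SHARE_THRESHOLD:
        reasons.append(f"weak passwords in {weak_count} of {len(requests)} "
                       f"requests ({weak_share:.0%})")

    return {"peak_per_window": peak, "stuffing_sources": stuffing_sources,
            "weak_share": weak_share, "reasons": reasons}


if __name__ == "__main__":
    report = analyze(REQUESTS)
    for reason in report["reasons"]:
        print("Alert Triggered By:", reason)
```

Running the script on the constructed batch produces all three reasons; running it on the first two records alone produces none, which is the contrast a report reader should expect between a quiet period and an attack window.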

Additional information

The account security feature only detects account risks; it does not block them. Because businesses and technologies vary, we recommend that you choose security services based on your actual business requirements to better safeguard your business. For more information, see Account security best practices.