Web Application Firewall (WAF) provides the account security feature to help you detect account risks. This topic provides suggestions on how to protect endpoints in different scenarios. You can follow the instructions in this topic to better protect endpoints where user authentication is performed.

Background information

WAF supports the account security feature that detects account risks. This feature monitors endpoints related to user authentication, such as registration and logon endpoints, and detects events that may pose a threat to user credentials. Detectable risks include credential stuffing, brute-force attacks, account registration launched by bots, weak password sniffing, and SMS interface abuse. After endpoints are added to WAF, you can view detection results in WAF security reports. For more information, see Account security.

Verification services for common and HTML5 web pages

Verification services, including SMS verification and CAPTCHA, are the easiest and most effective approaches to protect endpoints. Integrating verification services into your business typically requires minor code changes. It may take one or two business days to modify the code. Common verification methods can block direct calls launched from simple tools or scripts. However, because attack methods and tools adapt quickly, common verification methods can be easily bypassed. We recommend that you use professional verification services, for example, Alibaba Cloud CAPTCHA, to better protect endpoints against attacks.

Alibaba Cloud CAPTCHA is a suite of CAPTCHA and risk control systems that are developed based on years of defense experience of Alibaba Group. It provides a wide array of verification methods, for example, targeted verification, to verify suspicious requests and block malicious requests.

SDK signatures for native apps

Verification services may be unsuitable for native apps. Alibaba Cloud provides an SDK for native apps. This SDK collects the hardware and environment information about a mobile device, generates a signature for each request, and verifies the signatures of incoming requests. The SDK forwards requests only from verified apps to the origin server. Requests sent from scripts, automated programs, simulators, and other unverified sources are blocked. For more information, see Solution overview.

Frequency control for blocking attack sources

Frequency control helps you identify requests that share a common field among a large number of requests. You can specify the maximum number of occurrences of the common field. The source of the requests is blocked when the maximum number of occurrences is exceeded. Traditional protection methods typically block malicious IP addresses. However, malicious requests sent from proxies or rotating IP addresses may still carry the same token, for example, the same UID, in their cookies. In this case, you can set the maximum number of occurrences based on the cookie field to block malicious accounts even when their IP addresses change.

You can set frequency rules in Anti-Bot Service to block malicious requests. The following figure shows an example.

Figure: Set a frequency control rule
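The following added example (not Anti-Bot Service code) illustrates the point above with a sliding-window counter over a constructed request log: keyed by source IP, a credential-stuffing burst that rotates through four proxy addresses stays under the threshold, but keyed by the uid cookie the same burst is blocked. The request fields, window and threshold are assumptions chosen for the illustration.

```python
from collections import defaultdict, deque

# Constructed sample log: 12 logon attempts within 6 seconds that rotate through
# four proxy IPs but reuse one session (uid=u42), plus two legitimate users.
SAMPLE_REQUESTS = [
    {"ts": i * 0.5, "ip": f"203.0.113.{10 + i % 4}", "cookies": {"uid": "u42", "sid": "s1"}}
    for i in range(12)
] + [
    {"ts": 1.0, "ip": "198.51.100.7", "cookies": {"uid": "u7", "sid": "s2"}},
    {"ts": 2.0, "ip": "198.51.100.8", "cookies": {"uid": "u8", "sid": "s3"}},
]

def ip_key(req):
    """Traditional keying: count requests per source IP address."""
    return req["ip"]

def cookie_key(name):
    """Keying on a common cookie field (for example the UID) instead of the IP."""
    return lambda req: req["cookies"].get(name)

def frequency_control(requests, key, window_s, max_hits):
    """Sliding-window frequency control.

    A key (IP, cookie UID, ...) is added to the returned blocked set as soon as it
    appears more than max_hits times within any window_s-second window.
    """
    windows = defaultdict(deque)   # key -> timestamps of recent hits
    blocked = set()
    for req in sorted(requests, key=lambda r: r["ts"]):
        k = key(req)
        if k is None:              # request lacks the field: cannot be keyed on it
            continue
        hits = windows[k]
        hits.append(req["ts"])
        while hits and req["ts"] - hits[0] > window_s:
            hits.popleft()         # drop hits that fell out of the window
        if len(hits) > max_hits:
            blocked.add(k)
    return blocked
```

With a 10-second window and a limit of 5, `frequency_control(SAMPLE_REQUESTS, ip_key, 10, 5)` blocks nothing (each proxy IP sends only 3 requests), while `frequency_control(SAMPLE_REQUESTS, cookie_key("uid"), 10, 5)` blocks `u42`.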

Analyze suspicious requests

Compared with normal requests, malicious requests typically have certain characteristics. The following examples describe common characteristics among malicious requests.

  • Incomplete HTTP headers. Malicious requests may exclude certain fields, such as referer, cookie, and content-type.
  • Abnormal User-Agent values. User-Agent headers typically used in requests targeting Java or Python-based websites are found in requests sent to common websites. User-Agent headers typically used in requests initiated from desktop browsers are found in requests sent to WeChat mini programs. In these cases, requests containing abnormal User-Agent headers may be malicious.
  • Missing cookies. Typically, multiple cookies are used in an application. Common cookies include SessionID, userid, deviceid, and lastvisit. However, crawlers may include only one or two cookies that are required for retrieving information, and exclude other common cookies.
  • Abnormal parameters. Similar to missing cookies, some parameters are not required for crawlers to retrieve information. Crawlers may omit these parameters or submit them repeatedly in requests.
  • Suspicious field values. The email addresses, phone numbers, and account information submitted in a request may contain suspicious values.
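As an added example (heuristics written for this page, not Log Service or WAF logic), the following scores one request against the first four characteristics above: incomplete headers, a library or tool User-Agent, cookies missing from the set the page lists, and form parameters that are absent or repeated. The expected form fields, the User-Agent token list and the two sample requests are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Cookie names come from the page; the form fields are an assumed logon endpoint.
EXPECTED_COOKIES = {"SessionID", "userid", "deviceid", "lastvisit"}
EXPECTED_PARAMS = {"username", "password", "csrf_token"}
# User-Agent tokens of HTTP libraries and tools rather than browsers (assumed list).
LIBRARY_UA = re.compile(r"python-requests|python-urllib|java/|okhttp|curl/|go-http-client", re.I)

def score_request(req):
    """Return (score, reasons) for one request; each matched characteristic adds one point."""
    reasons = []
    headers = {k.lower(): v for k, v in req["headers"].items()}
    # 1. Incomplete HTTP headers
    for name in ("referer", "cookie", "content-type"):
        if name not in headers:
            reasons.append(f"missing header: {name}")
    # 2. Abnormal User-Agent
    if LIBRARY_UA.search(headers.get("user-agent", "")):
        reasons.append("library/tool User-Agent")
    # 3. Missing cookies: only the one or two needed to fetch data are present
    sent = {c.split("=", 1)[0].strip() for c in headers.get("cookie", "").split(";") if c.strip()}
    missing = EXPECTED_COOKIES - sent
    if sent and len(missing) >= len(EXPECTED_COOKIES) // 2:
        reasons.append(f"missing cookies: {sorted(missing)}")
    # 4. Abnormal parameters: expected fields absent, or a field submitted repeatedly
    names = [k for k, _ in parse_qsl(req.get("body", ""), keep_blank_values=True)]
    if names and EXPECTED_PARAMS - set(names):
        reasons.append(f"missing parameters: {sorted(EXPECTED_PARAMS - set(names))}")
    repeated = {n for n in names if names.count(n) > 1}
    if repeated:
        reasons.append(f"repeated parameters: {sorted(repeated)}")
    return len(reasons), reasons

# Constructed samples: a browser logon and a scripted one from a credential-stuffing tool.
BROWSER_LOGON = {
    "headers": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0",
                "Referer": "https://shop.example/login",
                "Content-Type": "application/x-www-form-urlencoded",
                "Cookie": "SessionID=s1; userid=u7; deviceid=d1; lastvisit=1700000000"},
    "body": "username=alice&password=correct-horse&csrf_token=t1",
}
SCRIPTED_LOGON = {
    "headers": {"User-Agent": "python-requests/2.31.0", "Cookie": "SessionID=s9"},
    "body": "username=alice&password=guess1&password=guess2",
}
```

`score_request(BROWSER_LOGON)` returns a score of 0, while `score_request(SCRIPTED_LOGON)` returns 6 with one reason per matched characteristic; a real deployment would compute the proportion of such requests per source over the log rather than act on a single request.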

Log Service, which is integrated into both WAF and Anti-Bot Service, can help you analyze request characteristics. For example, Log Service can rank IP addresses by the number of requests initiated from them, and calculate the proportion of requests that have a certain characteristic.

For more information, see Common statements used for log query and analytics.

Enable credential stuffing and crawler threat intelligence

Anti-Bot Service uses algorithms to identify malicious IP addresses from credential stuffing attacks detected by Alibaba Cloud. A credential stuffing IP blacklist is created and updated dynamically. You can log on to the Anti-Bot Service console and navigate to the Threat Intelligence tab to set the credential stuffing IP blacklist to the Monitor, Block, or Slider Captcha mode. For more information, see Bot intelligence.

Figure: The Threat Intelligence tab

Managed Security Service

If your business requires stronger protection, or you need help from security specialists, we recommend that you use Managed Security Service. Alibaba Cloud attack and defense specialists provide custom protection solutions based on your actual business scenarios and requirements. These solutions help you dynamically analyze, monitor, and block attacks to better safeguard your business.