After you add a website to Web Application Firewall (WAF), you can enable the scan protection feature for your website. The scan protection feature automatically blocks access requests that have specific characteristics. For example, if the source IP address of the requests initiates multiple web attacks or targeted directory traversal attacks in a short period of time, WAF automatically blocks the requests. Source IP addresses are also blocked if they are from common scan tools or the Alibaba Cloud library that records malicious IP addresses. You can customize the policies of scan protection as needed.

Notice This topic uses the new version of the WAF console released in January 2020. If the WAF instance was created before January 2020, see IP blocking, Directory traversal protection and Threat intelligence.

Prerequisites

  • A Web Application Firewall instance is available. For more information, see Activate a WAF instance.
  • The website is associated with the Web Application Firewall instance. For more information, see Add domain names.
  • To customize protection policies of high-frequency web attack blocking and directory traversal protection, the billing method of your WAF instance must be either a monthly or annual subscription. The WAF instance must use the Enterprise edition, Ultimate edition or Exclusive edition. The Advanced edition only supports scan protection with the default protection policy.

Background information

The scan protection feature provides high-frequency web attack blocking, directory traversal protection, scan tool blocking, and collaborative protection.

  • High-frequency web attack blocking: Automatically blocks IP addresses that initiate multiple web attacks in a short period of time. If the number of web attacks initiated by a client IP address exceeds a certain number, the access requests from this IP address are blocked for a certain time period. You can customize the protection policies of high-frequency web attack blocking. You can manually unblock a blocked IP address.
  • Directory traversal protection: Automatically blocks client IP addresses that initiate multiple directory traversal attacks in a short period of time. If the total number of requests initiated by a client IP address exceeds a certain number and the proportion of the 404 HTTP status code exceeds a certain proportion, the access requests from this IP address are blocked for a certain time period. You can customize the protection policies of directory traversal protection. You can manually unblock a blocked IP address.
  • Scan tool blocking: Automatically blocks access requests from IP addresses of common scan tools. Blocked scan tools include: Sqlmap, AWVS, Nessus, Appscan, Webinspect, Netsparker, Nikto, and Rsas.
  • Collaborative protection: Automatically blocks access requests from IP addresses in the Alibaba Cloud library that records malicious IP addresses.

Procedure

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose Protection Settings > Website Protection.
  4. In the upper part of the Website Protection page, select the domain name for which you want to configure scan protection.
  5. Click the Access Control/Throttling tab, and find Scan Protection in the Access Control/Throttling module to complete the following settings.
    • Blocking IPs Initiating High-frequency Web Attacks: Enable or disable high-frequency web attack blocking.
      To configure the protection policies of high-frequency web attack blocking, follow these steps:
      1. Enable high-frequency web attack blocking.
      2. Click Settings.
      3. In the Rule Setting dialog box, set the following parameters: Inspection Time Range (seconds), The number of attacks exceeds (times), and Blocked IP Addresses (seconds).

        Rule definition: If the number of web attacks initiated by a client IP address in the specified Inspection Time Range exceeds the specified number (The number of attacks exceeds), the access requests from this IP address are blocked for the specified time period (Blocked IP Addresses).

        Note We recommend that you use Mode and choose a built-in configuration mode from Flexible Mode, Strict Mode, and Normal Mode. You can adjust the parameters as needed.
      4. Click Confirm.

      Unblock a blocked IP address: Click Unblock IP Address to unblock the target IP address.

    • Directory traversal protection: Enable or disable directory traversal protection.
      To configure the protection policies of directory traversal protection, follow these steps:
      1. Enable directory traversal protection.
      2. Click Settings.
      3. In the Rule Setting dialog box, set the following parameters: Inspection Time Range (seconds), The total requests exceed (times), And the percentage of responses with 404 exceeds (%), Blocked IP Addresses (seconds), and Directory number.

        Rule definition: If, within the specified Inspection Time Range, the total number of requests initiated by a client IP address exceeds the specified number (The total requests exceed) and the proportion of responses with the 404 HTTP status code exceeds the specified percentage, the access requests from this IP address are blocked for the specified time period (Blocked IP Addresses). If the number of distinct directories requested by the client IP address exceeds the specified Directory number, the requests are also blocked for the specified time period (Blocked IP Addresses).

        Note We recommend that you use Mode and choose a built-in configuration mode from Flexible Mode, Strict Mode, and Normal Mode. You can adjust the parameters as needed.
      4. Click Confirm.

      Unblock a blocked IP address: Click Unblock IP Address to unblock the target IP address.

    • Scanning Tool Blocking: Enable or disable scan tool blocking.

      After you enable scan tool blocking, common scan tool behaviors are identified. If the behaviors of an access request match scan behaviors, this access request is always blocked. If you disable scan tool blocking, scan activities are no longer blocked.

    • Collaborative Defense: Enable or disable collaborative protection.

      After you enable collaborative protection, the access requests are blocked if they are initiated by the IP addresses from the Alibaba Cloud library that records malicious IP addresses.
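The two rule definitions above (high-frequency web attack blocking and directory traversal protection) are both sliding-window counters per client IP. The following Python is an added example, not Alibaba Cloud's code and not how WAF is implemented internally: it simulates those two rules over constructed traffic so that you can see which request trips a rule and how the block expires. The parameter names mirror the console fields, but the default thresholds, the `is_attack` flag (WAF classifies web attacks itself), and the traffic are assumptions made for this example.

```python
# Added example, not Alibaba Cloud's code: a simulator of the two scan
# protection rule definitions in this topic, run over constructed traffic.
# Thresholds, the is_attack flag and the sample IPs/paths are assumptions.
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Rules:
    window_seconds: int = 60            # Inspection Time Range (seconds)
    attack_threshold: int = 20          # The number of attacks exceeds (times)
    request_threshold: int = 50         # The total requests exceed (times)
    ratio_404_threshold: float = 70.0   # percentage of responses with 404 exceeds (%)
    dir_threshold: int = 50             # Directory number
    block_seconds: int = 1800           # Blocked IP Addresses (seconds)
    # Defaults are placeholders, not WAF's built-in Flexible/Normal/Strict modes.


@dataclass
class ClientState:
    attacks: deque = field(default_factory=deque)   # timestamps of web attacks in window
    requests: deque = field(default_factory=deque)  # (timestamp, status, directory)
    blocked_until: float = 0.0


def directory_of(path: str) -> str:
    """Directory part of a request path: '/admin/login.php' -> '/admin', '/x' -> '/'."""
    return path.split("?", 1)[0].rsplit("/", 1)[0] or "/"


class ScanProtection:
    def __init__(self, rules: Rules):
        self.rules = rules
        self.clients = defaultdict(ClientState)

    def _trim(self, dq, now, ts_of):
        # Drop events that fell out of the sliding inspection window.
        cutoff = now - self.rules.window_seconds
        while dq and ts_of(dq[0]) < cutoff:
            dq.popleft()

    def handle(self, now, ip, path, status, is_attack=False):
        """Process one request. Returns None if allowed, else the reason it was blocked."""
        st = self.clients[ip]
        if now < st.blocked_until:
            return "blocked"
        st.requests.append((now, status, directory_of(path)))
        if is_attack:
            st.attacks.append(now)
        self._trim(st.attacks, now, lambda t: t)
        self._trim(st.requests, now, lambda r: r[0])
        r = self.rules
        # Rule 1: high-frequency web attack blocking.
        if len(st.attacks) > r.attack_threshold:
            st.blocked_until = now + r.block_seconds
            return "high-frequency web attacks"
        # Rule 2: directory traversal protection (404 ratio, or distinct directory count).
        total = len(st.requests)
        n404 = sum(1 for _, s, _ in st.requests if s == 404)
        if total > r.request_threshold and 100.0 * n404 / total > r.ratio_404_threshold:
            st.blocked_until = now + r.block_seconds
            return "directory traversal (404 ratio)"
        if len({d for _, _, d in st.requests}) > r.dir_threshold:
            st.blocked_until = now + r.block_seconds
            return "directory traversal (directory count)"
        return None


def run_demo():
    """Constructed traffic from four clients; small thresholds keep the demo short."""
    rules = Rules(window_seconds=60, attack_threshold=5, request_threshold=10,
                  ratio_404_threshold=70.0, dir_threshold=10, block_seconds=300)
    sp, t0, out = ScanProtection(rules), 1_700_000_000.0, {}
    # Guessing file names inside one directory: trips the 404-ratio rule on request 11.
    out["scanner_404"] = [sp.handle(t0 + i, "198.51.100.7", f"/wp-admin/file{i}.php", 404)
                          for i in range(12)]
    # Walking many existing directories: trips the directory-count rule on request 11.
    out["scanner_dirs"] = [sp.handle(t0 + i, "203.0.113.9", f"/dir{i}/index.html", 200)
                           for i in range(12)]
    # Six requests classified as web attacks: trips the high-frequency rule on the 6th.
    out["attacker"] = [sp.handle(t0 + i, "192.0.2.44", "/search", 200, is_attack=True)
                       for i in range(7)]
    out["normal"] = [sp.handle(t0 + i, "203.0.113.5", "/index.html", 200) for i in range(5)]
    # Once Blocked IP Addresses (seconds) elapses, the scanner is allowed again.
    out["after_block"] = sp.handle(t0 + 10 + rules.block_seconds + 1, "198.51.100.7", "/", 200)
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The simulator treats the request that pushes a counter over its threshold as the first blocked request and then short-circuits every later request from that IP until `blocked_until`; this is the behaviour a defender should expect when tuning the thresholds, and it is why the Inspection Time Range should be long enough that a slow scanner cannot keep its 404 ratio just under the limit by spacing requests.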