After you add a website to Web Application Firewall (WAF), you can enable the scan
protection function for your website. If you do that, access requests from specific
IP addresses are automatically blocked. These IP addresses include source IP addresses
that initiate high-frequency web attacks and malicious directory traversal attacks,
and IP addresses defined in common scanning tools or the Alibaba Cloud malicious IP
library. You can customize scan protection policies based on your requirements.
Background information
The scan protection function provides the following policies:
- Blocking IPs Initiating High-frequency Web Attacks: automatically blocks client IP
addresses that initiate multiple web attacks within a short period of time. You can
customize the protection policy and manually unblock a blocked IP address.
- Directory Traversal Prevention: automatically blocks client IP addresses that initiate
multiple directory traversal attacks in a short period of time. You can customize
the protection policy and manually unblock a blocked IP address.
- Scanning Tool Blocking: automatically blocks access requests from IP addresses defined
in common scanning tools. The scanning tools include sqlmap, AWVS, Nessus, AppScan,
WebInspect, Netsparker, Nikto, and RSAS.
- Collaborative Defense: automatically blocks access requests from IP addresses in the
Alibaba Cloud malicious IP library.
Procedure
- Log on to the Web Application Firewall console.
- In the top navigation bar, select the resource group to which the instance belongs
and the region, Mainland China or International, in which the instance is deployed.
- In the left-side navigation pane, choose .
- In the upper part of the Website Protection page, select the domain name for which you want to configure the whitelist.

- On the Access Control/Throttling tab, find the Scan Protection section and configure the following settings:

Note By default, all requests destined for your website are checked by scan protection when any policy in this section is enabled. You can configure an Access Control/Throttling rule so that requests that match the rule bypass the check. For more information, see Configure a whitelist for Access Control/Throttling.
- Blocking IPs Initiating High-frequency Web Attacks: You can enable or disable it.
Configure the protection policy.
- Turn on Blocking IPs Initiating High-frequency Web Attacks.
- Click Settings.
- In the Rule Setting dialog box, specify the following parameters: Inspection Time Range, The number of attacks exceeds, and Blocked IP Addresses.

If the number of web attacks initiated from a client IP address in the specified inspection time range exceeds a specific number, the access requests from this IP address are blocked for the specified time range.
Note We recommend that you select a built-in configuration mode from Flexible Mode, Strict Mode, and Normal Mode in the Mode section. You can modify the parameters based on your requirements.
- Click Confirm.
You can click Unblock IP Address to unblock IP addresses that are blocked by the policy.
- Directory Traversal Prevention: You can enable or disable it.
Configure the protection policy.
- Turn on Directory Traversal Prevention.
- Click Settings.
- In the Rule Setting dialog box, specify the following parameters: Inspection Time Range, The total requests exceed, And the percentage of responses with 404 exceeds, Blocked IP Addresses, and Directory number.

If the total number of requests initiated from a client IP address in the specified inspection time range exceeds a specific number and the proportion of the requests for which the HTTP status code 404 is returned to the total requests exceeds a specific proportion, or the number of directories to which requests are sent within the specified inspection time range exceeds a specific number, the access requests from this IP address are blocked for the specified time range.
Note We recommend that you select a built-in configuration mode from Flexible Mode, Strict Mode, and Normal Mode in the Mode section. You can modify the parameters based on your requirements.
- Click Confirm.
You can click Unblock IP Address to unblock IP addresses that are blocked by the policy.
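To make the two threshold policies above concrete (the high-frequency web attack policy and the directory traversal policy), the following is an added illustration that replays constructed access records through a per-IP sliding window and reports which IPs would be blocked and until when. It is not WAF code and does not describe how WAF counts internally: the policy parameter names mirror the dialog fields, but the window semantics, the treatment of requests from an already blocked IP, the definition of a "directory" as the parent path, and all sample values are assumptions made for this example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Sequence


@dataclass(frozen=True)
class Request:
    """One access log record (constructed sample data, not the WAF log format)."""
    ts: float         # arrival time in seconds
    ip: str           # client IP address
    path: str         # request path, optionally with a query string
    status: int       # HTTP status code returned to the client
    is_attack: bool   # True if a web-attack rule already flagged this request


@dataclass(frozen=True)
class HighFrequencyPolicy:
    """'Blocking IPs Initiating High-frequency Web Attacks' (assumed semantics)."""
    window: float          # Inspection Time Range, in seconds
    attack_threshold: int  # The number of attacks exceeds
    block_seconds: float   # Blocked IP Addresses: how long the block lasts

    def triggered(self, recent: Sequence[Request]) -> bool:
        return sum(1 for r in recent if r.is_attack) > self.attack_threshold


@dataclass(frozen=True)
class DirectoryTraversalPolicy:
    """'Directory Traversal Prevention' (assumed semantics)."""
    window: float          # Inspection Time Range, in seconds
    total_threshold: int   # The total requests exceed
    ratio_404: float       # And the percentage of responses with 404 exceeds (0.0-1.0)
    dir_threshold: int     # Directory number
    block_seconds: float   # Blocked IP Addresses: how long the block lasts

    def triggered(self, recent: Sequence[Request]) -> bool:
        total = len(recent)
        not_found = sum(1 for r in recent if r.status == 404)
        many_404 = total > self.total_threshold and not_found / total > self.ratio_404
        distinct_dirs = {directory(r.path) for r in recent}
        return many_404 or len(distinct_dirs) > self.dir_threshold


def directory(path: str) -> str:
    """Parent directory of a request path: '/a/b/c.php' -> '/a/b', '/x' -> '/'.
    Assumption: the page does not define what WAF counts as a directory."""
    head, _, _ = path.split("?", 1)[0].rpartition("/")
    return head or "/"


def evaluate(requests: Sequence[Request], policy) -> Dict[str, float]:
    """Replay requests in time order with a per-IP sliding window.
    Returns {ip: time until which the IP is blocked}."""
    recent: Dict[str, Deque[Request]] = defaultdict(deque)
    blocked_until: Dict[str, float] = {}
    for r in sorted(requests, key=lambda x: x.ts):
        if blocked_until.get(r.ip, float("-inf")) > r.ts:
            continue  # request from a blocked IP: dropped and not counted
        q = recent[r.ip]
        q.append(r)
        while q[0].ts < r.ts - policy.window:
            q.popleft()  # expire records outside the inspection time range
        if policy.triggered(q):
            blocked_until[r.ip] = r.ts + policy.block_seconds
            q.clear()
    return blocked_until


# Constructed sample traffic (hypothetical addresses and paths).
SAMPLE_REQUESTS = (
    # 10.0.0.1: four attack-flagged requests within 10 s (exceeds 3)
    [Request(t, "10.0.0.1", "/login", 403 if a else 200, a) for t, a in
     [(0, True), (2, True), (4, False), (6, True), (8, True), (9, False)]]
    # 10.0.0.2: occasional flagged requests, far apart in time
    + [Request(t, "10.0.0.2", "/search", 403 if a else 200, a) for t, a in
       [(1, True), (3, False), (5, False), (30, True)]]
    # 10.0.0.3: 12 requests to 12 different directories, 11 of them answered 404
    + [Request(t, "10.0.0.3", f"/d{t}/index.html", 200 if t == 0 else 404, False)
       for t in range(12)]
    # 10.0.0.4: 25 distinct directories in 25 s, all answered 200
    + [Request(t, "10.0.0.4", f"/app{t}/", 200, False) for t in range(25)]
)

# Assumed thresholds; the real dialog values come from the chosen Mode.
HF_POLICY = HighFrequencyPolicy(window=10, attack_threshold=3, block_seconds=600.0)
DT_POLICY = DirectoryTraversalPolicy(window=30, total_threshold=10, ratio_404=0.7,
                                     dir_threshold=20, block_seconds=300.0)

if __name__ == "__main__":
    print("high-frequency blocks:", evaluate(SAMPLE_REQUESTS, HF_POLICY))
    print("directory traversal blocks:", evaluate(SAMPLE_REQUESTS, DT_POLICY))
```

Note that 10.0.0.3 is caught by the 404-ratio branch (11 requests, 10 of them 404) while 10.0.0.4 never returns a 404 and is caught only by the distinct-directory branch; the two conditions are independent, which is why the dialog exposes both the percentage and the Directory number.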
- Scanning Tool Blocking: You can enable or disable it.
After you enable Scanning Tool Blocking, the behaviors of common scanning tools are
automatically detected. If an access request meets the characteristics of scanning,
this request is always blocked. If you disable Scanning Tool Blocking, scanning behaviors
are no longer blocked.
- Collaborative Defense: You can enable or disable it.
After you enable Collaborative Defense, all access requests from the IP addresses
in the Alibaba Cloud malicious IP library are blocked.