
Web Application Firewall:Configure data risk control

Last Updated: Feb 20, 2024

After you add a website to Web Application Firewall (WAF), you can enable data risk control for the website. Data risk control is used to protect crucial website services against attacks. These services include registrations, logons, campaigns, and forums. This topic describes how to configure data risk control rules based on your business requirements.

Background information

The data risk control feature is built on the big data technologies of Alibaba Cloud. It uses risk decision engines and CAPTCHA verification to protect crucial services against attacks in various scenarios. To use data risk control, you only need to add your website to WAF. You do not need to configure servers or clients.

Data risk control is suitable for a wide range of scenarios, including spam user registration, SMS flood attacks, credential stuffing attacks, brute-force attacks, auto-purchase bots, promotion abuse, snatcher bots, vote manipulation, and spam.

The following figure shows how data risk control protects your website. For more information about the scenarios and protection effects of data risk control, see Examples.

[Figure: how data risk control protects your website]

Compatibility

Data risk control is suitable only for web pages or HTML5 environments. In some cases, the JavaScript plug-in that is inserted into web pages may be incompatible with the web pages. This results in errors in slider CAPTCHA verification. The following web pages may encounter compatibility issues:

  • Static web pages that users visit directly by URL, and web pages that users reach by redirection through location.href, the window.open method, or the anchor tag <a>. Static web pages include HTML details pages, shared pages, website homepages, and documents.

  • Web pages whose code rewrites or submits requests in custom ways, such as submitting forms, rewriting XMLHttpRequest (XHR), or sending custom Ajax requests.

  • Web pages whose code uses webhooks.

After you enable data risk control, we recommend that you select the warn mode and use data risk control together with the Simple Log Service for WAF feature. This allows you to run a compatibility test. For more information, see Overview of the Simple Log Service for WAF feature.

To protect native apps, we recommend that you use the Anti-Bot SDK. For more information, see Configure application protection.

Prerequisites

  • A WAF instance that meets the following requirements is purchased:

    • The instance is deployed in the Chinese mainland.

    • The bot management module is enabled.

  • Your website is added to WAF. For more information, see Tutorial.

Important

WAF provides the scenario-specific configuration feature. You can configure anti-crawler rules based on your business requirements to protect your business from malicious crawlers. If you want to protect your website against malicious crawlers, we recommend that you use the scenario-specific configuration feature. For more information, see Overview of scenario-specific configuration. After you configure anti-crawler rules, you no longer need to configure data risk control rules, because both types of rules prevent malicious crawlers. Alibaba Cloud no longer provides updates or maintenance for the data risk control feature.

Procedure

  1. Log on to the WAF console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Protection Settings > Website Protection.

  3. In the upper part of the Website Protection page, select the domain name that you want to configure from the Switch Domain Name drop-down list.

  4. On the Bot Management tab, find the Data Risk Control section and click Configure Now.

    Parameter: Status

    Description: The switch that you use to enable or disable data risk control. After you enable data risk control for a website, WAF inserts a JavaScript plug-in into specific or all web pages of the website. Web page data is returned to users in a compressed format other than GZIP. No further configuration is required, regardless of whether your website uses non-standard ports.

    Note
    • You must enable data risk control before you can configure the Mode parameter and protection rules.

    • After data risk control is enabled, all requests that are destined for your website are checked. You can configure a whitelist for the bot management module so that requests that match the whitelist rule bypass the check. For more information, see Configure a whitelist for Bot Management.

    Parameter: Mode

    Description: The mode for data risk control. Valid values:

    • Strict Interception: If WAF detects that your website is under attack, requests are required to pass strict multi-factor authentication.

    • Block: If WAF detects that your website is under attack, requests are required to pass multi-factor authentication.

    • Warn: If WAF detects that your website is under attack, requests are forwarded to your website. However, logs that are related to the requests are generated. You can view the log details in risk reports.

      Note

      By default, the Mode parameter is set to the Warn mode. In this mode, data risk control does not block requests. However, WAF inserts a JavaScript plug-in into static web pages to analyze client behavior.

  5. Add a data risk control rule.

    1. On the Data Risk Control page, click the Protected URL tab and then click Add Protected URL.

    2. In the Add Protected URL dialog box, enter the URL that you want to protect in the Protection Request URL field. For more information, see Introduction to a protected URL.

    3. Click OK.

    A new URL takes effect in approximately 10 minutes. You can view the new URL in the URL list. You can also modify or delete the URL based on your business requirements.

  6. Optional: Specify the web pages into which you want to insert the JavaScript plug-in.

    Specific code of web pages may be incompatible with the JavaScript plug-in. In this case, we recommend that you insert the JavaScript plug-in only into the pages that are compatible with the plug-in.

    Note

    If the JavaScript plug-in is inserted only into the pages that are compatible with the plug-in, data risk control may fail to obtain all user behavior. This reduces the effectiveness of data risk control.

    1. On the Data Risk Control page, click the Pages to Which JavaScript Plug-in are Inserted tab.

    2. Select Insert JavaScript Plug-in into Specific Pages and click Add Webpage.

      Note

      You can add up to 20 URL paths for the web pages.

    3. In the Add URL dialog box, enter the URL paths of the web pages into which you want to insert the JavaScript plug-in and click OK. The URL paths must start with a forward slash (/).

    After you add the URL paths, data risk control inserts the JavaScript plug-in into all web pages in the URL paths.

After you enable data risk control, you can use the Simple Log Service for WAF feature to view the protection results. For more information, see View protection results.

Introduction to a protected URL

A protected URL is the endpoint that is used to perform service operations. A protected URL is different from the URL of a web page. For example, you have a registration page whose URL is www.aliyundoc.com/new_user. The endpoint that you can use to obtain verification codes is www.aliyundoc.com/getsmscode, whereas the endpoint that you can use to register is www.aliyundoc.com/register.do.

In this example, you must add www.aliyundoc.com/getsmscode and www.aliyundoc.com/register.do to WAF as protected URLs. This way, WAF can protect the URLs from SMS flood attacks and spam user registration. If you add www.aliyundoc.com/new_user as a protected URL, common users are also required to pass slider CAPTCHA verification. This affects user experience.

When you configure a protected URL, take note of the following items:

  • Protected URLs support exact match but not fuzzy match.

    For example, if you add www.aliyundoc.com/test as a protected URL, data risk control filters only the requests that are sent to this URL. Data risk control does not filter the requests that are sent to the subdirectories of this URL.

  • Data risk control protects traffic based on website directories.

    If you add www.aliyundoc.com/book/* as a protected URL, data risk control filters the requests that are sent to the web pages in all subdirectories of www.aliyundoc.com/book. We recommend that you do not configure data risk control to monitor the entire website. If you add www.aliyundoc.com/* as a protected URL, common users are required to pass slider CAPTCHA verification before they can visit the website homepage. This affects user experience.

  • Requests that are sent to a protected URL always trigger slider CAPTCHA verification. Make sure that common users cannot directly request a protected URL. Common users are required to pass multi-factor authentication before they can visit the protected URL.

  • Data risk control does not apply to websites that support API operations. API calls are machine actions and cannot pass the slider CAPTCHA verification of data risk control. However, if a common user clicks a button on a page to call an API operation, data risk control works as expected.
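The matching rules described above, as an added example that is not part of this topic or of the WAF implementation: a small Python matcher that applies exact matching to an ordinary protected URL and directory matching to a protected URL that ends in /*. The function names, the scheme prepended before parsing, and the decision to ignore query strings are assumptions made for this example.

```python
"""Protected-URL matching as described in this topic, modelled in Python.

Added example, not the WAF implementation. The two matching rules come from the
topic: a plain protected URL is matched exactly (subdirectories are not covered),
and a protected URL that ends in /* covers every page below that directory.
Function names, the scheme prepended before parsing, and the handling of query
strings are assumptions made for this example.
"""
from __future__ import annotations

from urllib.parse import urlsplit


def split_url(url: str) -> tuple[str, str]:
    """Return (host, path) for a URL written with or without a scheme.

    Protected URLs in this topic are written as 'www.aliyundoc.com/getsmscode',
    so a scheme is prepended before parsing. The query string is dropped:
    a protected URL names an endpoint, not one particular request.
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return parts.netloc.lower(), parts.path or "/"


def matches(rule: str, request_url: str) -> bool:
    """Return True if the request is covered by the protected URL rule."""
    rule_host, rule_path = split_url(rule)
    req_host, req_path = split_url(request_url)
    if rule_host != req_host:
        return False
    if rule_path.endswith("/*"):
        # Directory rule such as /book/*: covers /book and everything under /book/.
        directory = rule_path[:-1]            # '/book/*' -> '/book/'
        return req_path == directory.rstrip("/") or req_path.startswith(directory)
    # Exact rule: no fuzzy matching, so /test does not cover /test/anything.
    return req_path == rule_path


def covering_rule(rules: list[str], request_url: str) -> str | None:
    """Return the first protected URL that covers request_url, or None."""
    for rule in rules:
        if matches(rule, request_url):
            return rule
    return None


if __name__ == "__main__":
    # Constructed rules and requests, based on the URLs used in this topic.
    rules = ["www.aliyundoc.com/getsmscode", "www.aliyundoc.com/register.do",
             "www.aliyundoc.com/book/*"]
    for url in ["www.aliyundoc.com/getsmscode?phone=000",
                "www.aliyundoc.com/register.do",
                "www.aliyundoc.com/register.do/extra",
                "www.aliyundoc.com/book/chapter1/page2",
                "www.aliyundoc.com/bookstore",
                "www.aliyundoc.com/new_user"]:
        print(f"{url:50} -> {covering_rule(rules, url)}")
```

Running the block shows the two cases the topic warns about: www.aliyundoc.com/register.do/extra is not covered by the exact rule, and a directory rule such as www.aliyundoc.com/* would cover the homepage and every other page, which is why the topic advises against it.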

View protection results

You can use the Simple Log Service for WAF feature to view the protection results.

After you enable log collection for a domain name, you can select the Anti-Fraud option in the Advanced Search section on the Log Query tab to view the protection results. For more information, see Query and analyze logs.

Examples

User Tom has a website whose domain name is www.aliyundoc.com. Common users can register as website members at www.aliyundoc.com/register.html. Tom notices that attackers can use malicious scripts to submit registration requests and create accounts. The accounts are used to participate in prize draws that are held by the website. The registration requests are similar to normal requests, and the request rate is maintained at a normal level. In this case, the HTTP flood protection policy cannot identify this type of malicious request.

Sample code

Tom adds the website to WAF and enables data risk control for the www.aliyundoc.com domain name. The URL of the most crucial registration service is www.aliyundoc.com/register.html. Therefore, Tom adds this URL as a protected URL.

Protection results

After the configurations take effect, data risk control inserts a JavaScript plug-in into all web pages of the website. This allows Tom to monitor and analyze the behavior of each user who visits www.aliyundoc.com. The web pages into which a JavaScript plug-in is inserted include the homepage and subpages. Then, data risk control determines whether the behavior of each user is normal. Data risk control also determines whether a source IP address is malicious based on the big data reputation library of Alibaba Cloud.

When a user sends a registration request to www.aliyundoc.com/register.html, WAF determines whether the user is an attacker based on the behavioral and environmental data that is collected about the user from the time when the user visits the website to the time when the user submits the registration request. For example, if a user directly submits a registration request without performing any other operation first, the request is identified as suspicious. Data risk control then handles the request in one of the following ways:

  • If data risk control determines that a request is from a normal user based on the previous behavior of the user, the user can register accounts without the need to pass verification.

  • If data risk control identifies a request as suspicious or the source IP address has a record that the source IP address is used to send malicious requests, slider CAPTCHA verification is triggered to verify the identity of the user. Only a user that passes verification can register accounts.

    If slider CAPTCHA verification captures suspicious user behavior, such as the use of scripts to simulate real user behavior and pass slider CAPTCHA verification, data risk control uses other verification methods to verify the user identity until the user passes verification. Then, the user is identified as a normal user. If the user fails verification, data risk control blocks the request.

During this process, data risk control is enabled for the entire website (www.aliyundoc.com). Data risk control inserts a JavaScript plug-in into all web pages of the website to analyze user behavior. However, protection and verification are required only for www.aliyundoc.com/register.html to which users submit registration requests. Data risk control is triggered only when a registration request is submitted.
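The decision flow in this example, as an added illustration that is neither the WAF risk decision engine nor code from this topic: a toy Python model in which a registration request is challenged when the session submitted it without browsing the site first or when the source IP has a malicious record, and in which Warn mode only logs. The request format, session keying, reputation set and sample sessions are constructed for the example.

```python
"""Toy model of the decision flow described in this example.

Added illustration, not the WAF risk decision engine. It reproduces only the
rules stated in this topic: a registration request submitted to the protected
URL by a session that has not browsed the site first, or from a source IP with
a malicious record, is suspicious; in Warn mode it is logged and forwarded, in
the other modes the user must pass verification. Request format, session
keying, the reputation set and the sample sessions are all constructed here.
"""
from __future__ import annotations

from dataclasses import dataclass, field

PROTECTED_URLS = {"/register.html"}   # the protected URL used in this topic's example
MALICIOUS_IPS = {"203.0.113.7"}       # constructed stand-in for the reputation library


@dataclass
class Request:
    session: str   # assumed: a session id set by the inserted JavaScript plug-in
    ip: str
    method: str
    path: str


@dataclass
class Decision:
    action: str                        # "allow", "challenge" or "block"
    reasons: list[str] = field(default_factory=list)


def assess(history: list[Request], req: Request, mode: str,
           captcha_passed: bool | None = None) -> Decision:
    """Decide how to handle req, given the requests seen before it.

    mode is one of the topic's values: "Warn", "Block" or "Strict Interception".
    captcha_passed is None until the user has answered a challenge.
    """
    # Data risk control is triggered only when a request is submitted to a protected URL.
    if req.method != "POST" or req.path not in PROTECTED_URLS:
        return Decision("allow", ["not a submission to a protected URL"])

    reasons: list[str] = []
    prior_views = [h for h in history if h.session == req.session and h.method == "GET"]
    if not prior_views:
        reasons.append("submitted without visiting any page first")
    if req.ip in MALICIOUS_IPS:
        reasons.append("source IP has a record of malicious requests")
    if not reasons:
        return Decision("allow", ["behaviour consistent with a normal user"])

    if mode == "Warn":
        return Decision("allow", reasons + ["Warn mode: logged, request forwarded"])
    if captcha_passed is None:
        return Decision("challenge", reasons)          # slider CAPTCHA verification
    if captcha_passed:
        return Decision("allow", reasons + ["verification passed"])
    return Decision("block", reasons + ["verification failed"])


def run(requests: list[Request], mode: str) -> list[Decision]:
    """Assess a request stream in order, building up each session's history."""
    history: list[Request] = []
    decisions = []
    for req in requests:
        decisions.append(assess(history, req, mode))
        history.append(req)
    return decisions


# Constructed sample traffic: s1 browses then registers, s2 posts directly
# (script-like), s3 browses first but comes from a bad-reputation IP.
SAMPLE_REQUESTS = [
    Request("s1", "198.51.100.5", "GET", "/"),
    Request("s1", "198.51.100.5", "GET", "/register.html"),
    Request("s1", "198.51.100.5", "POST", "/register.html"),
    Request("s2", "198.51.100.9", "POST", "/register.html"),
    Request("s3", "203.0.113.7", "GET", "/"),
    Request("s3", "203.0.113.7", "POST", "/register.html"),
]


def registration_outcomes(mode: str) -> dict[str, str]:
    """Map each session to the action taken on its registration request."""
    return {req.session: dec.action
            for req, dec in zip(SAMPLE_REQUESTS, run(SAMPLE_REQUESTS, mode))
            if req.method == "POST"}


if __name__ == "__main__":
    for mode in ("Warn", "Block"):
        print(mode, registration_outcomes(mode))
```

Running the block with "Warn" lets every registration through while recording the reasons, which matches the compatibility-test use of Warn mode recommended earlier in this topic; switching to "Block" challenges only the sessions that browsed nothing before submitting or came from the constructed bad-reputation address.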