edit-icon download-icon

Customize HTTP flood protection

Last Updated: Jan 23, 2018

Function description

The Business and Enterprise Editions of WAF support customizing HTTP flood protection. The frequency of certain URLs can be restricted from accessing your server by applying custom protection rules in the console. For example, you can set the following rule: when a single source IP address accesses www.abc.com/login.html for more than 20 times within 10 seconds, block this IP address for one hour.


Follow these steps to customize HTTP Flood Protection rules:

  1. Log on to the Web Application Firewall console and access the Website Configuration page.

  2. Click Policies under the Operation column of the target domain name.

  3. Enable Custom Rules under HTTP Flood Protection, and then click Settings to configure custom rules.

  4. Click New Rule to add a rule. The parameters include:

    • URI: specifies the target URI path (for example, /register). The path can contain parameters connected by “?”. For example, you can use /user?action=login.
    • Matching rules: Exact Match or URI Path Match.
      • For Exact Match, or precise match, the request URI must be exactly the same as the configured URI here to get counted.
      • For URI Path Match, or inclusive match, when the request URI starts with the URI value configured here, the request is counted. For example, /register.html is counted if you use /register as the URI.
    • Interval: specifies the cycle for calculating the number of visits. It works in sync with the Visits from one single IP address.
    • Visits from one single IP address: specifies the number of visits allowed from a single source IP address to the URL during the Interval.
    • Blocking type: specifies the operation to be performed after the conditions are met. The operations can be Block or Human-Machine Identification.
      • Block: to block accesses from the client after the conditions are met.
      • Man-Machine Identification: to access the client with redirection after the conditions are met. Only the verified requests are sent back to the origin.
    • Blocking time: specifies the time period (in minutes) required to block the access.

    custom http flood protection rule

    If you consider the configurations in the preceding figure, a single IP address can access the target address (Exact Match) more than 20 times in 10 seconds, after which the IP access is blocked for 600 minutes.

Thank you! We've received your feedback.