Enable malicious IP penalty

Last Updated: Jan 19, 2018


Web applications are hackers’ favorite targets. According to analysis by Alibaba Cloud Security’s big data platform, each Web application that is open to the Internet suffers thousands of Web attacks every day. These attacks include:

  • Network-wide and tool-based bulk scanning
  • Targeted tool-based scanning of a specific user
  • Targeted attacks started and spread manually by hackers

Traditional web application firewall products work in the IP-URL dimension: each request is judged on its own, and when a request is determined to be an attack, only that one request is blocked. However, malicious attackers may scan and attack your website repeatedly. These attackers probe your website for vulnerabilities, study the protection policies, and plan attempts to bypass them.

Function description

To address this problem, Alibaba Cloud Security WAF provides the Malicious IP Penalty function. WAF detects and automatically blocks malicious IP addresses from which the website is attacked repeatedly.

WAF generates its rules for judging malicious IP addresses from a database containing a massive number of malicious IP addresses. This database is backed by the machine learning capability of the Alibaba Cloud platform, which keeps studying and analyzing the attacks and attack frequencies of malicious IP addresses. When an IP address conducts continuous attacks, WAF automatically blocks all access requests from this IP address.
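The difference between blocking single requests and penalizing the source IP address, as an added sketch that is not Alibaba Cloud's implementation. The threshold, window and penalty duration, the regex detector and the sample traffic are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Assumed values; the page does not state the thresholds WAF uses.
THRESHOLD, WINDOW, PENALTY = 3, 60, 300   # attacks, seconds, seconds

# Stand-in per-request detector (a real WAF rule set is far richer).
SQLI = re.compile(r"'|\bunion\b|--", re.I)

class IpPenalty:
    def __init__(self):
        self.hits = defaultdict(deque)   # ip -> times of recent attack requests
        self.blocked_until = {}          # ip -> time the penalty expires

    def handle(self, now, ip, url):
        if self.blocked_until.get(ip, 0) > now:
            return "penalty"             # IP is penalized: drop everything from it
        if not SQLI.search(url):
            return "allowed"
        hits = self.hits[ip]
        hits.append(now)
        while hits[0] <= now - WINDOW:   # forget attacks outside the window
            hits.popleft()
        if len(hits) >= THRESHOLD:       # repeated attacks: penalize the IP
            self.blocked_until[ip] = now + PENALTY
            hits.clear()
        return "blocked"                 # the attack request itself is blocked

# Constructed sample traffic: (seconds, source IP, request URL).
SAMPLE = [
    (0,   "203.0.113.7",  "/item?id=1' OR '1'='1"),
    (5,   "203.0.113.7",  "/item?id=1 UNION SELECT 1"),
    (9,   "198.51.100.4", "/item?id=1"),             # ordinary visitor
    (12,  "203.0.113.7",  "/item?id=1' AND 1=1--"),  # third attack in the window
    (20,  "203.0.113.7",  "/item?id=2"),             # clean-looking probe, same IP
    (400, "203.0.113.7",  "/item?id=2"),             # after the penalty expires
]

def replay(events):
    waf = IpPenalty()
    return [waf.handle(*event) for event in events]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE, replay(SAMPLE)):
        print(verdict.ljust(8), *event)
```

The request at second 20 matches no signature, so a per-request filter would let it through; under the penalty it is dropped because of where it comes from.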


Follow these steps to enable Malicious IP Penalty.

  1. Log on to the Web Application Firewall console and access the Website Configuration page.

  2. Click Policies under the Operation column of the target domain name.

  3. Enable Malicious IP Penalty.

Once the Malicious IP Penalty function is enabled, your website is secured by WAF. WAF detects malicious attacks against the website and automatically blocks them, together with the access requests from their source. This raises the cost for a hacker of starting new attacks.


After enabling the Malicious IP Penalty function, you can use sqlmap (a hacker tool) to perform SQL injection attack scanning on a protected website. The result is as follows.

[Figure: SQL injection attack scanning test]

As the results show, WAF blocks all requests sent from the attacker’s IP address, which prevents further attacks.

With Malicious IP Penalty, WAF effectively blocks attacks from various automated tools and scanners and safeguards your website.

