BatchCreateDcdnWafRules - Edge Security Acceleration - Alibaba Cloud Documentation Center

Operation description

Note

The call frequency for this operation is limited to 20 calls per second for each user.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

dcdn:BatchCreateDcdnWafRules

create

*All Resource

*

None

Request parameters

Parameter	Type	Required	Description	Example
PolicyId	integer	Yes	The ID of the mitigation policy.	1000001
RuleConfigs	string	Yes	The configurations of the mitigation rules.	[{"name":"example","action":"monitor","conditions":[{"key":"URL","opValue":"match-one","values":"1,2,3,4,5"},{"key":"Header","opValue":"contain-one","subKey":"example_subkey","values":"6,7,8,9,10"}],"ratelimit":{"target":"header","interval":10,"threshold":5,"ttl":1800,"subKey":"example_subkey","status":{"code":"502","count":5}},"ccStatus":"on","effect":"rule","status":"on"}]

Description of RuleConfigs

RuleConfigs is an array of objects. Each object represents a rule.
The format of RuleConfigs varies based on the mitigation policy type that is associated with the PolicyId.

Scenario 1: WAF (waf_group)

Parameter	Type	Required	Example	Description
status	String	No	on	The status of the rule. Valid values: on and off. The default value is on.
action	String	Yes	block	The action of the rule. Valid values: block and monitor.
wafGroupIds	String	No	1012	The ID of the WAF rule group. The default value is 1012. Separate multiple IDs with commas (,).

Example of waf_group configurations:

// A WAF policy supports only one rule.
[
  {
    "status": "on",
    "action": "block"
  }
]

Scenario 2: Custom rules (custom_acl)

Name	Type	Required	Example	Description
name	string	Yes	acl_1	The name of the rule. The name can contain lowercase letters, uppercase letters, digits (0 to 9), and underscores (_). The name can be up to 64 characters long.
status	string	No	on	Valid values: on and off. The default value is on.
conditions	Condition	Yes	[ {"key": "URI", "subKey": "","opValue": "contain", "values": "/login.php" }]	The conditions that trigger the rule. For more information about the parameters, see Table 1. Condition parameters.
ccStatus	string	Yes	off	Specifies whether to enable rate limiting. Valid values: on and off.
rateLimit	RateLimit	No	{ "target": "Header", "subKey": "User-Agent", "interval": 5, "threshold": 2, "ttl": 1800}	The rate limiting rule. This parameter is required if ccStatus is set to on. For more information about the parameters, see Table 2. RateLimit parameters.
effect	string	No	service	The scope of the rate limiting blacklist. This parameter is required if ccStatus is set to on. Valid values: rule (the current rule) and service (global).
action	string	Yes	deny	The action of the rule. Valid values: deny, js (JavaScript Challenge), and monitor.

Table 1. Condition parameters

Name	Type	Required	Example	Description
Key	string	Yes	Query String Parameter	The match field. For more information, see DescribeDcdnWafFilterInfo.
subKey	string	No	action	The match subfield. For more information, see DescribeDcdnWafFilterInfo.
opValue	String	Yes	eq	The logical operator. For more information, see DescribeDcdnWafFilterInfo.
values	String	No	js	The match content. Separate multiple values with commas (,). For more information, see DescribeDcdnWafFilterInfo.

Table 2. RateLimit parameters

Name	Type	Required	Example	Description
target	string	Yes	Header	The field used for rate limiting statistics. Valid values: IP (requests from the same IP address), Header (requests that contain a specified header), Query String Parameter (requests that contain a specified parameter), Cookie Name (requests that contain a specified cookie), and Session (requests from the same session).
subKey	string	No	User-Agent	The subfield of the statistical field. This parameter is required if target is set to Header, Query String Parameter, or Cookie Name.
Interval	Integer	Yes	5	The statistical period. Valid values: 5 to 1800. Unit: seconds.
threshold	Integer	Yes	2	The statistical threshold. Valid values: 2 to 50000. Unit: times.
ttl	Integer	Yes	1800	The timeout period for the blacklist. Valid values: 60 to 86400. Unit: seconds.
status	RateLimitStatus	No	{"code": "404", "ratio": 10}	Response code statistics. For more information about the parameters, see Table 3. RateLimitStatus parameters.

Table 3. RateLimitStatus parameters

Name	Type	Required	Example	Description
code	string	Yes	404	The HTTP status code.
ratio	Integer	No	10	The percentage of requests that trigger the rule. Valid values: 1 to 100. You can specify either this parameter or count.
count	Integer	No	10	The number of requests that trigger the rule. Valid values: 2 to 50000. You can specify either this parameter or ratio.

Example of custom_acl configurations:

[
  // Access control
  {
    "name": "acl_1",
    "status": "off",
    "conditions":
    [
      {
        "key": "Query String Parameter",
        "subKey": "action",
        "opValue": "eq",
        "values": "js"
      }
    ],
    "ccStatus": "off",
    "action": "js"
  },
  // Rate limiting
  {
    "name": "cc_1",
    "status": "on",
  	"conditions": 
    [
      {
        "key": "URI",
        "subKey": "",
        "opValue": "contain",
        "values": "/login.php"
      },
      {
        "key": "IP",
        "subKey": "",
        "opValue": "ip-contain",
        "values": "192.168.0.1/24"
      }
    ],
    "ccStatus": "on",
    "ratelimit":
    {
      "target": "Header",
      "subKey": "User-Agent",
      "interval": 5,
      "threshold": 2,
      "ttl": 1800,
      "status":
      {
        "code": "404",
        "ratio": 10
      }
    },
    "effect": "service",
    "action": "deny"
  }
]

Scenario 3: Whitelist (whitelist)

Name	Type	Required	Example	Description
name	string	Yes	on	The name of the rule. The name can contain lowercase letters, uppercase letters, digits (0 to 9), and underscores (_). The name can be up to 64 characters long.
status	string	No	on	The status of the rule. Valid values: on (default) and off.
conditions	Condition	Yes	[{ "key": "Http-Method","subKey": "","opValue": "match-one", "values": "GET,POST,DELETE" }]	The conditions that trigger the rule. For more information about the parameters, see Table 1. Condition parameters.
tags	String	Yes	[ "waf_group", "custom_acl"]	A list of mitigation policy types.
regularTypes	String	No	[ [ "sqli", "xss","code_exec", "crlf", "lfilei", "rfilei", "webshell","vvip", "other"]	The type of the regular expression rule. This parameter is available if waf_group is specified for tags. Valid values: "sqli", "xss", "code_exec", "crlf", "lfilei", "rfilei", "webshell", "vvip", and "other".
regularRules	String	No	[ "100001", "100002", "100003"]	The regular expression rule. This parameter is available if waf_group is specified for tags. You can specify either this parameter or regularTypes. The value is a list of six-digit numbers in a string format.

Example of whitelist configurations:

[
  // Skip all scenarios
  {
    "name": "wl_all",
    "status": "on",
    "conditions":
    [
      {
        "key": "Http-Method",
        "subKey": "",
        "opValue": "match-one",
        "values": "GET,POST,DELETE"
      }
    ],
    "tags":
    [
      "waf_group",
      "custom_acl",
      "ip_blacklist",
      "region_block"
    ]
  },
  // Skip specified rule IDs for waf_group
  {
    "name": "wl_waf_id",
    "status": "off",
    "conditions":
    [
      {
        "key": "Cookie Name",
        "subKey": "cdn-sec",
        "opValue": "prefix-match",
        "values": "a7sdsa9dsa8d8sa"
      },
      {
        "key": "Referer",
        "subKey": "",
        "opValue": "none",
        "values": ""
      }
    ],
    "tags":
    [
      "waf_group"
    ],
    "regularRules":
    [
      "100001",
      "100002",
      "100003"
    ]
  },
  {
  // Skip specified rule types for waf_group
    "name": "wl_waf_type",
    "status": "on",
    "conditions":
    [
      {
        "key": "Query String",
        "subKey": "",
        "opValue": "exists",
        "values": ""
      }
    ],
    "tags":
    [
      "waf_group"
    ],
    "regularTypes":
    [
      "sqli",
      "xss",
      "code_exec",
      "crlf",
      "lfilei",
      "rfilei",
      "webshell",
      "vvip",
      "other"
    ]
  },
  // Skip custom rules
  {
    "name": "wl_custom_acl",
    "status": "on",
    "conditions":
    [
      {
        "key": "Http-Method",
        "subKey": "",
        "opValue": "match-one",
        "values": "GET,POST,DELETE"
      }
    ],
    "tags":
    [
      "custom_acl"
    ]
  },
  // Skip the IP blacklist
  {
    "name": "wl_ip_blacklist",
    "status": "on",
    "conditions":
    [
      {
        "key": "Http-Method",
        "subKey": "",
        "opValue": "match-one",
        "values": "GET,POST,DELETE"
      }
    ],
    "tags":
    [
      "ip_blacklist"
    ]
  },
  // Skip the location blacklist
  {
    "name": "wl_region_block",
    "status": "on",
    "conditions":
    [
      {
        "key": "Http-Method",
        "subKey": "",
        "opValue": "match-one",
        "values": "GET,POST,DELETE"
      }
    ],
    "tags":
    [
      "region_block"
    ]
  }
]

Scenario 4: IP blacklist (ip_blacklist)

Name	Type	Required	Example	Description
name	string	Yes	ipblacklist	The name of the rule. The name can contain lowercase letters, uppercase letters, digits (0 to 9), and underscores (_). The name can be up to 64 characters long.
status	string	No	on	The status of the rule. Valid values: on and off. The default value is on.
remoteAddr	[]String	Yes	["192.168.0.1","10.10.10.10/24","::1","abcd::abcd","BCDE::BCDE"]	The IP addresses to filter. For more information, see DescribeDcdnWafFilterInfo.
action	string	Yes	deny	The action of the rule. Valid values: deny and monitor.

Example of ip_blacklist configurations:

[
    {
    "name": "ipblacklist",
    "status": "on",
    "remoteAddr": ["192.168.0.1","10.10.10.10/24","::1","abcd::abcd","BCDE::BCDE"],
    "action": "deny"
  }
]

Scenario 5: Location blacklist (region_block)

Name	Type	Required	Example	Description
status	string	No	on	The status of the rule. Valid values: on and off. The default value is on.
cnRegionList	string	No	110000,TW,MO	The regions in mainland China to block. Separate multiple regions with commas (,). For more information about the supported regions, see DescribeDcdnWafGeoInfo.
otherRegionList	string	No	JP,GB	The regions outside mainland China to block. Separate multiple regions with commas (,). For more information about the supported regions, see DescribeDcdnWafGeoInfo.
action	string	Yes	deny	The action of the rule. Valid values: deny and monitor.

Note

You must specify at least one of cnRegionList and otherRegionList.

Example of region_block configurations:

[
    {
    "status": "on",
    "cnRegionList": "110000,TW,MO",
    "otherRegionList": "JP,GB",
    "action": "deny"
  }
]

Scenario 6: Bot management (bot)

Rule template

All rules include the following four parameters. For more information about the valid values, see the description of each rule classification.

Parameter	Type	Required	Description
type	String	Yes	The type of the rule. For more information, see the specific rule classification.
status	String	Yes	The status of the rule. Valid values: on and off.
config	TargetType	No	The rule configurations. For more information, see the specific rule classification.
action	String	No	The action of the rule. For more information, see the specific rule classification.

Rule classification 1: Protected object type

Parameter	Type	Required	Example	Description
type	String	Yes	target_type	The type of the rule. Set the value to target_type.
status	String	Yes	on	The status of the rule. Set the value to on.
config	TargetType	No	{"target":"app"}	The rule configurations. Format: target: The protected object type. This parameter is required. Valid values: web and app.
action	String	No	empty	The action of the rule. This parameter is not applicable. Leave it empty.

Example of protected object type configurations:

[
  {
    "type":"target_type",
    "status":"on",
    "config":{"target":"app"},
    "action":""
  }
]

Rule classification 2: Web SDK integration

Parameter	Type	Required	Example	Description
type	String	Yes	web_sdk	The type of the rule. Set the value to web_sdk.
status	String	Yes	on	The status of the rule. Set the value to on.
config	WebSdk	No	{"mode":"automatic","crossDomain":"example.com"}	The rule configurations. Format: mode: The integration mode of the web software development kit (SDK). This parameter is required. Valid values: automatic and manual. crossDomain: The cross-domain domain name for the call. This parameter is optional and takes effect only if mode is set to automatic.
action	String	No	empty	The action of the rule. This parameter is not applicable. Leave it empty.

Example of Web SDK integration configurations:

[
  {
    "type":"web_sdk",
    "status":"on",
    "config":{"mode":"automatic","crossDomain":"example.com"},
    "action":""
  }
]

Rule classification 3: Protected object feature

Parameter	Type	Required	Example	Description
type	String	Yes	traffic_feature	The type of the rule. Set the value to traffic_feature.
status	String	Yes	on	The status of the rule. Set the value to on.
config	TrafficFeature	Yes	{"conditions":[{"key":"Header","subKey":"User-Agent","opValue":"contain","values":"Chrome"},{"key":"IP","subKey":"","opValue":"ip-contain","values":"192.168.0.1/24"}]}	The rule configurations. For more information, see condition.
action	String	No	empty	The action of the rule. This parameter is not applicable. Leave it empty.

condition (match conditions)

Parameter	Type	Required	Example	Description
key	String	Yes	Header	The match field. For more information, see DescribeDcdnWafFilterInfo.
subKey	String	No	User-Agent	The match subfield. For more information, see DescribeDcdnWafFilterInfo.
opValue	String	Yes	contain	The operator. For more information, see DescribeDcdnWafFilterInfo.
values	String	No	Chrome	The match content. Separate multiple values with commas (,). For more information, see DescribeDcdnWafFilterInfo.

Example of protected object feature configurations:

[
  {
    "type":"traffic_feature",
    "status":"on",
    "config":{"conditions":[{"key":"Header","subKey":"User-Agent","opValue":"contain","values":"Chrome"},{"key":"IP","subKey":"","opValue":"ip-contain","values":"192.168.0.1/24"}]},
    "action":""
  }
]

Rule classification 4: Legitimate bot management

Parameter	Type	Required	Example	Description
type	String	Yes	intelligence_crawler	The type of the rule. Set the value to intelligence_crawler.
status	String	Yes	on	The status of the rule. Set the value to on.
config	IntelligenceCrawler	No	{"name":"intelligence_crawler_baidu"}	The rule configurations. For more information, see name (search engine spider whitelist).
action	String	Yes	bypass	The action of the rule. Set the value to bypass.

name (search engine spider whitelist)

Parameter value	Meaning
intelligence_crawler_all	Legitimate search engine whitelist (Google, Bing, Baidu, Sogou, 360, and Yandex)
intelligence_crawler_baidu	Baidu spider whitelist
intelligence_crawler_sogou	Sogou spider whitelist
intelligence_crawler_360	360 spider whitelist
intelligence_crawler_google	Google spider whitelist
intelligence_crawler_bing	Bing spider whitelist
intelligence_crawler_yandex	Yandex spider whitelist

Example of legitimate bot management configurations:

[
  {
    "type":"intelligence_crawler",
    "status":"on",
    "config":{"name":"intelligence_crawler_baidu"},
    "action":"bypass"
  },
  {
    "type":"intelligence_crawler",
    "status":"on",
    "config":{"name":"intelligence_crawler_google"},
    "action":"bypass"
  }
]

Rule classification 5: Simple script filtering (JavaScript Challenge)

Parameter	Type	Required	Example	Description
type	String	Yes	js	The type of the rule. Set the value to js.
status	String	Yes	on	The status of the rule. Valid values: on and off.
config	Js	No	empty	The rule configurations. This parameter is not applicable. Leave it empty.
action	String	Yes	js	The action of the rule. Set the value to js (JavaScript Challenge).

Example of simple script filtering (JavaScript Challenge) configurations:

[
  {
    "type":"js",
    "status":"on",
    "config":{},
    "action":"js"
  }
]

Rule classification 6: Advanced bot defense (dynamic token challenge)

Parameter	Type	Required	Example	Description
type	String	Yes	sigchl	The type of the rule. Set the value to sigchl.
status	String	Yes	on	The status of the rule. Valid values: on and off.
config	Sigchl	No	{"sigchl":["sig","replay","driver"]}	The rule configurations. Format: sigchl: The request data signature verification. This parameter is required. Valid values: sig (abnormal signature), replay (abnormal timestamp), and driver (WebDriver attack).
action	String	Yes	sigchl	The action of the rule. Set the value to sigchl (block).

Example of advanced bot defense (dynamic token challenge) configurations:

[
  {
    "type":"sigchl",
    "status":"on",
    "config":{"sigchl":["sig","replay","driver"]},
    "action":"sigchl"
  }
]

Rule classification 7: AI-powered protection

Parameter	Type	Required	Example	Description
type	String	Yes	algorithm	The type of the rule. Set the value to algorithm.
status	String	Yes	on	The status of the rule. Valid values: on and off.
config	Algorithm	No	empty	The rule configurations. This parameter is not applicable. Leave it empty.
action	String	Yes	captcha	The action of the rule. Valid values: monitor and captcha (slider CAPTCHA).

Example of AI-powered protection configurations:

[
  {
    "type":"algorithm",
    "status":"on",
    "config":{},
    "action":"captcha"
  }
]

Rule classification 8: IP rate limiting

Parameter	Type	Required	Example	Description
type	String	Yes	custom_cc_ip	The type of the rule. Set the value to custom_cc_ip.
status	String	Yes	on	The status of the rule. Valid values: on and off.
config	CustomCcIp	Yes	{"interval":20,"target":"IP","threshold":50,"ttl":2800}	The rule configurations. For more information, see IP rate limiting config parameters.
action	String	Yes	monitor	The action of the rule. Valid values: deny, monitor, and captcha (slider, for web only).

IP rate limiting configuration parameters

Parameter	Type	Required	Example	Description
target	String	Yes	IP	The statistical field for rate limiting. Set the value to IP.
subKey	String	No	empty	The subfield of the statistical field. This parameter is not applicable. Leave it empty.
Interval	Integer	Yes	20	The statistical period. Valid values: 5 to 1800. Unit: seconds.
threshold	Integer	Yes	50	The statistical threshold. Valid values: 2 to 50000. Unit: times.
ttl	Integer	Yes	2800	The timeout period for the blacklist. Valid values: 60 to 86400. Unit: seconds.

Example of IP rate limiting configurations:

[
  {
    "type":"custom_cc_ip",
    "status":"on",
    "config":{"interval":20,"target":"IP","threshold":50,"ttl":2800},
    "action":"monitor"
  },
  {
    "type":"custom_cc_ip",
    "status":"on",
    "config":{"interval":10,"target":"IP","threshold":30,"ttl":1800},
    "action":"monitor"
  }
]

Rule classification 9: Device rate limiting

Parameter	Type	Required	Example	Description
type	String	Yes	custom_cc_dev	The type of the rule. Set the value to custom_cc_dev.
status	String	Yes	on	The status of the rule. Valid values: on and off.
config	CustomCcDev	Yes	{"interval":20,"target":"Header","subKey":"aliwaf_wxbb_umid","threshold":50,"ttl":2800}	The rule configurations. For more information, see Device rate limiting config parameters.
action	String	Yes	monitor	The action of the rule. Valid values: deny and monitor.

Device rate limiting configuration parameters

Parameter	Type	Required	Example	Description
target	String	Yes	Header	The statistical field for rate limiting. Set the value to Header.
subKey	String	No	aliwaf_wxbb_umid	The subfield of the statistical field. Set the value to aliwaf_wxbb_umid.
Interval	Integer	Yes	20	The statistical period. Valid values: 5 to 1800. Unit: seconds.
threshold	Integer	Yes	50	The statistical threshold. Valid values: 2 to 50000. Unit: times.
ttl	Integer	Yes	2800	The timeout period for the blacklist. Valid values: 60 to 86400. Unit: seconds.

Example of device rate limiting configurations:

[
  {
    "type":"custom_cc_dev",
    "status":"on",
    "config":{"interval":20,"target":"Header","subKey":"aliwaf_wxbb_umid","threshold":50,"ttl":2800},
    "action":"monitor"
  },
  {
    "type":"custom_cc_dev",
    "status":"on",
    "config":{"interval":20,"target":"Header","subKey":"aliwaf_wxbb_umid","threshold":50,"ttl":2800},
    "action":"deny"
  }
]

Rule classification 10: Custom session rate limiting

Parameter	Type	Required	Example	Description
type	String	Yes	custom_cc	The type of the rule. Set the value to custom_cc.
status	String	Yes	on	The status of the rule. Valid values: on and off.
config	CustomCcIp	Yes	{"interval":10,"target":"Query String Parameter","subKey":"arg","threshold":30,"ttl":1800}	The rule configurations. For more information, see Custom session rate limiting config parameters.
action	String	Yes	monitor	The action of the rule. Valid values: deny, monitor, and captcha (slider, for web only).

Custom session rate limiting configuration parameters

Parameter	Type	Required	Example	Description
target	String	Yes	Query String Parameter	The field used for rate limiting statistics. Valid values: Header (requests that contain a specified header), Query String Parameter (requests that contain a specified parameter), Cookie Name (requests that contain a specified cookie), and Session (requests from the same session).
subKey	String	No	arg	The subfield of the statistical field. This is a custom field.
Interval	Integer	Yes	10	The statistical period. Valid values: 5 to 1800. Unit: seconds.
threshold	Integer	Yes	30	The statistical threshold. Valid values: 2 to 50000. Unit: times.
ttl	Integer	Yes	2800	The timeout period for the blacklist. Valid values: 60 to 86400. Unit: seconds.

Example of custom session rate limiting configurations:

[
  {
    "type":"custom_cc",
    "status":"on",
    "config":{"interval":10,"target":"Query String Parameter","subKey":"arg","threshold":30,"ttl":1800},
    "action":"deny"
  },
  {
    "type":"custom_cc",
    "status":"on",
    "config":{"interval":10,"target":"Query String Parameter","subKey":"arg","threshold":30,"ttl":1800},
    "action":"captcha"
  }
]

Rule classification 11: Bot threat intelligence library

Parameter	Type	Required	Example	Description
type	String	Yes	intelligence	The type of the rule. Set the value to intelligence.
status	String	Yes	on	The status of the rule. Valid values: on and off.
config	Intelligence	No	empty	The rule configurations. This parameter is not applicable. Leave it empty.
action	String	Yes	captcha	The action of the rule. Valid values: monitor and captcha (slider CAPTCHA).

Example of bot threat intelligence library configurations:

[
  {
    "type":"intelligence",
    "status":"on",
    "config":{},
    "action":"captcha"
  }
]

Rule classification 12: IDC blacklist blocking

Parameter	Type	Required	Example	Description
type	String	Yes	intelligence_idc	The type of the rule. Set the value to intelligence_idc.
status	String	Yes	on	The status of the rule. Valid values: on and off.
config	IntelligenceIdc	Yes	{"name":"intelligence_idc_alibaba"}	The rule configurations. For more information, see name parameters.
action	String	Yes	captcha	The action of the rule. Valid values: deny, monitor, and captcha (slider CAPTCHA).

name parameters

Parameter value	Meaning
intelligence_idc_alibaba	IDC IP library - Alibaba Cloud
intelligence_idc_tencent	IDC IP library - Tencent Cloud
intelligence_idc_mtyun	IDC IP library - Meituan Cloud
intelligence_idc_vnet	IDC IP library - 21Vianet
intelligence_idc_other	IDC IP library - Other

Example of IDC blacklist blocking configurations:

[
  {
    "type":"intelligence_idc",
    "status":"on",
    "config":{"name":"intelligence_idc_alibaba"},
    "action":"captcha"
  },
  {
    "type":"intelligence_idc",
    "status":"on",
    "config":{"name":"intelligence_idc_tencent"},
    "action":"captcha"
  }
]

Rule classification 13: Forged spider blocking

Parameter	Type	Required	Example	Description
type	String	Yes	intelligence_fake_crawler	The type of the rule. Set the value to intelligence_fake_crawler.
status	String	Yes	on	The status of the rule. Valid values: on and off.
config	IntelligenceFakeCrawler	No	empty	The rule configurations. This parameter is not applicable. Leave it empty.
action	String	Yes	deny	The action of the rule. Set the value to deny.

Example of forged spider blocking configurations:

[
  {
    "type": "intelligence_fake_crawler",
    "status": "on",
    "config":{},
    "action": "deny"
  }
]

Rule classification 14: Bot feature detection

Parameter	Type	Required	Example	Description
type	String	Yes	app_sdk	The type of the rule. Set the value to app_sdk.
status	String	Yes	on	The status of the rule. Set the value to on.
config	AppSdk	Yes	{"featureAbnormal":["simulator","proxy","root","debugged","hook","virtual","antiReplay","signInvalid"],"customSignStatus":"on","customSign":{"key":"header","value":"ua"}}	The rule configurations. For more information, see Bot feature detection config parameters.
action	String	Yes	monitor	The action of the rule. Valid values: deny and monitor.

Bot feature detection configuration parameters

Parameter	Type	Required	Example	Description
featureAbnormal	[]String	Yes	simulator	signInvalid: The app signature is abnormal. antiReplay: The signature is expired. simulator: An emulator is used. proxy: A proxy is used. root: The device is rooted. debugged: Debug mode is enabled. hook: The app is hooked. virtual: The app is multi-opened.
customSignStatus	String	No	on	Specifies whether to enable the custom signing field. Valid values: on and off.
customSign	CustomSign	No	{"key":"header","value":"ua"}	The custom signing field. Format: key: The field name. This parameter is required. Valid values: header, arg, and cookie. value: The field value. This parameter is required.

Example of bot feature detection configurations:

[
  {
    "type": "app_sdk",
    "status": "on",
    "config": {"featureAbnormal":["simulator","proxy","root","debugged","hook","virtual","antiReplay","signInvalid"],"customSignStatus":"on","customSign":{"key":"header","value":"ua"}},
    "action": "monitor"
  }
]

Rule classification 15: Advanced mitigation (repackaging detection)

Parameter	Type	Required	Example	Description
type	String	Yes	app_package	The type of the rule. Set the value to app_package.
status	String	Yes	on	The status of the rule. Set the value to on.
config	AppPackage	No	{"packageSigns":[{"name":"aaaaa","sign":"bbbb"},{"name":"cccc","sign":"dddd"}]}	The rule configurations. For more information, see packageSigns parameters.
action	String	Yes	monitor	The action of the rule. Valid values: deny and monitor.

packageSigns parameters

Parameter	Type	Required	Example	Description
name	String	Yes	aaaaa	The legitimate package name.
sign	String	No	bbbb	The package signature.

Example of advanced mitigation (repackaging detection) configurations:

[
  {
    "type": "app_package",
    "status": "on",
    "config": {"packageSigns":[{"name":"aaaaa","sign":"bbbb"},{"name":"cccc","sign":"dddd"}]},
    "action": "deny"
  }
]

Example of combined parameter configurations for bot management on web pages or browsers

[
    {
        "type": "target_type",
        "status": "on",
        "config":
        {
            "target": "web"
        },
        "action": ""
    },
    {
        "type": "web_sdk",
        "status": "on",
        "config":
        {
            "mode": "automatic",
            "crossDomain": "example.com"
        },
        "action": ""
    },
    {
        "type": "traffic_feature",
        "status": "on",
        "config":
        {
            "conditions":
            [
                {
                    "key": "Header",
                    "subKey": "User-Agent",
                    "opValue": "contain",
                    "values": "Chrome"
                },
                {
                    "key": "IP",
                    "subKey": "",
                    "opValue": "ip-contain",
                    "values": "192.168.0.1/24"
                }
            ]
        },
        "action": ""
    },
    {
        "type": "intelligence_crawler",
        "status": "on",
        "config":
        {
            "name": "intelligence_crawler_baidu"
        },
        "action": "bypass"
    },
    {
        "type": "intelligence_crawler",
        "status": "on",
        "config":
        {
            "name": "intelligence_crawler_google"
        },
        "action": "bypass"
    },
    {
        "type": "js",
        "status": "on",
        "config":
        {},
        "action": "js"
    },
    {
        "type": "sigchl",
        "status": "on",
        "config":
        {
            "sigchl":
            [
                "sig",
                "replay",
                "driver"
            ]
        },
        "action": "sigchl"
    },
    {
        "type": "algorithm",
        "status": "on",
        "config":
        {},
        "action": "captcha"
    },
    {
        "type": "custom_cc_ip",
        "status": "on",
        "config":
        {
            "interval": 20,
            "target": "IP",
            "threshold": 50,
            "ttl": 2800
        },
        "action": "monitor"
    },
    {
        "type": "custom_cc_ip",
        "status": "on",
        "config":
        {
            "interval": 10,
            "target": "IP",
            "threshold": 30,
            "ttl": 1800
        },
        "action": "monitor"
    },
    {
        "type": "custom_cc",
        "status": "on",
        "config":
        {
            "interval": 10,
            "target": "Query String Parameter",
            "subKey": "arg",
            "threshold": 30,
            "ttl": 1800
        },
        "action": "deny"
    },
    {
        "type": "custom_cc",
        "status": "on",
        "config":
        {
            "interval": 10,
            "target": "Query String Parameter",
            "subKey": "arg",
            "threshold": 30,
            "ttl": 1800
        },
        "action": "captcha"
    },
    {
        "type": "intelligence",
        "status": "on",
        "config":
        {},
        "action": "captcha"
    },
    {
        "type": "intelligence_idc",
        "status": "on",
        "config":
        {
            "name": "intelligence_idc_alibaba"
        },
        "action": "captcha"
    },
    {
        "type": "intelligence_idc",
        "status": "on",
        "config":
        {
            "name": "intelligence_idc_tencent"
        },
        "action": "captcha"
    },
    {
        "type": "intelligence_fake_crawler",
        "status": "on",
        "config":
        {},
        "action": "deny"
    }
]

Example of combined parameter configurations for bot management in apps

[
    {
        "type": "target_type",
        "status": "on",
        "config":
        {
            "target": "app"
        },
        "action": ""
    },
    {
        "type": "traffic_feature",
        "status": "on",
        "config":
        {
            "conditions":
            [
                {
                    "key": "Header",
                    "subKey": "User-Agent",
                    "opValue": "contain",
                    "values": "Chrome"
                },
                {
                    "key": "IP",
                    "subKey": "",
                    "opValue": "ip-contain",
                    "values": "192.168.0.1/24"
                }
            ]
        },
        "action": ""
    },
    {
        "type": "custom_cc_ip",
        "status": "on",
        "config":
        {
            "interval": 20,
            "target": "IP",
            "threshold": 50,
            "ttl": 2800
        },
        "action": "monitor"
    },
    {
        "type": "custom_cc_ip",
        "status": "on",
        "config":
        {
            "interval": 10,
            "target": "IP",
            "threshold": 30,
            "ttl": 1800
        },
        "action": "monitor"
    },
    {
        "type": "custom_cc_dev",
        "status": "on",
        "config":
        {
            "interval": 20,
            "target": "Header",
            "subKey": "aliwaf_wxbb_umid",
            "threshold": 50,
            "ttl": 2800
        },
        "action": "monitor"
    },
    {
        "type": "custom_cc_dev",
        "status": "on",
        "config":
        {
            "interval": 20,
            "target": "Header",
            "subKey": "aliwaf_wxbb_umid",
            "threshold": 50,
            "ttl": 2800
        },
        "action": "deny"
    },
    {
        "type": "custom_cc",
        "status": "on",
        "config":
        {
            "interval": 10,
            "target": "Query String Parameter",
            "subKey": "arg",
            "threshold": 30,
            "ttl": 1800
        },
        "action": "monitor"
    },
    {
        "type": "custom_cc",
        "status": "on",
        "config":
        {
            "interval": 10,
            "target": "Query String Parameter",
            "subKey": "arg",
            "threshold": 30,
            "ttl": 1800
        },
        "action": "deny"
    },
    {
        "type": "app_sdk",
        "status": "on",
        "config":
        {
            "featureAbnormal":
            [
                "simulator",
                "proxy",
                "root",
                "debugged",
                "hook",
                "virtual",
                "antiReplay",
                "signInvalid"
            ],
            "customSignStatus": "on",
            "customSign":
            {
                "key": "header",
                "value": "ua"
            }
        },
        "action": "monitor"
    },
    {
        "type": "app_package",
        "status": "on",
        "config":
        {
            "packageSigns":
            [
                {
                    "name": "aaaaa",
                    "sign": "bbbb"
                },
                {
                    "name": "cccc",
                    "sign": "dddd"
                }
            ]
        },
        "action": "deny"
    }
]

Scenario 7: Scan protection (anti_scan)

Rule template

All rules include the following four parameters. For more information about the valid values, see the description of each rule classification.

Parameter	Type	Required	Description
type	String	Yes	The type of the rule. For more information, see the specific rule classification.
status	String	No	The status of the rule. Valid values: on and off.
config	Type	No	The rule configurations. For more information, see the specific rule classification.
action	String	No	The action of the rule. For more information, see the specific rule classification.

Rule classification 1: High-frequency scan blocking

Parameter	Type	Required	Example	Description
type	String	Yes	high_frequency	The type of the rule. Set the value to high_frequency.
status	String	Yes	on	The status of the rule. Valid values: on and off. The default value is on.
config	HighFrequency	No	{"target":"IP","interval":20,"wafBlockThreshold":20,"ttl":1800,"distinctWafRuleThreshold":2}	The rule configurations. For more information, see the following struct string.
action	String	No	deny	The action of the rule. Valid values: deny and monitor.

HighFrequency parameters

Parameter	Type	Required	Example	Description
target	String	Yes	IP	The field for rate limiting statistics. Valid values: IP, Session, Header, Query String Parameter, and Cookie Name.
subKey	String	No	yoursubKey	The subfield of the statistical field. This parameter is available if you use a custom field. For example, if target is set to Header, this parameter specifies the key of the header.
interval	Integer	Yes	20	The detection period. Valid values: 5 to 1800. Unit: seconds.
wafBlockThreshold	Integer	Yes	20	The number of times the basic protection rule is triggered. Valid values: 3 to 50000.
ttl	Integer	Yes	1800	The blocking duration. Valid values: 60 to 86400. Unit: seconds.
distinctWafRuleThreshold	Integer	Yes	2	The number of triggered rules is greater than this value. Valid values: 1 to 50.

[
  {
    "type":"high_frequency",
    "status":"on",
    "config":{"target":"IP","interval":20,"wafBlockThreshold":20,"ttl":1800,"distinctWafRuleThreshold":2},
    "action":"deny"
  }
]

Rule classification 2: Directory traversal blocking

Parameter	Type	Required	Example	Description
type	String	Yes	directory_traversal	The type of the rule. Set the value to directory_traversal.
status	String	Yes	on	The status of the rule. Valid values: on and off. The default value is on.
config	DirectoryTraversal	No	{"target":"IP","interval":10,"threshold":50,"status":{"code":"404","ratio":70,"count":50},"ttl":1800}	The rule configurations. For more information, see the following struct string.
action	String	No	deny	The action of the rule. Valid values: deny and monitor.

DirectoryTraversal parameters

Parameter	Type	Required	Example	Description
target	String	Yes	IP	The field for rate limiting statistics. Valid values: IP, Session, Header, Query String Parameter, and Cookie Name.
subKey	String	No	yoursubKey	The subfield of the statistical field. This parameter is available if you use a custom field. For example, if target is set to Header, this parameter specifies the key of the header.
interval	Integer	Yes	10	The detection period. Valid values: 5 to 1800. Unit: seconds.
threshold	Integer	Yes	50	The number of requests for the current protected object exceeds this value. Valid values: 2 to 50000.
status	RateLimitStatus	Yes	{"code":"404","ratio":70,"count":50}	The response code.
ttl	Integer	Yes	1800	The blocking duration. Valid values: 60 to 86400. Unit: seconds.

RateLimitStatus parameters

Parameter	Type	Required	Example	Description
code	String	Yes	404	The HTTP status code. Set the value to 404.
ratio	Integer	Yes	70	The percentage of 404 responses. Valid values: 1 to 100.
count	Integer	Yes	50	The number of non-existent directories. Valid values: 2 to 50000.

[
  {
    "type":"directory_traversal",
    "status":"on",
    "config":{"target":"IP","interval":10,"threshold":50,"status":{"code":"404","ratio":70,"count":50},"ttl":1800},
    "action":"deny"
  }
]

Rule classification 3: Scan tool blocking

Parameter	Type	Required	Example	Description
type	String	Yes	scan_tools	The type of the rule. Set the value to scan_tools.
status	String	Yes	on	The status of the rule. Valid values: on and off. The default value is on.
config	ScanTools	No	Empty	The rule configurations. This parameter is not applicable.
action	String	No	deny	The action of the rule. Valid values: deny and monitor.

[
  {
    "type":"scan_tools",
    "status":"on",
    "config":{},
    "action":"deny"
  }
]

Final combined parameters

[
    {
    "type":"high_frequency",
    "status":"on",
    "config":{"target":"IP","interval":20,"wafBlockThreshold":20,"ttl":1800,"distinctWafRuleThreshold":2},
    "action":"deny"
  },
  {
    "type":"directory_traversal",
    "status":"on",
    "config":{"target":"IP","interval":10,"threshold":50,"status":{"code":"404","ratio":70,"count":50},"ttl":1800},
    "action":"deny"
  },
  {
    "type":"scan_tools",
    "status":"on",
    "config":{},
    "action":"deny"
  }
]

Response parameters

Parameter	Type	Description	Example
	object
RequestId	string	The request ID.	CB1A380B-09F0-41BB-280B-72F8FD6DA2FE
RuleIds	object
RuleId	array
	string	The IDs of the created rules.	100001,200002

Examples

Success response

JSON format

{
  "RequestId": "CB1A380B-09F0-41BB-280B-72F8FD6DA2FE",
  "RuleIds": {
    "RuleId": [
      "100001,200002"
    ]
  }
}

Error codes

HTTP status code	Error code	Error message	Description
400	InvalidParameter	The specified parameter is invalid.	A parameter is set to an invalid value.
400	Policy.NotExist	The specified policy does not exist.	The specified protection policy does not exist.
400	RuleConfigs.Malformed	The specified RuleConfigs format is invalid.	The RuleConfigs parameter is in an invalid format.
400	RuleName.AlreadyExists	Rule name already exists in specified policy.	The specified rule name is already used by another rule.
400	Rule.QuantityOverflow	Rules are overflowed quantity in specified policy.	The number of rules in the specified policy has already reached the upper limit.
500	InternalError	An internal error occurred; please try again later.	An internal error occurred. Try again later. If the error persists, submit a ticket.
403	%s.NotSupport	The specified resource type %s is not supported.	The specified resource type is not supported. To use this type of resource, contact us.
403	%s.OverQuota	The quantity of %s exceeds the quota.	The number of resources exceeds the quota. If you want to apply for more resources, contact us.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.