All Products
Search
Document Center

Dynamic Content Delivery Network:Configure scan protection

Last Updated:Jan 04, 2024

The scan protection module detects the behaviors and characteristics of automated scanners to prevent attackers or scanners from scanning websites. Attack sources are blocked or added to the blacklist. This reduces the risk of intrusions into web services and prevents additional traffic generated by malicious scanners.

Prerequisites

Background information

The scan protection module provides the following types of rules:

  • High-frequency Scanning Blocking: If a source triggers basic protection rules of a protected object multiple times within a short period of time, the source is added to the blacklist. WAF blocks or monitors the requests from the source within a specified period of time.

  • Directory Traversal Blocking: If a source accesses a large number of non-existent directories of a protected object within a short period of time, the source is added to the blacklist. WAF blocks or monitors the requests from the source within a specified period of time.

  • Scanner Blocking: Common scanners are added to the blacklist. The scanners include sqlmap, Acunetix web vulnerability scanner (AWVS), Nessus, HCL AppScan, WebInspect, Netsparker, Nikto, and RSAS. WAF blocks or monitors the requests from the scanners.

Create a scan protection policy

The first time you configure the scan protection module, you must create a scan protection template and configure protection rules.

  1. Log on to the DCDN console.

  2. In the left-side navigation pane, choose WAF > Protection Policies.

  3. On the Protection Policies page, click Create Policy.

  4. On the Create Policy page, configure the parameters. The following table describes the parameters.

    Section

    Parameter

    Description

    Policy Information

    Policy Type

    Select Scan Protection.

    Policy Name

    Enter the name of the policy. The name can be up to 64 characters in length and can contain letters, digits, and underscores (_).

    Make Default

    Specify whether to set this policy as the default policy for the policy type.

    You do not need to configure protected domain names for the default policy. The default policy is applied to all protected domain names that are not associated with custom protection policies, including domain names that have been disassociated from custom protection policies and added after the default policy is applied.

    Note
    • You can specify only one default policy for each type of policy. After you specify a default policy, you cannot change the default policy.

    • If a default policy has been specified for the current policy type, this switch is unavailable.

    Rule Information

    Rule

    Specify the action that you want WAF to perform on the requests that match the protection rule. Valid values:

    • Block: blocks requests that match the rule and returns a block page to the client.

    • Monitor: does not block the request that matches the rule.

    In Monitor mode, you can view the protection performance of the rule and check whether the rule blocks normal requests. Then, you can determine whether to set the Action parameter to Block.

    High-frequency Scanning Blocking

    Status

    Enable or disable high-frequency scanning blocking.

    Default configuration: If an attack source (specified by Block Object, default value: IP) triggers more than 2 protection rules (specified by Triggered Rules) more than 20 times (specified by Trigger Threshold) in 60 seconds (specified by Time Range), the attack source is added to the blacklist for 30 minutes (specified by Blocking Time), and all requests from the attack source are blocked or monitored for 30 minutes based on the configured protection rule.

    You can click Configure to specify custom parameters. For more information, see the following rows.

    Block Object

    Select the type of attack source for which you want to collect statistics. Valid values:

    • IP: collects the frequency at which attacks are initiated from the same client IP address.

    • Session: collects the frequency at which attacks are initiated during different sessions from the same client.

      Note

      WAF uses the setcookie() function to insert cookies that start with acw_tc in responses. This way, sessions from different clients are identified.

    • Custom: collects the frequency at which attacks are initiated by objects that have the same request characteristics. You can use one of the following methods to specify request characteristics:

      • Custom Header: collects the frequency of attack requests that contain a specific header.

      • Custom Parameter: collects the frequency of attack requests that contain a specific parameter.

      • Custom Cookie: collects the frequency of attack requests that contain a specific cookie.

    Time Range

    Specify the period of time during which HTTP requests are detected.

    • Valid values: 5 to 1800.

    • Unit: seconds.

    Trigger Threshold

    Specify the maximum number of times that an object can trigger the basic protection rules of the protected object within the period of time specified by the Time Range parameter.

    Valid values: 3 to 50000.

    Triggered Rules

    Specify the maximum number of basic protection rules that can be triggered by an object within the period of time specified by the Time Range parameter.

    Valid values: 1 to 50.

    Blocking Time

    Specify the period of time during which the requests from the source are blocked.

    • Valid values: 60 to 86400.

    • Unit: seconds.

    Directory Traversal Blocking

    Status

    Enable or disable directory traversal blocking.

    Default configuration: If an attack source (specified by Block Object, default value: IP) requests protected objects more than 50 times (specified by Requests) in 10 seconds (specified by Time Range) and requests more than 50 directories that do not exist (specified by Non-existent Directories), and the percentage of the HTTP 404 status code for the requests exceeds 70% (specified by HTTP 404 Status Code Percentage), the attack source is added to the blacklist for 30 minutes (specified by Blocking Time), and all requests from the attack source are blocked or monitored for 30 minutes based on the configured protection rule.

    You can click Configure to specify custom parameters. For more information, see the following rows.

    Block Object

    Select the type of attack source for which you want to collect statistics. Valid values:

    • IP: collects the frequency at which attacks are initiated from the same client IP address.

    • Session: collects the frequency at which attacks are initiated during different sessions from the same client.

      Note

      WAF uses the setcookie() function to insert cookies that start with acw_tc in responses. This way, sessions from different clients are identified.

    • Custom: collects the frequency at which attacks are initiated by objects that have the same request characteristics. You can use one of the following methods to specify request characteristics:

      • Custom Header: collects the frequency of attack requests that contain a specific header.

      • Custom Parameter: collects the frequency of attack requests that contain a specific parameter.

      • Custom Cookie: collects the frequency of attack requests that contain a specific cookie.

    Time Range

    Specify the period of time during which HTTP requests are detected.

    • Valid values: 5 to 1800.

    • Unit: seconds.

    Requests

    Specify the maximum number of requests that a single object can initiate for a single domain name within the period of time specified by Time Range.

    Valid values: 3 to 50000.

    HTTP 404 Status Code Percentage

    Specify the maximum percentage of HTTP 404 status codes.

    • Valid values: 1 to 100.

    • Unit: %.

    Non-existent Directories

    Specify the maximum number of non-existent directories that an object is allowed to access within the period of time specified by Time Range. The non-existent directories exclude static files such as images.

    Valid values: 2 to 50000.

    Blocking Time

    Specify the period of time during which the requests from the source are blocked.

    • Valid values: 60 to 86400.

    • Unit: seconds.

    Scanner Blocking

    Status

    Enable or disable scanner blocking.

    Protected Domain Names

    Protected Domain Names

    Enter the domain names that you want to associate with the current protection policy.

    Note

    A protected domain name can be associated with only one protection policy of a policy type.

    If a domain name has been associated with a protection policy of a policy type, and you associate the domain name with another protection policy of the policy type, the new protection policy overwrites the existing policy.

  5. Click Create Policy.

    By default, the protection policy that you created is enabled.

Related API operations