Dynamic Content Delivery Network:Configure scan protection

Prerequisites

• Web Application Firewall (WAF) is enabled. For more information, see Getting started with WAF (new edition).

• The domain name that you want to protect is added to WAF. For more information, see Add a domain name for protection.

Background information

Create a scan protection policy

The first time you configure the scan protection module, you must create a scan protection template and configure protection rules.

1. Log on to the DCDN console.

2. In the left-side navigation pane, choose WAF > Protection Policies.

3. On the Protection Policies page, click Create Policy.

4. On the Create Policy page, configure the parameters. The following table describes the parameters.

   Section	Parameter	Description
   Policy Information	Policy Type	Select Scan Protection.
   	Policy Name	Enter the name of the policy. The name can be up to 64 characters in length and can contain letters, digits, and underscores (_).
   	Make Default	Specify whether to set this policy as the default policy for the policy type. You do not need to configure protected domain names for the default policy. The default policy is applied to all protected domain names that are not associated with custom protection policies, including domain names that have been disassociated from custom protection policies and added after the default policy is applied. Note You can specify only one default policy for each type of policy. After you specify a default policy, you cannot change the default policy. If a default policy has been specified for the current policy type, this switch is unavailable.
   Rule Information	Rule	Specify the action that you want WAF to perform on the requests that match the protection rule. Valid values: Block: blocks requests that match the rule and returns a block page to the client. Monitor: does not block the request that matches the rule. In Monitor mode, you can view the protection performance of the rule and check whether the rule blocks normal requests. Then, you can determine whether to set the Action parameter to Block.
   High-frequency Scanning Blocking	Status	Enable or disable high-frequency scanning blocking. Default configuration: If an attack source (specified by Block Object, default value: IP) triggers more than 2 protection rules (specified by Triggered Rules) more than 20 times (specified by Trigger Threshold) in 60 seconds (specified by Time Range), the attack source is added to the blacklist for 30 minutes (specified by Blocking Time), and all requests from the attack source are blocked or monitored for 30 minutes based on the configured protection rule. You can click Configure to specify custom parameters. For more information, see the following rows.
   	Block Object	Select the type of attack source for which you want to collect statistics. Valid values: IP: collects the frequency at which attacks are initiated from the same client IP address. Session: collects the frequency at which attacks are initiated during different sessions from the same client. Note WAF uses the setcookie() function to insert cookies that start with acw_tc in responses. This way, sessions from different clients are identified. Custom: collects the frequency at which attacks are initiated by objects that have the same request characteristics. You can use one of the following methods to specify request characteristics: Custom Header: collects the frequency of attack requests that contain a specific header. Custom Parameter: collects the frequency of attack requests that contain a specific parameter. Custom Cookie: collects the frequency of attack requests that contain a specific cookie.
   	Time Range	Specify the period of time during which HTTP requests are detected. Valid values: 5 to 1800. Unit: seconds.
   	Trigger Threshold	Specify the maximum number of times that an object can trigger the basic protection rules of the protected object within the period of time specified by the Time Range parameter. Valid values: 3 to 50000.
   	Triggered Rules	Specify the maximum number of basic protection rules that can be triggered by an object within the period of time specified by the Time Range parameter. Valid values: 1 to 50.
   	Blocking Time	Specify the period of time during which the requests from the source are blocked. Valid values: 60 to 86400. Unit: seconds.
   Directory Traversal Blocking	Status	Enable or disable directory traversal blocking. Default configuration: If an attack source (specified by Block Object, default value: IP) requests protected objects more than 50 times (specified by Requests) in 10 seconds (specified by Time Range) and requests more than 50 directories that do not exist (specified by Non-existent Directories), and the percentage of the HTTP 404 status code for the requests exceeds 70% (specified by HTTP 404 Status Code Percentage), the attack source is added to the blacklist for 30 minutes (specified by Blocking Time), and all requests from the attack source are blocked or monitored for 30 minutes based on the configured protection rule. You can click Configure to specify custom parameters. For more information, see the following rows.
   	Block Object	Select the type of attack source for which you want to collect statistics. Valid values: IP: collects the frequency at which attacks are initiated from the same client IP address. Session: collects the frequency at which attacks are initiated during different sessions from the same client. Note WAF uses the setcookie() function to insert cookies that start with acw_tc in responses. This way, sessions from different clients are identified. Custom: collects the frequency at which attacks are initiated by objects that have the same request characteristics. You can use one of the following methods to specify request characteristics: Custom Header: collects the frequency of attack requests that contain a specific header. Custom Parameter: collects the frequency of attack requests that contain a specific parameter. Custom Cookie: collects the frequency of attack requests that contain a specific cookie.
   	Time Range	Specify the period of time during which HTTP requests are detected. Valid values: 5 to 1800. Unit: seconds.
   	Requests	Specify the maximum number of requests that a single object can initiate for a single domain name within the period of time specified by Time Range. Valid values: 3 to 50000.
   	HTTP 404 Status Code Percentage	Specify the maximum percentage of HTTP 404 status codes. Valid values: 1 to 100. Unit: %.
   	Non-existent Directories	Specify the maximum number of non-existent directories that an object is allowed to access within the period of time specified by Time Range. The non-existent directories exclude static files such as images. Valid values: 2 to 50000.
   	Blocking Time	Specify the period of time during which the requests from the source are blocked. Valid values: 60 to 86400. Unit: seconds.
   Scanner Blocking	Status	Enable or disable scanner blocking.
   Protected Domain Names	Protected Domain Names	Enter the domain names that you want to associate with the current protection policy. Note A protected domain name can be associated with only one protection policy of a policy type. If a domain name has been associated with a protection policy of a policy type, and you associate the domain name with another protection policy of the policy type, the new protection policy overwrites the existing policy.

5. Click Create Policy.

   By default, the protection policy that you created is enabled.

Related API operations

• CreateDcdnWafPolicy

• BatchCreateDcdnWafRules

• DescribeDcdnWafPolicies

• DescribeDcdnWafDefaultRules

• DescribeDcdnWafPolicies

• DescribeDcdnWafPolicyValidDomains