After you add your web services to Web Application Firewall (WAF), you can configure protection rules for the scan protection module to identify scanning behavior and scanner characteristics and prevent attackers or scanners from scanning websites on a large scale. This helps reduce the risks of intrusions to web services and block invalid scanning traffic. This topic describes how to create scan protection templates and rules.
Background information
The scan protection module provides the following types of rules:
High-frequency Scanning Blocking: If a source triggers the protection rules of the core protection rule module configured for the current protected object multiple times within a short period of time, the source is added to the blacklist. WAF blocks or monitors the requests from the source within a specific period of time.
Directory Traversal Blocking: If a source accesses many non-existent directories of a protected object within a short period of time, the source is added to the blacklist. WAF blocks or monitors the requests from the source within a specific period of time.
Scanner Blocking: Common scanners are added to the blacklist. The scanners include sqlmap, AWVS, Nessus, Appscan, Webinspect, Netsparker, Nikto, and RSAS. WAF blocks or monitors the requests from the scanners.
Template types
The scan protection module provides the following two types of templates.
| Protection template | Description | Apply to |
| --- | --- | --- |
| Default protection template | The initial default protection template provided by WAF. The template is enabled by default. Note: The initial default protection template that is enabled by default is available only for subscription WAF instances of the Pro, Enterprise, or Ultimate edition. | When you create a default protection template, it applies to all protected objects and object groups that are not associated with a custom protection template. It also automatically applies to newly added protected objects. You can manually adjust the settings. |
| Custom protection template | A protection template that you customize based on your business requirements. You must manually create a custom protection template. Custom protection templates are suitable for scenarios in which a single default protection template cannot meet your business requirements. | You must specify Apply To. The template applies only to the protected objects and object groups that are associated with it. |
Prerequisites
A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
Web services are added to WAF 3.0 as protected objects. For more information, see Configure protected objects and protected object groups.
Create a scan protection template
WAF provides an initial default protection template that is enabled by default. To use rule settings other than the defaults, you must create a protection template and configure its rules. Perform the following steps to create a scan protection template:
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, open the Core Web Protection page.
In the Scan Protection section at the bottom of the Core Web Protection page, click Create Template.
In the Create Template - Scan Protection panel, configure the parameters and click OK.
Parameter
Description
Template Name
Specify a name for the template.
The name of the template must be 1 to 255 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-).
Save As Default Template
The default protection template does not require you to specify the objects to which the template applies. The template applies to all protected objects and object groups that are not associated with custom protection templates. This includes newly added protected objects and object groups and those that are removed from custom protection templates. You can also manually remove them from the default template. You can set only one default template for a protection module, and you can set a default template only when you create a template.
Rule Configuration
Configure rule settings. A protection template of the scan protection module supports only one set of rules. A rule set consists of the following three types of rules:
High-frequency Scanning Blocking
If you turn on High-frequency Scanning Blocking, the following default configuration takes effect: If an IP address (Statistical And Blocked Object) triggers the protection rules of the core protection rule module configured for the current protected object more than 20 times (Trigger Of Protection Rules Of Core Protection Rule) and triggers more than 2 distinct protection rules (Maximum Number Of Triggered Rules) within 60 seconds (Time Range), the IP address is added to the blacklist and stays there for 1,800 seconds (Blocking Period). WAF blocks or monitors requests that are sent from the IP address.
To modify the rule configuration, click Advanced Settings.
Directory Traversal Blocking
If you turn on Directory Traversal Blocking, the following default configuration takes effect: If an IP address (Statistical And Blocked Object) sends more than 50 requests (Maximum Number Of Requests) to a protected object and accesses more than 50 non-existent directories (Maximum Number Of Non-existent Directories) within 10 seconds (Time Range), and HTTP 404 status codes make up more than 70% (Maximum HTTP 404 Status Code Percentage) of the status codes returned in the responses, the IP address is added to the blacklist. WAF blocks or monitors requests that are sent from the IP address.
Note: The statistics for directory scanning exclude static web file types such as .js and .png.
To modify the rule configuration, click Advanced Settings.
Scanner Blocking
If you turn on Scanner Blocking, common scanners are added to the blacklist. The scanners include sqlmap, AWVS, Nessus, Appscan, Webinspect, Netsparker, Nikto, and RSAS. WAF blocks or monitors requests from the scanners.
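The three rule types above are easier to reason about when you see the thresholds applied to traffic. The following Python script is an added illustration and is not WAF's implementation or code from this documentation: it replays a small, constructed set of access-log records through a local model of each rule using the default thresholds quoted in the text. The log record layout, the rule IDs (100-102), the IP addresses, the interpretation of "non-existent directory" as a distinct path that returned 404, and the list of static file suffixes beyond .js and .png are all assumptions made for the example. It is useful for sanity-checking how your own traffic would look against these defaults before switching a rule from Monitor to Block.

```python
"""Local model of WAF scan protection rule semantics (added example, not WAF code).

Thresholds are the defaults quoted in the documentation; everything else
(log layout, rule IDs, sample traffic) is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# High-frequency Scanning Blocking defaults from the text.
HF_WINDOW_S = 60
HF_MAX_TRIGGERS = 20
HF_MAX_DISTINCT_RULES = 2
HF_BLOCK_S = 1800

# Directory Traversal Blocking defaults from the text.
DT_WINDOW_S = 10
DT_MAX_REQUESTS = 50
DT_MAX_MISSING_PATHS = 50
DT_MAX_404_RATIO = 0.70

# .js and .png are named in the text; the other suffixes are an assumption.
STATIC_SUFFIXES = (".js", ".png", ".css", ".jpg", ".gif", ".ico")
# Scanner names listed in the text, matched case-insensitively in User-Agent (assumed signal).
SCANNER_SIGNATURES = ("sqlmap", "awvs", "nessus", "appscan", "webinspect", "netsparker", "nikto", "rsas")


@dataclass
class Request:
    ts: int            # Unix time in seconds
    ip: str            # Statistical And Blocked Object is the client IP
    path: str
    status: int
    user_agent: str
    rule_ids: tuple    # hypothetical core protection rule IDs the request triggered


def is_static(path: str) -> bool:
    return path.lower().endswith(STATIC_SUFFIXES)


def scanner_match(user_agent: str):
    ua = user_agent.lower()
    for sig in SCANNER_SIGNATURES:
        if sig in ua:
            return sig
    return None


def high_frequency_offenders(requests):
    """Return {ip: block_until_ts} for IPs that, in any 60 s window, trigger core
    rules more than 20 times and hit more than 2 distinct rules."""
    by_ip = defaultdict(list)
    for r in sorted(requests, key=lambda r: r.ts):
        if r.rule_ids:
            by_ip[r.ip].append(r)
    blocked = {}
    for ip, hits in by_ip.items():
        start, triggers, rule_counts = 0, 0, defaultdict(int)
        for end, r in enumerate(hits):
            triggers += len(r.rule_ids)
            for rid in r.rule_ids:
                rule_counts[rid] += 1
            while r.ts - hits[start].ts >= HF_WINDOW_S:   # evict events older than the window
                old = hits[start]
                triggers -= len(old.rule_ids)
                for rid in old.rule_ids:
                    rule_counts[rid] -= 1
                    if rule_counts[rid] == 0:
                        del rule_counts[rid]
                start += 1
            if triggers > HF_MAX_TRIGGERS and len(rule_counts) > HF_MAX_DISTINCT_RULES:
                blocked[ip] = r.ts + HF_BLOCK_S          # blacklisted for the Blocking Period
                break
    return blocked


def directory_traversal_offenders(requests):
    """Return the set of IPs that, in any 10 s window of non-static requests, send
    more than 50 requests to more than 50 distinct 404 paths with a 404 share above 70%."""
    by_ip = defaultdict(list)
    for r in sorted(requests, key=lambda r: r.ts):
        if not is_static(r.path):                        # static file types are excluded
            by_ip[r.ip].append(r)
    blocked = set()
    for ip, reqs in by_ip.items():
        start, n404, missing = 0, 0, defaultdict(int)    # missing: 404 path -> hits in window
        for end, r in enumerate(reqs):
            if r.status == 404:
                n404 += 1
                missing[r.path] += 1
            while r.ts - reqs[start].ts >= DT_WINDOW_S:
                old = reqs[start]
                if old.status == 404:
                    n404 -= 1
                    missing[old.path] -= 1
                    if missing[old.path] == 0:
                        del missing[old.path]
                start += 1
            total = end - start + 1
            if (total > DT_MAX_REQUESTS and len(missing) > DT_MAX_MISSING_PATHS
                    and n404 / total > DT_MAX_404_RATIO):
                blocked.add(ip)
                break
    return blocked


def scanner_offenders(requests):
    """Return {ip: matched scanner signature} for requests with a known scanner User-Agent."""
    found = {}
    for r in requests:
        sig = scanner_match(r.user_agent)
        if sig:
            found[r.ip] = sig
    return found


def sample_requests():
    """Constructed traffic: one directory scanner, one payload scanner, one known tool,
    and one legitimate user whose static-file 404s must not count."""
    reqs = []
    for i in range(60):   # 60 probes of distinct non-existent paths in 6 s, all 404
        reqs.append(Request(1000 + i // 10, "203.0.113.10", f"/backup{i}/", 404, "Mozilla/5.0", ()))
    for i in range(25):   # 25 core-rule triggers across 3 distinct rules in 25 s
        reqs.append(Request(2000 + i, "203.0.113.20", "/search", 403, "Mozilla/5.0", (100 + i % 3,)))
    reqs.append(Request(3000, "203.0.113.30", "/", 200, "sqlmap/1.7 (http://sqlmap.org)", ()))
    for i in range(80):   # legitimate user: 40 page views (4 missing) plus 40 missing .png assets
        static = bool(i % 2)
        path = f"/assets/{i}.png" if static else f"/page{i}"
        status = 404 if static or i % 10 == 0 else 200
        reqs.append(Request(4000 + i // 20, "198.51.100.5", path, status, "Mozilla/5.0", ()))
    return reqs


if __name__ == "__main__":
    logs = sample_requests()
    print("high-frequency:", high_frequency_offenders(logs))      # {'203.0.113.20': 3820}
    print("directory traversal:", directory_traversal_offenders(logs))  # {'203.0.113.10'}
    print("scanner:", scanner_offenders(logs))                    # {'203.0.113.30': 'sqlmap'}
```

The legitimate user sends 80 requests with a 404 rate of 55%, but half of those are .png assets, which the note says are excluded from the statistics; once they are dropped only 40 requests remain in the window, below the 50-request threshold, so no false positive occurs. If your application legitimately returns many 404s on dynamic paths (for example a REST API that 404s on lookups of unknown IDs), run Directory Traversal Blocking in Monitor mode first, as the Action section below recommends, and raise Maximum HTTP 404 Status Code Percentage or Maximum Number Of Non-existent Directories under Advanced Settings before switching to Block.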
Action
Select the action that you want WAF to perform when a request matches the rule. Valid values:
Block: blocks a request that matches the rule and returns a block page to the client that initiated the request.
Note: By default, WAF returns a preconfigured block page. You can use the custom response feature to configure a custom block page. For more information, see Configure protection rules for the custom response module to configure custom block pages.
Monitor: records a request that matches the rule in logs without blocking the request. You can query logs about the requests that match the rule and analyze the protection performance. For example, you can check whether legitimate requests are blocked based on logs.
Important: You can query logs only when the Simple Log Service for WAF feature is enabled. For more information, see Enable or disable the Simple Log Service for WAF feature.
If you select Monitor, you can perform a dry run on the rule to check whether the rule blocks normal requests. If the rule passes the dry run, you can set the Action parameter to Block.
Note: On the Security Reports page, you can view the details of matched rules in Monitor or Block mode. For more information, see Security reports.
Apply To
Select items to which you want to apply the template on the Protected Objects and Protected Object Groups tabs. For more information, see Configure protected objects and protected object groups.
A protected object or object group can be associated with only one scan protection template. If you set a default protection template, the template applies to all protected objects and object groups that are not associated with custom protection templates by default. If you do not set a default template, no protected objects or object groups are selected by default. You can manually modify the objects to which the template applies.
By default, a newly created protection template is enabled. You can perform the following operations on the protection template in the template list:
View the number of protected objects and object groups associated with the template in the Protected Object/Group column.
Turn on or turn off the switch in the Status column to enable or disable the template.
Click Edit or Delete in the Actions column to modify or delete the template.
Click the icon to the left of the template name to view and manage the rules in the template. Find a rule and click Unblock IP Addresses to unblock the IP addresses that are blocked by the rule.
Important: You can click Unblock IP Addresses only for IP addresses that were blocked by the High-frequency Scanning Blocking or Directory Traversal Blocking rule, and only when the related rule and template are enabled.
What to do next
On the Scan Protection tab of the Security Reports page, you can view the protection details for the rules. For more information, see Security Reports.
References
For more information about the protection objects, protection modules, and protection process of WAF 3.0, see Protection configuration overview.
For more information about how to create a protection template by calling an API operation, see CreateDefenseTemplate.
For more information about how to create a protection rule for the core protection rule module and configure the rule, see CreateDefenseRule.