
Web Application Firewall:Configure advanced custom rules for bot management

Last Updated:Nov 26, 2025

After you enable bot management, you can create custom access control and frequency control rules to protect against requests that match specific conditions. Advanced custom rules offer a wider range of match conditions, such as Client ID, JA3/JA4 fingerprints, and information collected by Web/App SDKs. Conditional deduplication for statistics is also supported. This topic describes how to create a custom bot rule template and add custom rules to it.

Background information

Custom rules are classified into the following types:

  • Access control rule: Define match conditions based on client IPs, request URLs, and common request header fields. WAF takes a specified action on requests that hit the match conditions. For example, you can use a custom rule to block requests from a specific Client ID or verify requests that contain a specific web UMID or app UMID.

  • Frequency control rule: Define access frequency detection conditions on top of access control match conditions. WAF takes a specified action on statistical objects with unusual access frequencies. For example, if requests from the same IP address or session frequently hit the match conditions within a short period, you can enable frequency control to block requests from that IP address or session for a specified period.

Step 1: Create a custom rule template

  1. Log on to the Web Application Firewall 3.0 console. In the top navigation bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for your WAF instance.

  2. Click Create Template. In the New Template - Advanced Custom Rules panel, configure the following settings and click OK.

    • Template Name: Enter a name for the template. The name must be 1 to 255 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    • Rule Configuration: You can click Create Rule to create a custom rule for the current template. You can also skip this step and create rules for the template after the template is created.

    • Apply To: Select the items to which you want to apply the template on the Protected Objects and Protected Object Groups tabs. For more information, see Configure protected objects and protected object groups.

By default, a newly created protection template is enabled. You can perform the following operations on the template in the template list:

  • View the numbers of protected objects and protected object groups that are associated with the template in the Protected Object/Group column.

  • Turn on or turn off the switch in the Status column to enable or disable the template.

  • Click Create Rule in the Actions column to create a protection rule for the template.

  • Click Edit, Delete, or Copy in the Actions column to manage the template.

  • Click the expand icon to the left of the template name to view the protection rules in the template.

Step 2: Create a custom rule

A custom rule template does not take effect until you add protection rules. In the Create Rule dialog box, configure the following parameters and click OK.

If you already added a protection rule in Step 1, you can skip this step.

Parameter

Description

Rule Name

Enter a name for the rule.

The name of the rule can contain letters, digits, periods (.), underscores (_), and hyphens (-).

Match Condition

Set the request features that you want to match.

Click Add Condition to add a condition. You can add up to 10 conditions to a rule. If you define multiple conditions, a request must meet all the conditions to hit the rule.

Each condition consists of a Match Field, a Logic, and a Match Content. The following are configuration examples:

  • Example 1: If you set Match Field to URI, Logic to Contains, and Match Content to /login.php, requests for paths that contain /login.php hit the rule.

  • Example 2: If you set Match Field to IP, Logic to Belongs to, and Match Content to 192.1X.XX.XX, requests from the client IP address 192.1.XX.XX hit the rule.
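The two examples above are single conditions; a rule with several conditions only hits when every condition holds. The following Python is an added example, not code from the page or from Alibaba Cloud, of how that evaluation works: a small matcher over a subset of the page's match fields and logic operators, combining Example 1 and Example 2 into one rule. The request model, the `LOGIC` table and the documentation address range 192.0.2.0/24 (used instead of the masked address on the page) are constructed for this illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List
from urllib.parse import urlsplit


# Constructed request model carrying the match fields this example supports.
@dataclass
class Request:
    method: str
    client_ip: str
    uri: str                      # URI = URI Path + Query String, as the page defines it
    headers: Dict[str, str] = field(default_factory=dict)


def field_value(req: Request, name: str) -> str:
    """Return the value of a match field for this request ("" if absent)."""
    parts = urlsplit(req.uri)
    if name == "URI":
        return req.uri
    if name == "URI Path":
        return parts.path
    if name == "Query String":
        return parts.query
    if name == "IP":
        return req.client_ip
    if name == "Http-Method":
        return req.method
    if name in ("Referer", "User-Agent", "Host", "Content-Type"):
        return req.headers.get(name, "")
    raise ValueError(f"unsupported match field: {name}")


def belongs_to(value: str, content: str) -> bool:
    """'Belongs to': the client IP is one of the listed addresses or CIDR blocks."""
    ip = ipaddress.ip_address(value)
    return any(ip in ipaddress.ip_network(c.strip(), strict=False)
               for c in content.split(",") if c.strip())


def one_of(content: str) -> List[str]:
    """Split a comma-separated Match Content list."""
    return [c.strip() for c in content.split(",") if c.strip()]


# Logic operators named as on the page (a subset of what the console offers).
LOGIC: Dict[str, Callable[[str, str], bool]] = {
    "Contains": lambda v, c: c in v,
    "Does not contain": lambda v, c: c not in v,
    "Equals": lambda v, c: v == c,
    "Does not equal": lambda v, c: v != c,
    "Starts with": lambda v, c: v.startswith(c),
    "Ends with": lambda v, c: v.endswith(c),
    "Equals one of": lambda v, c: v in one_of(c),
    "Does not equal any of": lambda v, c: v not in one_of(c),
    "Contains one of": lambda v, c: any(x in v for x in one_of(c)),
    "Matches regex": lambda v, c: re.search(c, v) is not None,
    "Does not match regex": lambda v, c: re.search(c, v) is None,
    "Length is greater than": lambda v, c: len(v) > int(c),
    "Length is less than": lambda v, c: len(v) < int(c),
    "Is empty": lambda v, c: v == "",
    "Belongs to": belongs_to,
    "Does not belong to": lambda v, c: not belongs_to(v, c),
}


@dataclass
class Condition:
    match_field: str
    logic: str
    match_content: str = ""


def rule_hits(conditions: List[Condition], req: Request) -> bool:
    """A request hits the rule only if every condition holds (conditions are ANDed)."""
    if not 1 <= len(conditions) <= 10:
        raise ValueError("a rule takes 1 to 10 conditions")
    return all(LOGIC[c.logic](field_value(req, c.match_field), c.match_content)
               for c in conditions)


# Constructed rule: Example 1 and Example 2 from the page combined into one rule.
LOGIN_RULE = [
    Condition("URI", "Contains", "/login.php"),
    Condition("IP", "Belongs to", "192.0.2.0/24"),
]

if __name__ == "__main__":
    for req in (Request("POST", "192.0.2.10", "/login.php?next=/account"),
                Request("POST", "198.51.100.7", "/login.php")):
        print(req.client_ip, req.uri, "->", "hit" if rule_hits(LOGIN_RULE, req) else "no hit")
```

The second request has the right URI but comes from outside the listed block, so it does not hit the rule; this is the AND semantics to keep in mind when a rule with many conditions seems to match less traffic than expected in Monitor mode.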

Protection Rule Type

Access Control is selected by default. Click Rate Limiting to enable frequency control.

Frequency control means that if requests from the same statistical object (such as an IP address or a session) frequently hit the rule, WAF takes a specified action on all access requests from the statistical object for a period of time. After you enable frequency control, you must configure the frequency control parameters.

  • Frequency detection condition

    If the number of times that a Statistical Object hits the rule within a Statistical Interval (Seconds) exceeds the Threshold (Times), the object is added to the blacklist.

    • Statistical Object

      Select the object for which you want to collect statistics on request frequency. Valid values:

      • IP: Collects statistics on the frequency of requests from the same IP address.

      • Custom Header: Collects statistics on the frequency of requests that contain a specified header. For example, for the custom header identifier Referer, WAF counts the number of requests for each Referer value within the specified statistical period.

      • Custom Parameter: Matches a keyword in the URL and collects statistics on the frequency of requests that contain the specified parameter.

      • Custom Cookie: Collects statistics on the frequency of HTTP requests that contain a specified cookie within a specific period. For example, if you set the custom cookie to User, WAF counts the number of occurrences for each User value within the statistical period.

      • Session: By default, WAF inserts acw_tc into responses to identify and collect statistics on access requests from different clients. WAF collects statistics on the frequency of requests that are initiated from the same acw_tc.

      • Body: A parameter in the request body. WAF collects statistics on the frequency of requests that contain the specified body parameter.

      • App UMID: Collects statistics on the frequency of requests from the same app client.

      • Account: Collects statistics on the frequency of requests from the same account.

      • Web UMID: Collects statistics on the frequency of requests from the same web client.

    • Statistical Interval (Seconds)

      Set the statistical period. Unit: seconds.

    • Threshold (Times)

      Set the maximum number of times that a Statistical Object is allowed to hit the Match Condition within the Statistical Interval (Seconds).

  • Response code detection condition

    If the number or percentage of responses that have a specific Status Code exceeds the configured Quantity or Percentage (%), the object is added to the blacklist.

    • Status Code

      Select whether to enable response code detection based on frequency detection. If you enable this feature, a protected object is added to the blacklist only if it meets both the frequency detection condition and the response code condition. If you enable response code detection, you must specify the response code for which you want to collect statistics.

    • Quantity

      Set the maximum number of times that the specified Status Code is allowed to appear in responses within the statistical period.

      Note

      You can set either Quantity or Percentage (%).

    • Percentage (%)

      Set the maximum percentage of responses that can contain the specified Status Code within the statistical period.

      Note

      You can set either Quantity or Percentage (%).

  • Deduplication for statistics

    If an object hits the statistical rule after deduplication, the object is added to the blacklist. Click Add Condition to add a condition. You can add up to five conditions to a rule. If you define multiple conditions, a request must meet all the conditions to hit the rule.

    Each condition consists of a Match Field, a Logic, and a Match Content. The following is a configuration example:

    If you set Match Field to URI, Logic to Equals, and Number to 5, a request hits the rule if the number of access requests to the URI specified in the match condition is 5 after deduplication.

  • Blacklist action condition

    Adds the statistical object that hits the frequency detection condition to the blacklist. Within the Timeout Period, WAF performs the specified Action on requests from the object that fall within the Apply To scope.

    • Apply To

      Set the scope of the blacklist action. Valid values:

      • Current Match Condition: WAF takes action only on requests that meet the Match Condition of the current rule.

      • Protected Object: WAF takes action on all requests from the restricted object.

    • Timeout Period

      Set the period during which the blacklist action is effective. Unit: seconds. Value range: 60 to 86400.
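To make the interaction between the frequency detection condition, the response code detection condition, the Timeout Period and the Apply To scope concrete, here is an added Python simulation of a frequency control rule. It is not code from the page or from Alibaba Cloud and makes two simplifying assumptions: the response status code of each request is already known when the rule is evaluated (a real WAF observes it after forwarding), and "exceeds the Threshold" is read as strictly greater than. Deduplication for statistics is not modeled. The traffic below is constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class FrequencyRule:
    interval: int                  # Statistical Interval (Seconds)
    threshold: int                 # Threshold (Times): hits allowed per interval
    timeout: int                   # Timeout Period in seconds, 60 to 86400
    action: str = "Block"
    apply_to: str = "Current Match Condition"   # or "Protected Object"
    status_code: Optional[int] = None   # response code detection, None = off
    quantity: Optional[int] = None      # set either Quantity ...
    percentage: Optional[float] = None  # ... or Percentage (%)

    def __post_init__(self) -> None:
        if not 60 <= self.timeout <= 86400:
            raise ValueError("Timeout Period must be 60 to 86400 seconds")
        if self.status_code is not None and (self.quantity is None) == (self.percentage is None):
            raise ValueError("set either Quantity or Percentage (%), not both")


@dataclass
class Event:
    ts: float       # request time in seconds
    obj: str        # statistical object value, e.g. the client IP or acw_tc session
    matches: bool   # whether the request hit the rule's Match Condition
    status: int     # response status code the origin returned (assumed known here)


class FrequencyControl:
    def __init__(self, rule: FrequencyRule) -> None:
        self.rule = rule
        # per object: (timestamp, status) of rule hits inside the current window
        self.windows: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)
        self.blacklist: Dict[str, float] = {}   # object -> blacklisted until

    def _status_condition(self, hits: Deque[Tuple[float, int]]) -> bool:
        """Response code detection; trivially true when it is not enabled."""
        r = self.rule
        if r.status_code is None:
            return True
        n = sum(1 for _, s in hits if s == r.status_code)
        if r.quantity is not None:
            return n > r.quantity
        return 100.0 * n / len(hits) > r.percentage

    def process(self, ev: Event) -> str:
        """Return the action WAF takes on this request: rule.action or 'Pass'."""
        r = self.rule
        until = self.blacklist.get(ev.obj)
        if until is not None and ev.ts < until:
            # Blacklisted: the action covers only matching requests, or every request
            # from the object when Apply To is "Protected Object".
            return r.action if (r.apply_to == "Protected Object" or ev.matches) else "Pass"
        if until is not None:
            del self.blacklist[ev.obj]   # timeout expired
        if not ev.matches:
            return "Pass"
        hits = self.windows[ev.obj]
        while hits and hits[0][0] <= ev.ts - r.interval:   # drop hits outside the window
            hits.popleft()
        hits.append((ev.ts, ev.status))
        if len(hits) > r.threshold and self._status_condition(hits):
            self.blacklist[ev.obj] = ev.ts + r.timeout
            return r.action
        return "Pass"


def simulate(rule: FrequencyRule, events: List[Event]) -> List[str]:
    """Run the events through a fresh rule instance and return the action per request."""
    fc = FrequencyControl(rule)
    return [fc.process(ev) for ev in events]


# Constructed traffic: one client sends seven matching login requests that all fail
# with 401 within ten seconds, then one unrelated request, then one more request
# after the timeout has expired.
SAMPLE_EVENTS = (
    [Event(t, "192.0.2.10", True, 401) for t in range(7)]
    + [Event(8, "192.0.2.10", False, 200), Event(70, "192.0.2.10", True, 401)]
)

RULE_MATCH_ONLY = FrequencyRule(interval=10, threshold=5, timeout=60,
                                status_code=401, quantity=3)
RULE_WHOLE_OBJECT = FrequencyRule(interval=10, threshold=5, timeout=60,
                                  apply_to="Protected Object", status_code=401, quantity=3)

if __name__ == "__main__":
    for name, rule in (("Current Match Condition", RULE_MATCH_ONLY),
                       ("Protected Object", RULE_WHOLE_OBJECT)):
        print(name, simulate(rule, SAMPLE_EVENTS))
```

The sixth matching request is the one that crosses the threshold and starts the 60-second blacklist; the unrelated request at second 8 is passed under Current Match Condition but blocked under Protected Object, and the request at second 70 is evaluated afresh because both the blacklist and the statistical window have expired.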

Actions

  • JavaScript Validation: WAF returns a block of JavaScript validation code to the client. A standard browser automatically executes this code. If the client completes execution successfully, WAF allows all requests from that client for a period of time (30 minutes by default). Otherwise, the requests are blocked.

  • Block: Blocks requests that match the rule and returns a block page to the client.

    Note

    WAF uses a default block page. You can also create a custom block page using the Custom Response feature.

  • Monitor: Does not block requests that match the rule but logs them. When testing a rule, you can first use the Monitor mode to analyze WAF logs and confirm that no false positives occur before changing the action.

  • Slider CAPTCHA: WAF returns a slider CAPTCHA page to the client. If the client successfully completes the slider challenge, WAF allows all requests from that client for a period of time (30 minutes by default). Otherwise, the requests are blocked.

  • Strict Slider CAPTCHA Verification: WAF returns a slider CAPTCHA page to the client. If the client successfully completes the slider challenge, the current request is allowed. Otherwise, the request is blocked. In this mode, the client must complete a slider challenge for every request that matches the rule.

  • Add Tag: You can define a custom header name and content (including rule type, rule ID, and web UMID). WAF does not process the request directly but instead adds a header to forward the match information to the origin server. You can integrate this with your backend risk control system for business-side processing.

Rule Type

After you classify a custom rule, the traffic that hits the rule is recorded in the Malicious Bot and Suspected Bot trend charts on the traffic analysis page.

  • Suspected Bot: The request shows some characteristics of a crawler but lacks direct evidence, such as attack traces or a clear intent. The intent of the request needs to be further verified.

  • Malicious Bot: An automated program that is primarily used for illegal purposes, such as launching attacks, stealing data, or performing malicious operations on a target system or network using automated methods.

Advanced Settings

  • Canary Release: Configure the percentage of objects of different dimensions to which the rule applies.

    After you enable Grayscale Rule, you must set the grayscale Dimension and Canary Release Proportion. The grayscale Dimension can be IP, Custom Header, Custom Parameter, Custom Cookie, Session, App UMID, or Web UMID.

    Note

    A canary release takes effect based on the configured Dimension, not by randomly applying the rule to a percentage of requests. For example, if the Dimension is IP and the Canary Release Proportion is 10%, WAF selects approximately 10% of the IP addresses. WAF then applies the rule to all requests from these selected IP addresses, not to a random 10% of all requests.

  • Effective Mode

    • Permanently Effective (Default): The rule is always active when the protection template is enabled.

    • Fixed Schedule: The protection rule is active only during a specified time period.

    • Recurring Schedule: The protection rule is active only during a specified recurring schedule.
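The note on Canary Release says selection happens per Dimension, not per request. The following Python, an added example that is not code from the page or from Alibaba Cloud, shows the difference: a deterministic hash of the dimension value puts each IP into a bucket, so every request from a selected IP is covered by the rule, whereas an independent coin flip per request would split one client's traffic between the two behaviours. The hashing scheme, the `rule_id` salt and the request sample are constructed for this illustration and are not how WAF implements the feature.

```python
import hashlib
import random
from typing import Dict, List


def in_canary(dimension_value: str, proportion: float, rule_id: str = "rule-example") -> bool:
    """Deterministic bucketing: hash the dimension value (e.g. the client IP) to a
    number in [0, 1) and select it if that number is below the proportion."""
    if not 0.0 <= proportion <= 1.0:
        raise ValueError("proportion must be between 0 and 1")
    digest = hashlib.sha256(f"{rule_id}:{dimension_value}".encode()).digest()
    bucket = int.from_bytes(digest[:8], "big") / 2 ** 64
    return bucket < proportion


def dimension_rollout(requests: List[Dict[str, str]], dimension: str, proportion: float) -> List[bool]:
    """Canary by Dimension: the decision depends only on the request's dimension value."""
    return [in_canary(r[dimension], proportion) for r in requests]


def per_request_rollout(requests: List[Dict[str, str]], proportion: float, seed: int = 0) -> List[bool]:
    """What the page says a canary is NOT: an independent coin flip per request."""
    rng = random.Random(seed)
    return [rng.random() < proportion for _ in requests]


def consistent_per_object(requests: List[Dict[str, str]], dimension: str, decisions: List[bool]) -> bool:
    """True if every request from the same dimension value received the same decision."""
    seen: Dict[str, bool] = {}
    for r, d in zip(requests, decisions):
        if seen.setdefault(r[dimension], d) != d:
            return False
    return True


def selected_objects(requests: List[Dict[str, str]], dimension: str, decisions: List[bool]) -> List[str]:
    """The distinct dimension values the rule was applied to."""
    return sorted({r[dimension] for r, d in zip(requests, decisions) if d})


# Constructed traffic: 50 client IPs in the documentation range, 10 requests each.
SAMPLE_REQUESTS = [{"IP": f"192.0.2.{i}", "URI": f"/item/{n}"}
                   for i in range(1, 51) for n in range(10)]

if __name__ == "__main__":
    by_ip = dimension_rollout(SAMPLE_REQUESTS, "IP", 0.10)
    by_req = per_request_rollout(SAMPLE_REQUESTS, 0.10)
    print("by IP   : consistent per IP =", consistent_per_object(SAMPLE_REQUESTS, "IP", by_ip),
          "| selected IPs =", selected_objects(SAMPLE_REQUESTS, "IP", by_ip))
    print("per req : consistent per IP =", consistent_per_object(SAMPLE_REQUESTS, "IP", by_req),
          "| requests selected =", sum(by_req))
```

Because the bucket is a function of the IP and the rule, the set of canary IPs is stable across requests and across time, which is what lets you compare WAF logs for the canary population against the rest before raising the proportion.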

By default, a newly created protection rule is enabled. You can perform the following operations on the rule in the rule list:

  • View the rule ID and action in the Rule ID and Action columns.

  • Turn on or turn off the switch in the Status column to enable or disable the rule.

  • Click Edit or Delete in the Actions column to modify or delete the rule.

Match field descriptions

Match Field

Description

Supported logic

URI

The Uniform Resource Identifier (URI) of a request specifies the path to the requested resource. In general, URI = URI Path + Query String.

The value must start with a forward slash (/) and must not contain a domain name. For example, /login.php.

  • Contains, Does not contain

  • Equals, Does not equal

  • Length is less than, Length is equal to, Length is greater than

  • Equals one of, Does not equal any of

  • Contains one of, Does not contain any of

  • Does not match regex, Matches regex

  • Starts with, Ends with

IP

The source IP address of a request. This is the IP address of the client that initiates the request.

The value must meet the following requirements:

  • IPv4 addresses such as 1.XX.XX.1 and IPv6 addresses such as 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff are supported.

  • IP address CIDR blocks such as 1.XX.XX.1/16 are supported.

  • Press Enter after you enter an IP address.

  • You can enter up to 100 IP addresses.

Does not belong to, Belongs to

Referer

The source URL of a request. It identifies the page from which the request was initiated.

  • Contains, Does not contain

  • Equals, Does not equal

  • Length is less than, Length is equal to, Length is greater than

  • Equals one of, Does not equal any of

  • Contains one of, Does not contain any of

  • Does not match regex, Matches regex

  • Starts with, Ends with

  • Is empty

  • Exists, Does not exist

User-Agent

The identifier of the client that initiates the request. It contains information about the browser, rendering engine, version, and other browser-related details.

  • Contains, Does not contain

  • Equals, Does not equal

  • Length is less than, Length is equal to, Length is greater than

  • Equals one of, Does not equal any of

  • Contains one of, Does not contain any of

  • Does not match regex, Matches regex

  • Starts with, Ends with

  • Is empty

  • Exists, Does not exist

Query String

The query string of a request. This is the part of the URL that follows the question mark (?).

  • Contains, Does not contain

  • Equals, Does not equal

  • Length is less than, Length is equal to, Length is greater than

  • Equals one of, Does not equal any of

  • Contains one of, Does not contain any of

  • Does not match regex, Matches regex

  • Exists, Does not exist

Cookie

The cookie information in a request.

  • Contains, Does not contain

  • Equals, Does not equal

  • Length is less than, Length is equal to, Length is greater than

  • Equals one of, Does not equal any of

  • Contains one of, Does not contain any of

  • Does not match regex, Matches regex

  • Exists, Does not exist

  • Is empty

Content-Type

The HTTP content type specified in a request, which is the Multipurpose Internet Mail Extensions (MIME) type.

  • Contains, Does not contain

  • Equals, Does not equal

  • Length is less than, Length is equal to, Length is greater than

  • Equals one of, Does not equal any of

  • Contains one of, Does not contain any of

  • Does not match regex, Matches regex

Content-Length

The length of the request body in bytes. The value can range from 0 to 2,147,483,648.

Equals, Value is less than, Value is greater than

X-Forwarded-For

The originating IP address of the client. X-Forwarded-For (XFF) is an HTTP request header field that is used to identify the original IP address of a client that connects to a web server through an HTTP proxy or a load balancer. Only requests that are forwarded by an HTTP proxy or a load balancer contain this field.

  • Contains, Does not contain

  • Equals, Does not equal

  • Length is less than, Length is equal to, Length is greater than

  • Equals one of, Does not equal any of

  • Contains one of, Does not contain any of

  • Does not match regex, Matches regex

  • Does not exist

Body

The body of a request.

  • Contains

  • Does not exist

  • Equals

  • Matches regex

  • Starts with, Ends with

Http-Method

The method of a request, such as GET, POST, DELETE, PUT, OPTIONS, CONNECT, HEAD, TRACE, or PATCH.

  • Does not equal, Equals

  • Equals one of, Does not equal any of

Header

A header in a request. Custom header fields are supported.

  • Contains, Does not contain

  • Equals, Does not equal

  • Length is less than, Length is equal to, Length is greater than

  • Equals one of, Does not equal any of

  • Contains one of, Does not contain any of

  • Does not match regex, Matches regex

  • Exists, Does not exist

URI Path

The URI path of a request.

  • Contains, Does not contain

  • Equals, Does not equal

  • Length is less than, Length is equal to, Length is greater than

  • Equals one of, Does not equal any of

  • Contains one of, Does not contain any of

  • Does not match regex, Matches regex

  • Starts with, Ends with

Query String Parameter

The name of a request parameter. A request parameter refers to the part of the URL that follows the question mark (?). For example, in www.aliyundoc.com/request_path?param1=a&param2=b, param1 and param2 are request parameters.

Note

The parameter name is case-sensitive.

  • Contains, Does not contain

  • Equals, Does not equal

  • Length is less than, Length is equal to, Length is greater than

  • Equals one of, Does not equal any of

  • Contains one of, Does not contain any of

  • Does not match regex, Matches regex

  • Starts with, Ends with

  • Exists, Does not exist

  • Is empty

Client-ID

The identifier of a client, such as a browser or an application. WAF identifies the client type based on features such as User-Agent information and traffic fingerprints.

  • Contains, Does not contain

  • Equals, Does not equal

  • Equals one of

Server-Port

The server port.

  • Does not equal, Equals

  • Equals one of, Does not equal any of

File Extension

The extension of the requested file. For example, .png or .php.

  • Contains, Does not contain

  • Equals, Does not equal

  • Length is less than, Length is equal to, Length is greater than

  • Equals one of, Does not equal any of

  • Contains one of, Does not contain any of

  • Does not match regex, Matches regex

  • Starts with, Ends with

  • Exists, Does not exist

  • Is empty

Filename

The name of the file at the end of the request path. For example, in /abc/index.php, index.php is the filename.

  • Contains, Does not contain

  • Equals, Does not equal

  • Length is less than, Length is equal to, Length is greater than

  • Equals one of, Does not equal any of

  • Contains one of, Does not contain any of

  • Does not match regex, Matches regex

  • Starts with, Ends with

  • Exists, Does not exist

  • Is empty

Host

The requested domain name.

  • Contains, Does not contain

  • Equals, Does not equal

  • Length is less than, Length is equal to, Length is greater than

  • Equals one of, Does not equal any of

  • Contains one of, Does not contain any of

  • Does not match regex, Matches regex

  • Starts with, Ends with

  • Exists, Does not exist

  • Is empty

Cookie Name

The name of a cookie. For example, in the cookie acw_tc:111, acw_tc is the cookie name.

Note

The cookie name is case-sensitive.

  • Contains, Does not contain

  • Equals, Does not equal

  • Length is less than, Length is equal to, Length is greater than

  • Equals one of, Does not equal any of

  • Contains one of, Does not contain any of

  • Does not match regex, Matches regex

  • Starts with, Ends with

  • Exists, Does not exist

  • Is empty

Body Parameter

The name of a parameter in the request body. For example, if the request body contains the string a=1&b=2, a and b are the parameter names. When you use this field, ensure the value is longer than four characters. Otherwise, WAF cannot detect the traffic.

Note

The parameter name is case-sensitive.

  • Contains, Does not contain

  • Equals, Does not equal

  • Length is less than, Length is equal to, Length is greater than

  • Equals one of, Does not equal any of

  • Contains one of, Does not contain any of

  • Does not match regex, Matches regex

  • Starts with, Ends with

  • Exists, Does not exist

  • Is empty

JA3 Fingerprint

A string generated by performing an MD5 hash on key parameters of the TLS handshake, including the TLS version, cipher suites, compression algorithms, and TLS extensions. This string, known as the JA3 fingerprint, represents the TLS configuration of a client.

JA3 fingerprints can be used to identify and differentiate between different types of TLS clients, such as web browsers, mobile applications, and malware.

  • Equals, Does not equal

  • Equals one of
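The value a JA3 Fingerprint condition compares against is the MD5 of a fixed serialization of the ClientHello, as published by the JA3 authors: the version, cipher suite list, extension list, supported groups and point formats, each list joined with "-" and the five parts joined with ",". The Python below is an added example, not code from the page or from Alibaba Cloud, that computes the string and the hash from already-parsed ClientHello fields (it does not parse TLS itself). It also shows why GREASE values are dropped: two constructed ClientHellos from the same client differ only in their randomised GREASE entries and still produce the same fingerprint, which is what makes the value stable enough to put in an "Equals one of" list.

```python
import hashlib
from dataclasses import dataclass
from typing import List

# GREASE values (RFC 8701) are randomised by browsers on every connection, so JA3
# drops them from the cipher, extension and curve lists before hashing.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}


@dataclass
class ClientHello:
    """The ClientHello fields JA3 uses (constructed model, not a TLS parser)."""
    version: int            # e.g. 771 = 0x0303
    ciphers: List[int]      # cipher suite codes, in wire order
    extensions: List[int]   # extension type codes, in wire order
    curves: List[int]       # supported_groups values
    point_formats: List[int]


def _join(values: List[int]) -> str:
    """Join a code list with '-', leaving GREASE values out."""
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(ch: ClientHello) -> str:
    """SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats."""
    return ",".join([str(ch.version), _join(ch.ciphers), _join(ch.extensions),
                     _join(ch.curves), _join(ch.point_formats)])


def ja3_fingerprint(ch: ClientHello) -> str:
    """The 32-hex-character MD5 of the JA3 string, which is what a rule matches on."""
    return hashlib.md5(ja3_string(ch).encode("ascii")).hexdigest()


# Constructed ClientHello shaped like a modern browser, with a GREASE value in each list.
SAMPLE_HELLO = ClientHello(
    version=771,
    ciphers=[0x1A1A, 4865, 4866, 4867, 49195, 49199, 49196, 49200],
    extensions=[0x0A0A, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 27, 17513],
    curves=[0x9A9A, 29, 23, 24],
    point_formats=[0],
)

# The same client on its next connection: different GREASE values, same fingerprint.
SAMPLE_HELLO_NEXT = ClientHello(
    version=771,
    ciphers=[0xBABA, 4865, 4866, 4867, 49195, 49199, 49196, 49200],
    extensions=[0x5A5A, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 27, 17513],
    curves=[0xCACA, 29, 23, 24],
    point_formats=[0],
)

if __name__ == "__main__":
    print(ja3_string(SAMPLE_HELLO))
    print(ja3_fingerprint(SAMPLE_HELLO), ja3_fingerprint(SAMPLE_HELLO_NEXT))
```

Order matters: reordering the cipher or extension list changes the string and therefore the hash, which is the property that separates one TLS stack from another while staying constant for a given client build.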

JA4 Fingerprint

A JA4 fingerprint includes more contextual information and uses additional algorithms, considering factors such as the browser version and operating system. This helps reduce the duplication issues that can occur with JA3 fingerprints.

JA4 fingerprints can more accurately distinguish between real users and impostors, which reduces the false positive rate.

  • Equals, Does not equal

  • Equals one of

HTTP/2 Fingerprint

An HTTP/2.0 fingerprint generated by applying the MD5 algorithm to the original fingerprint of the HTTP/2 client. It is used to analyze and identify different clients to enable more secure and efficient communication.

  • Equals, Does not equal

  • Equals one of

IDC

Identifies the traffic source based on source IP address attribution data. Attackers in the cyber underground economy chain often use low-cost cloud servers to launch attacks.

Equals one of, Does not equal any of

Web SDK

Identifies unusual traffic based on probe data collected by the Web SDK, such as the web UMID and the number of keyboard, mouse, or touch screen events.

  • Equals

  • Value is greater than, Value is less than

App SDK

Allows for fine-grained control based on probe data collected by the App SDK.

  • Contains, Does not contain

  • Equals, Does not equal

  • Length is less than, Length is equal to, Length is greater than

  • Equals one of, Does not equal any of

  • Contains one of, Does not contain any of

  • Matches regex, Does not match regex

  • Starts with, Ends with

  • Exists, Does not exist

  • Is empty