After you add a website to Web Application Firewall (WAF), you can enable the scan protection feature for your website. After the scan protection feature is enabled, access requests from specific IP addresses are automatically blocked. These IP addresses include source IP addresses that initiate high-frequency web attacks and malicious directory traversal attacks, and IP addresses defined in common scanners or the Alibaba Cloud malicious IP library.

Prerequisites

  • A WAF instance is purchased. The instance runs the Pro edition or higher.
    Notice WAF instances of the Pro edition support only default scan protection policies. You cannot configure custom scan protection policies for WAF instances of the Pro edition. If you need to configure custom policies for Blocking IPs Initiating High-frequency Web Attacks and Directory Traversal Prevention, the instance must run the Business edition or higher.

    For more information, see Purchase a WAF instance.

  • Your website is added to WAF.

    For more information, see Tutorial.

Background information

The scan protection feature provides the following scan protection policies:

  • Blocking IPs Initiating High-frequency Web Attacks: automatically blocks client IP addresses that initiate multiple web attacks within a short period of time. You can configure custom scan protection policies and manually unblock a blocked IP address.
  • Directory Traversal Prevention: automatically blocks client IP addresses that initiate multiple directory traversal attacks in a short period of time. You can configure custom scan protection policies and manually unblock a blocked IP address.
  • Scanning Tool Blocking: automatically blocks access requests from IP addresses defined in common scanners. The scanners include sqlmap, AWVS, Nessus, AppScan, WebInspect, Netsparker, Nikto, and RSAS.
  • Collaborative Defense: automatically blocks access requests from IP addresses defined in the Alibaba Cloud malicious IP library.

Procedure

  1. Log on to the WAF console.
  2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
  3. In the left-side navigation pane, choose Protection Settings > Website Protection.
  4. In the upper part of the Website Protection page, select the domain name that you want to configure.
  5. On the Access Control/Throttling tab, find the Scan Protection section and configure the following settings:
    Note By default, all requests destined for your website are checked by the scan protection feature when any policy in this section is enabled. If you want requests that match specific conditions to bypass the check, configure the whitelist for Access Control/Throttling. For more information, see Configure a whitelist for Access Control/Throttling.
    • Blocking IPs Initiating High-frequency Web Attacks: You can enable or disable it.
      Configure the protection policy.
      1. Turn on Blocking IPs Initiating High-frequency Web Attacks.
      2. Click Settings.
      3. In the Rule Setting dialog box, specify the following parameters: Inspection Time Range, The number of attacks exceeds, and Blocked IP Addresses.

        If the number of web attacks initiated from a client IP address in the specified inspection time range exceeds a specific number, the access requests from this IP address are blocked during the specified blocking period.

        Note We recommend that you select a built-in configuration mode from Flexible Mode, Strict Mode, and Normal Mode in the Mode section. You can modify the parameters based on your requirements.
      4. Click Confirm.

      You can click Unblock IP Address to unblock IP addresses that are blocked by the policy.

    • Directory Traversal Prevention: You can enable or disable it.
      Configure the protection policy.
      1. Turn on Directory Traversal Prevention.
      2. Click Settings.
      3. In the Rule Setting dialog box, specify the following parameters: Inspection Time Range, The total requests exceed, And the percentage of responses with 404 exceeds, Blocked IP Addresses, and Directory number.

        The policy blocks access requests from a client IP address during the specified blocking period if either of the following conditions is met within the specified inspection time range: the total number of requests initiated from the IP address exceeds a specific number and the proportion of those requests for which HTTP status code 404 is returned exceeds a specific proportion; or the number of directories to which the IP address sends requests exceeds a specific number.

        Note We recommend that you select a built-in configuration mode from Flexible Mode, Strict Mode, and Normal Mode in the Mode section. You can modify the parameters based on your requirements.
      4. Click Confirm.

      You can click Unblock IP Address to unblock IP addresses that are blocked by the policy.

    • Scanning Tool Blocking: You can enable or disable it.

      After you enable Scanning Tool Blocking, the behavior of common scanners is automatically detected. If an access request matches the characteristics of a scanner, the request is blocked. If you disable Scanning Tool Blocking, scanning behavior is no longer blocked.

    • Collaborative Defense: You can enable or disable it.

      After you enable Collaborative Defense, all access requests from the IP addresses in the Alibaba Cloud malicious IP library are blocked.
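As an added illustration that is not part of this Alibaba Cloud documentation and not WAF's own implementation, the following Python sketch models how the two threshold-based policies described above (Blocking IPs Initiating High-frequency Web Attacks and Directory Traversal Prevention) can be evaluated over access-log records: a per-IP sliding inspection window, an attack counter for the first policy, and a request-volume/404-ratio test or a distinct-directory count for the second. The request fields, the policy thresholds, the block duration and the sample log entries are constructed for this example; the page does not show WAF's real parameter values or log format, and the built-in Flexible/Strict/Normal modes are not reproduced here.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

NOW = 1_700_000_000  # constructed "current time" in seconds since the epoch


@dataclass(frozen=True)
class Request:
    """One access-log record (field set chosen for this example, not WAF's format)."""
    ts: int            # request time, seconds since the epoch
    client_ip: str
    path: str          # request path, possibly with a query string
    status: int        # HTTP status code returned to the client
    web_attack: bool   # True if a web-attack rule matched this request


@dataclass(frozen=True)
class HighFrequencyPolicy:
    inspection_seconds: int   # "Inspection Time Range"
    max_attacks: int          # "The number of attacks exceeds"
    block_seconds: int        # "Blocked IP Addresses" (how long the block lasts)


@dataclass(frozen=True)
class DirectoryTraversalPolicy:
    inspection_seconds: int   # "Inspection Time Range"
    min_requests: int         # "The total requests exceed"
    max_404_ratio: float      # "And the percentage of responses with 404 exceeds" (0..1)
    max_directories: int      # "Directory number"
    block_seconds: int        # "Blocked IP Addresses"


def _window(reqs: List[Request], now: int, seconds: int) -> List[Request]:
    """Keep only the records that fall inside the inspection time range ending at now."""
    return [r for r in reqs if now - seconds < r.ts <= now]


def high_frequency_triggered(reqs: List[Request], now: int, p: HighFrequencyPolicy) -> bool:
    """Policy 1: more than max_attacks web attacks from one IP inside the window."""
    attacks = sum(1 for r in _window(reqs, now, p.inspection_seconds) if r.web_attack)
    return attacks > p.max_attacks


def directory_traversal_triggered(reqs: List[Request], now: int, p: DirectoryTraversalPolicy) -> bool:
    """Policy 2: (volume AND 404 ratio) OR distinct-directory count, inside the window."""
    window = _window(reqs, now, p.inspection_seconds)
    total = len(window)
    if total == 0:
        return False
    not_found = sum(1 for r in window if r.status == 404)
    volume_rule = total > p.min_requests and (not_found / total) > p.max_404_ratio
    # Directory = request path without its last segment (query string ignored).
    directories = {urlsplit(r.path).path.rsplit("/", 1)[0] or "/" for r in window}
    directory_rule = len(directories) > p.max_directories
    return volume_rule or directory_rule


def evaluate(requests: List[Request], now: int,
             hf: HighFrequencyPolicy, dt: DirectoryTraversalPolicy) -> Dict[str, int]:
    """Return {client_ip: block_until_ts} for every IP a policy would block at now."""
    by_ip: Dict[str, List[Request]] = defaultdict(list)
    for r in requests:
        by_ip[r.client_ip].append(r)
    blocks: Dict[str, int] = {}
    for ip, reqs in by_ip.items():
        if high_frequency_triggered(reqs, now, hf):
            blocks[ip] = now + hf.block_seconds
        elif directory_traversal_triggered(reqs, now, dt):
            blocks[ip] = now + dt.block_seconds
    return blocks


def is_blocked(blocks: Dict[str, int], ip: str, now: int) -> bool:
    """A block expires after its blocking period; an operator may also remove it early."""
    return ip in blocks and now < blocks[ip]


def sample_requests() -> List[Request]:
    """Constructed log records for four client IPs (documentation/test addresses)."""
    reqs: List[Request] = []
    # 203.0.113.10: one attack older than the window, then six attacks inside it.
    reqs.append(Request(NOW - 120, "203.0.113.10", "/login", 200, True))
    for i in range(6):
        reqs.append(Request(NOW - 50 + 5 * i, "203.0.113.10", "/search?q=x", 200, True))
    # 203.0.113.20: probes twelve directories, ten of which do not exist (404).
    for i in range(12):
        reqs.append(Request(NOW - 55 + 4 * i, "203.0.113.20", f"/backup{i}/index.php",
                            404 if i < 10 else 200, False))
    # 203.0.113.30: walks 25 existing directories, so the 404 ratio is zero.
    for i in range(25):
        reqs.append(Request(NOW - 58 + 2 * i, "203.0.113.30", f"/docs/section{i}/page.html", 200, False))
    # 198.51.100.5: an ordinary visitor.
    for i, p in enumerate(["/", "/about", "/contact"]):
        reqs.append(Request(NOW - 30 + 10 * i, "198.51.100.5", p, 200, False))
    return reqs


# Constructed thresholds; they do not correspond to any WAF built-in mode.
HF_POLICY = HighFrequencyPolicy(inspection_seconds=60, max_attacks=5, block_seconds=600)
DT_POLICY = DirectoryTraversalPolicy(inspection_seconds=60, min_requests=10,
                                     max_404_ratio=0.7, max_directories=20, block_seconds=600)


def run_example() -> Dict[str, int]:
    return evaluate(sample_requests(), NOW, HF_POLICY, DT_POLICY)


if __name__ == "__main__":
    for ip, until in sorted(run_example().items()):
        print(f"{ip} blocked until {until}")
```

The attacker at 203.0.113.10 is blocked by the first policy (the attack outside the inspection window is not counted), 203.0.113.20 by the volume-and-404 branch of the second policy, 203.0.113.30 by the distinct-directory branch, and the ordinary visitor is not blocked. Tuning the thresholds changes which branch fires, which is why the page recommends starting from a built-in mode and adjusting from there.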