After you add your web services to Web Application Firewall (WAF), you can configure scan protection rules to identify the scanning behavior and the characteristics of scanners to prevent attackers or scanners from scanning websites on a large scale. This helps reduce the risk of intrusions for web services and block invalid scanning traffic. This topic describes how to create a scan protection rule.

Background information

The following types of scan protection rules can be created:
  • High-frequency Scanning Blocking: If a source triggers the basic protection rules of a protected object multiple times in a short period of time, the source is added to the blacklist. WAF blocks or monitors requests that are sent from the source.
  • Directory Traversal Blocking: If a source accesses a large number of non-existent directories of a protected object in a short period of time, the source is added to the blacklist. WAF blocks or monitors requests from the source.
  • Scanner Blocking: Common scanners are added to the blacklist. The scanners include sqlmap, Acunetix web vulnerability scanner (AWVS), Nessus, HCL AppScan, WebInspect, Netsparker, Nikto, and RSAS. WAF blocks or monitors requests that are sent from the scanners.

Prerequisites

Create a scan protection rule template

WAF does not provide a default scan protection rule template. Before you can enable a scan protection rule, you must create a scan protection rule template.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance that you want to manage belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
  2. In the left-side navigation pane, choose Protection Configuration > Protection Rules.
  3. In the lower part of the Protection Rules page, click Create Template in the Scan Protection section.
    Note If no scan protection rule templates exist, you can click Configure Now in the Scan Protection card in the upper part of the Protection Rules page.
  4. In the Create Template - Scan Protection panel, configure the parameters and click OK. The following table describes the parameters.
    Template Name: Enter a name for the template.

    The name must be 1 to 255 characters in length, and can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    Save as Default Template: Specify whether to set this template as the default template for the protection module.

    You can specify only one default template for a protection module. If you turn on Save as Default Template, you do not need to configure the Apply To parameter. The default template is applied to all protected objects and protected object groups to which no custom protection rule templates are applied.

    Rule Configuration: Create a scan protection rule. The scan protection template supports only one set of rules. The rule set consists of the following types of rules:
    • High-frequency Scanning Blocking

      If you turn on High-frequency Scanning Blocking, the following configurations automatically take effect: If an IP address (Statistical and Blocked Object) triggers the basic protection rules of a protected object more than 20 times (Trigger Threshold) and triggers more than two protection rules (Maximum Number of Triggered Rules) in 60 seconds (Time Range), the IP address (Statistical and Blocked Object) is added to the blacklist and remains in the blacklist for 1,800 seconds (Blocking Period). WAF blocks or monitors requests that are sent from the IP address (Statistical and Blocked Object).

      To modify the rule configurations, click Advanced Settings.
      • Statistical and Blocked Object
        • IP: collects the frequency at which attacks are initiated from the same client IP address.
        • Session: collects the frequency at which attacks are initiated during different sessions from the same client.
          Note WAF uses the setcookie() function to insert cookies that start with acw_tc in responses. This way, sessions from different clients are identified.
        • Custom: collects the frequency at which attacks are initiated by objects that have the same request characteristics.
          You can use one of the following methods to specify request characteristics:
          • Custom Header: collects the frequency of attack requests that contain a specified header.
          • Custom Parameter: collects the frequency of attack requests that contain a specified parameter.
          • Custom Cookie: collects the frequency of attack requests that contain a specified cookie.
      • Rule Details

        You can change the values of the following parameters: Time Range, Trigger Threshold, Blocking Period, and Maximum Number of Triggered Rules.

    • Directory Traversal Blocking

      If you turn on Directory Traversal Blocking, the following configurations automatically take effect: If an IP address (Statistical and Blocked Object) requests a protected object more than 50 times (Maximum Number of Requests) and accesses more than 50 non-existent directories (Maximum Number of Non-existent Directories) in 10 seconds (Time Range), and HTTP 404 status codes account for 70% (HTTP 404 Status Code Percentage) of the status codes that are returned in responses, the IP address (Statistical and Blocked Object) is added to the blacklist. WAF blocks or monitors requests that are sent from the IP address (Statistical and Blocked Object).

      To modify the rule configurations, click Advanced Settings.
      • Statistical and Blocked Object
        • IP: collects the frequency at which attacks are initiated from the same client IP address.
        • Session: collects the frequency at which attacks are initiated during different sessions from the same client.
          Note WAF uses the setcookie() function to insert cookies that start with acw_tc in responses. This way, sessions from different clients are identified.
        • Custom: collects the frequency at which attacks are initiated by objects that have the same request characteristics.
          You can use one of the following methods to specify request characteristics:
          • Custom Header: collects the frequency of attack requests that contain a specified header.
          • Custom Parameter: collects the frequency of attack requests that contain a specified parameter.
          • Custom Cookie: collects the frequency of attack requests that contain a specified cookie.
      • Rule Details

        You can change the values of the following parameters: Time Range, Maximum Number of Requests, HTTP 404 Status Code Percentage, Blocking Period, and Maximum Number of Non-existent Directories.

    • Scanner Blocking

      If you turn on Scanner Blocking, common scanners are added to the blacklist. The scanners include sqlmap, AWVS, Nessus, HCL AppScan, WebInspect, Netsparker, Nikto, and RSAS. WAF blocks or monitors requests from the scanners.

    Action: Specify the action that you want WAF to perform on the request that matches the protection rule. Valid values:
    • Block: blocks the requests that match the rule and returns a block page to the client that initiated the requests.
      Note By default, WAF returns a preconfigured block page. You can use the custom response feature to configure a custom block page. For more information, see Configure custom response rules to configure custom block pages.
    • Monitor: records requests that match the rule in logs without blocking the requests. You can query logs of requests that match the rule and analyze the protection performance. For example, you can check whether normal requests are blocked based on the logs.
      Important You can query logs only if the Log Service for WAF feature is enabled. For more information, see Enable Log Service for WAF.

      If you select Monitor, you can check the protection performance of the rule. You can also check whether the rule blocks normal requests. Then, you can determine whether to set the Action parameter to Block.

    Note On the Security Reports page, you can query the details of matched rules in Monitor mode or Block mode. For more information, see Security reports.
    Apply To: Select the protected objects and protected object groups to which you want to apply the template.

    You can apply only one template of a protection module to a protected object or a protected object group. For information about how to add protected objects and protected object groups, see Protected objects and protected object groups.

    By default, the new rule template is enabled. You can perform the following operations in the rule template list:
    • View the number of protected objects or protected object groups that are associated with the rule template.
    • Turn on or turn off Status to enable or disable the rule template.
    • Click Edit or Delete in the Actions column to modify or delete the rule template.
    • Click the show icon on the left side of a rule template to view the rules in the template.
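The following Python is an added illustration, not code from WAF or this documentation: it models how the High-frequency Scanning Blocking and Directory Traversal Blocking rules evaluate a source against the default thresholds quoted above (sliding time window, trigger counts, distinct rules, 404 ratio). The event fields, rule identifiers and sample traffic are constructed assumptions; WAF's internal counting semantics are not published here.

```python
from collections import defaultdict, deque

# Default thresholds quoted on this page for the two rate-based rule types.
HF_WINDOW, HF_TRIGGERS, HF_RULES, HF_BLOCK = 60, 20, 2, 1800   # seconds, hits, rules, seconds
DT_WINDOW, DT_REQUESTS, DT_DIRS, DT_404_PCT = 10, 50, 50, 70    # seconds, requests, dirs, percent


def high_frequency_hits(events):
    """events: (timestamp, client_ip, rule_id or None), time-ordered per source.
    rule_id is the (assumed) basic protection rule a request triggered.
    Returns {ip: block_until_timestamp} for sources that exceed the thresholds."""
    blocked, recent = {}, defaultdict(deque)
    for ts, ip, rule in events:
        if rule is None or ip in blocked:
            continue                          # no rule triggered / already blacklisted
        q = recent[ip]
        q.append((ts, rule))
        while ts - q[0][0] > HF_WINDOW:       # drop hits outside the sliding window
            q.popleft()
        if len(q) > HF_TRIGGERS and len({r for _, r in q}) > HF_RULES:
            blocked[ip] = ts + HF_BLOCK       # blacklisted for the Blocking Period
    return blocked


def directory_traversal_hits(events):
    """events: (timestamp, client_ip, path, http_status), time-ordered per source.
    Returns the set of IPs exceeding the request count, distinct-404-path count
    and 404 percentage thresholds inside the window."""
    flagged, recent = set(), defaultdict(deque)
    for ts, ip, path, status in events:
        q = recent[ip]
        q.append((ts, path, status))
        while ts - q[0][0] > DT_WINDOW:
            q.popleft()
        not_found = [p for _, p, s in q if s == 404]
        pct_404 = 100 * len(not_found) / len(q)
        if len(q) > DT_REQUESTS and len(set(not_found)) > DT_DIRS and pct_404 >= DT_404_PCT:
            flagged.add(ip)
    return flagged


# Constructed sample traffic (not real logs): one noisy source, one normal client.
HF_SAMPLE = [(i, "203.0.113.5", f"rule-{i % 3}") for i in range(25)] + \
            [(i, "198.51.100.9", "rule-0" if i % 10 == 0 else None) for i in range(60)]
DT_SAMPLE = [(i * 0.1, "203.0.113.5", f"/admin{i}/", 404) for i in range(60)] + \
            [(i, "198.51.100.9", "/index.html", 200) for i in range(10)]

if __name__ == "__main__":
    print(high_frequency_hits(HF_SAMPLE))       # {'203.0.113.5': 1820}
    print(directory_traversal_hits(DT_SAMPLE))  # {'203.0.113.5'}
```

Running the rules in Monitor mode first, as the Action description recommends, is the practical way to confirm that a threshold such as the 404 percentage does not catch legitimate clients.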

What to do next

On the Scan Protection tab of the Security Reports page, you can view the protection details of scan protection rules. For more information, see IP address blacklist, custom rule, scan protection, HTTP flood protection, and region blacklist modules.
