Configure scan protection rules - Web Application Firewall

After you add your web services to Web Application Firewall (WAF), you can configure scan protection rules to identify the scanning behavior and the characteristics of scanners to prevent attackers or scanners from scanning websites on a large scale. This helps reduce the risk of intrusions for web services and block invalid scanning traffic. This topic describes how to create a scan protection rule.

Background information

The following types of scan protection rules can be created:

High-frequency Scanning Blocking: If a source triggers basic protection rules of a protected object multiple times within a short period of time, the source is added to the blacklist. WAF blocks or monitors the requests from the source within a specific period of time.
Directory Traversal Blocking: If a source accesses a large number of non-existent directories of a protected object within a short period of time, the source is added to the blacklist. WAF blocks or monitors the requests from the source within a specific period of time.
Scanner Blocking: Common scanners are added to the blacklist. The scanners include sqlmap, Acunetix web vulnerability scanner (AWVS), Nessus, HCL AppScan, WebInspect, Netsparker, Nikto, and RSAS. WAF blocks or monitors the requests from the scanners.

Prerequisites

A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
Web services are added to WAF 3.0 as protected objects. For more information, see Protected objects and protected object groups.

Create a scan protection rule template

WAF does not provide a default scan protection rule template. Before you can enable a scan protection rule, you must create a scan protection rule template.

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose Protection Configuration > Protection Rules.
In the lower part of the Protection Rules page, click Create Template in the Scan Protection section.
Note
If no scan protection rule templates exist, you can click Configure Now in the Scan Protection card in the upper part of the Protection Rules page.

In the Create Template - Scan Protection panel, configure the parameters and click OK. The following table describes the parameters.

Parameter	Description
Template Name	Specify a name for the template. The name of the template must be 1 to 255 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-).
Save as Default Template	Specify whether to set this template as the default template of the protection module. You can set only one default template for a protection module. If you turn on Save as Default Template, you do not need to configure the Apply To parameter. The default template is applied to all protected objects and protected object groups to which no protection templates are applied.
Rule Configuration	Create a scan protection rule. The scan protection rule template supports only one set of rules. The rule set consists of the following types of rules: High-frequency Scanning Blocking If you turn on High-frequency Scanning Blocking, the following configurations automatically take effect: If an IP address (Statistical and Blocked Object) triggers the basic protection rules of a protected object more than 20 times (Trigger Threshold) and triggers more than 2 (Maximum Number of Triggered Rules) protection rules in 60 seconds (Time Range), the IP address is added to the blacklist and remains in the blacklist for 1,800 seconds (Blocking Period). WAF blocks or monitors requests that are sent from the IP address. To modify the rule configurations, click Advanced Settings. Statistics and Blocked Objects IP Address: collects the frequency at which attacks are initiated from the same client IP address. Session: collects the frequency at which attacks are initiated during different sessions from the same client. Note WAF uses the `setcookie()` function to insert cookies that start with `acw_tc` in responses. This way, sessions from different clients are easy to identify. Custom: collects the frequency at which attacks are initiated by objects that have the same request characteristics. To specify request characteristics, you can use one of the following methods: Custom Header: collects the frequency of attack requests that contain a specified header. Custom Parameter: collects the frequency of attack requests that contain a specified parameter. Custom Cookie: collects the frequency of attack requests that contain a specified cookie. Rule Details You can change the values of the following parameters: Time Range, Trigger Threshold, Blocking Period, and Maximum Number of Triggered Rules. Directory Traversal Blocking If you turn on Directory Traversal Blocking, the following configurations automatically take effect: If an IP address (Statistical and Blocked Object) requests a protected object more than 50 times (Maximum Number of Requests) and accesses more than 50 (Maximum Number of Non-existent Directories) non-existent directories in 10 seconds (Time Range), and HTTP 404 status codes comprise of 70% (HTTP 404 Status Code Percentage) of the status codes that are returned in responses, the IP address is added to the blacklist. WAF blocks or monitors requests that are sent from the IP address. To modify the rule configurations, click Advanced Settings. Statistics and Blocked Objects IP Address: collects the frequency at which attacks are initiated from the same client IP address. Session: collects the frequency at which attacks are initiated during different sessions from the same client. Note WAF uses the `setcookie()` function to insert cookies that start with `acw_tc` in responses. This way, sessions from different clients are easy to identify. Custom: collects the frequency at which attacks are initiated by objects that have the same request characteristics. To specify request characteristics, you can use one of the following methods: Custom Header: collects the frequency of attack requests that contain a specified header. Custom Parameter: collects the frequency of attack requests that contain a specified parameter. Custom Cookie: collects the frequency of attack requests that contain a specified cookie. Rule Details You can change the values of the following parameters: Time Range, Maximum Number of Requests, HTTP 404 Status Code Percentage, Blocking Period, and Maximum Number of Non-existent Directories. Scanner Blocking If you turn on Scanner Blocking, common scanners are added to the blacklist. The scanners include sqlmap, AWVS, Nessus, HCL AppScan, WebInspect, Netsparker, Nikto, and RSAS. WAF blocks or monitors requests from the scanners.
Action	Specify the action that you want WAF to perform on the requests that match the rule. Valid values: Block: blocks the requests that match the rule and returns a block page to the client. Note By default, WAF uses a unified block page. You can use the custom response feature to configure a custom block page. For more information, see Configure custom response rules to configure custom block pages. Monitor records the requests that match the rule in logs without blocking the requests. You can query logs about requests that match the rule and analyze the protection performance. For example, you can check whether normal requests are blocked based on logs. Important You can query logs only when Simple Log Service is enabled for WAF. For more information, see Enable or disable Simple Log Service for WAF. If you select Monitor, you can perform a dry run on the rule to check whether the rule blocks normal requests. If the rule passes the dry run, you can set the Action parameter to Block based on your business requirements. Note On the Security Reports page, you can query the details of matched rules in Monitor mode or Block mode. For more information, see Security reports.
Apply To	Select the protected objects and protected object groups to which you want to apply the template. You can apply only one template of a protection module to a protected object or a protected object group. For information about how to associate protected objects and protected object groups with the template, see Protected objects and protected object groups.

By default, the new scan protection rule template is enabled. You can perform the following operations in the rule template list:

View the number of protected objects or protected object groups that are associated with the template.
Turn on or turn off the switch in the Status column to enable or disable the template.
Click Edit or Delete in the Actions column to modify or delete the template.
Click the icon to the left of the template name to view and manage the rules in the template.
- Unblock an IP address: Click Unblock IP Address to unblock an IP address that is blocked by the protection rule.
  Important
  - You can unblock only IP addresses that are blocked by high-frequency scanning blocking or directory traversal blocking rules.
  - You can unblock IP addresses only when the rule and the template are enabled.

What to do next

On the Scan Protection tab of the Security Reports page, you can view the protection details of scan protection rules. For more information, see IP address blacklist, custom rule, scan protection, HTTP flood protection, and region blacklist modules.

References

Protection configuration overview: describes protected objects, protection modules, and protection process.
CreateDefenseTemplate: creates a protection template.
CreateDefenseRule: creates a protection rule. When you call this operation to create a scan protection rule, you must set the DefenseScene parameter to antiscan.