The bot threat intelligence feature provides information about suspicious IP addresses used by dialers, on-premises data centers, and malicious scanners. This feature also maintains an IP address library of malicious crawlers. You can configure bot threat intelligence rules to prevent malicious crawlers from accessing all pages under your domain name or specific directories.
- A WAF instance is purchased, and the Bot Manager feature is enabled.
- Your website is added to WAF. For more information, see Tutorials.
- Log on to the WAF console.
- In the top navigation bar, select the resource group and the region to which the WAF instance belongs. The region can be Chinese Mainland or Outside Chinese Mainland.
- In the left-side navigation pane, choose .
- In the upper part of the Website Protection page, select the domain name for which you want to configure a whitelist.
- Click the Bot Management tab and find the Bot Threat Intelligence section. Then, turn on Status and click Settings.
  Note: After the bot threat intelligence feature is enabled, all requests destined for your website are checked by the feature. You can configure the Bot Management allowlist so that requests that match the required conditions bypass the check. For more information, see Configure a whitelist for Bot Management.
- In the Bot Threat Intelligence rule list, find the threat intelligence library that you want to use, and turn on the switch in the Status column. The following table lists the bot threat intelligence libraries that WAF supports.
In scenarios in which two-factor authentication cannot be implemented, we recommend that you configure threat intelligence rules based on the low-severity library.
IDC IP Lists: These libraries contain IP addresses of public clouds and on-premises data centers, including Alibaba Cloud, Tencent Cloud, Meituan Open Services, and 21Vianet. Attackers typically use CIDR blocks of public clouds or on-premises data centers to deploy crawlers or as proxies to access websites. Regular users rarely access websites in this way.

After you enable a default rule, WAF performs the Monitor action on requests that are initiated from IP addresses in the corresponding threat intelligence library and destined for the directories of the protected domain name. This action allows the requests to the destination directories and records the requests in logs.
If you need to modify a default rule, see the following section on how to configure a custom threat intelligence rule. For example, if you want to specify the protected URL or action, see step 7 in the following section.
- Optional: Configure a custom threat intelligence rule.
- Find the rule that you want to modify and click Edit in the Actions column.
- In the Edit Intelligence dialog box, configure the following parameters.
Protected Path: The URL that you want to protect, such as /abc, /login/abc, or a forward slash (/), which indicates all directories. You also need to select a value for Matching. Valid values:
- Precise Match: The destination URL must be an exact match of the protected URL.
- Prefix Match: The prefix of the destination URL matches the protected URL.
- Regular Expression Match: The destination URL matches the specified regular expression of the protected URL.
You can click Add Protected URL to add more URLs. You can add up to 10 URLs.
Action: The action that you want to perform after the match conditions of the rule are met. Valid values:
- Monitor: allows requests to the destination directory and records the requests in logs.
- Block: blocks requests to the destination directory.
- Captcha: requires a client to perform slider CAPTCHA verification. Requests are forwarded to the destination directory only after the client passes the verification.
  Note: Slider CAPTCHA supports only synchronous requests. To verify asynchronous requests, such as Ajax requests, contact the Alibaba Cloud security team. If you cannot determine whether the protected URL supports slider CAPTCHA, we recommend that you create an IP address or URL-based custom protection policy (ACL) to run a test. For more information, see Create a custom protection policy.
- Strict Captcha: requires a client to perform strict slider CAPTCHA verification. The request is forwarded to the destination directory only after the client passes the verification. Strict slider CAPTCHA verification has a stricter standard to verify visitor identities.
- Click OK.
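An offline dry run of a custom rule, added here as an example that is not part of the original documentation and is not WAF's own code: it models the IP library lookup and the three Matching modes to estimate which logged requests a rule would hit before its action is changed from Monitor to Block. The CIDR blocks, the requests, all function names, and the exact match semantics (plain string prefix, unanchored regular expression search) are assumptions.

```python
import ipaddress
import re

# Constructed sample data: documentation-range CIDR blocks stand in for an
# IDC IP library. The real library contents are maintained by WAF.
SAMPLE_LIBRARY = [ipaddress.ip_network(c)
                  for c in ("203.0.113.0/24", "198.51.100.0/25")]
MAX_PROTECTED_URLS = 10  # limit stated on this page


def path_matches(path, protected, mode):
    """Assumed semantics of the three Matching modes (a model, not WAF code)."""
    if mode == "precise":
        return path == protected
    if mode == "prefix":
        return path.startswith(protected)  # plain string prefix (assumption)
    if mode == "regex":
        return re.search(protected, path) is not None  # anchor it yourself
    raise ValueError(f"unknown matching mode: {mode}")


def evaluate(src_ip, path, rule, library=SAMPLE_LIBRARY):
    """Return the rule's action if the request hits the rule, else 'Pass'."""
    if len(rule["paths"]) > MAX_PROTECTED_URLS:
        raise ValueError("a rule can hold up to 10 protected URLs")
    ip = ipaddress.ip_address(src_ip)
    if not any(ip in net for net in library):
        return "Pass"  # source IP is not in the intelligence library
    if any(path_matches(path, p, m) for p, m in rule["paths"]):
        return rule["action"]
    return "Pass"  # library IP, but the path is not protected by this rule


def dry_run(requests, rule):
    """Count outcomes for (source IP, path) pairs, e.g. taken from logs."""
    counts = {}
    for src_ip, path in requests:
        outcome = evaluate(src_ip, path, rule)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


RULE = {"action": "Block", "paths": [("/login", "prefix"), ("/abc", "precise"),
                                     (r"^/api/v\d+/orders$", "regex")]}
REQUESTS = [  # constructed (source IP, path) pairs
    ("203.0.113.7", "/login/abc"),        # library IP, prefix hit
    ("203.0.113.7", "/loginhelp"),        # string prefix also hits this path
    ("198.51.100.200", "/login"),         # outside the /25, not in library
    ("198.51.100.10", "/abc/"),           # precise match needs the exact path
    ("198.51.100.10", "/api/v2/orders"),  # regex hit
    ("192.0.2.1", "/abc"),                # not in library
]
```

Under the assumed prefix semantics, /login also covers /loginhelp, which is the kind of overlap to look for in the Monitor logs before you switch a rule to Block.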