CC Protection Settings

Last updated: 2020-12-21 15:35:32

    Feature Overview

    CC protection can safeguard the access to specified URLs. CC protection settings 2.0 is upgraded with smart CC protection and custom CC rules. Smart CC protection can perform big data analysis on websites' access history and their real servers' exceptional response such as timeout and response delay to generate protection policies for emergencies, blocking frequent access requests in real time. Custom CC rules support customizing protection rules based on user access source IPs or SESSION frequency to handle access by blocking, setting alarms, or CAPTCHA.

    Note:

    • Smart CC protection and custom CC rules cannot be enabled at the same time.
    • SESSION must be set before using the session-based CC protection policy.

    Configuration Steps

    Example 1. Smart CC protection configuration

    Smart CC protection is disabled by default. Before enabling it, please make sure that the custom CC rules feature is disabled.

    1. Log in to the WAF Console, select Web Application Firewall > Defense settings on the left sidebar, find the target domain name in the Domain Name List, and click Defense configuration.
    2. Click CC protection settings 2.0 to configure smart CC protection.

    Configuration item description:
    Status switch: after smart CC protection is enabled, if a website is under massive CC attacks (with a website QPS of 1,000 or above), the protection will be automatically triggered. If there are no specific protection paths, we recommend you enable smart CC protection. As there may be some false alarms, you can click IP management > IP Blocking On/Off on the left sidebar to view the information of blocked IPs and handle them in time.

    Note:

    If there are specific protection paths, we recommend you use custom CC rules.

    Example 2. Access source IP-based CC defense settings

    An IP-based CC protection policy can be directly configured without setting SESSION.

    1. Log in to the WAF Console, select Web Application Firewall > Defense settings on the left sidebar, find the target domain name in the Domain Name List, and click Defense configuration.

    2. Click CC protection settings 2.0 > Add a Rule.

    3. Enter the rule details in the pop-up window.

      • Configuration item description:
      • Recognition Mode: "IP" or "SESSION".
      • Condition: "equal", "prefix matches with", or "includes".
      • Advanced match: filters access with GET and POST form parameters to control the frequency in a more refined manner and increase the hit rate.
        • Field: specifies the request method, which can be GET or POST.
        • Parameter name: parameter name in a request field, which can contain up to 512 characters.
        • Parameter value: parameter value in a request field, which can contain up to 512 characters.
        • Note:* the 3 test entries for GET request are as follows: a=1&b=11, a=2&b=12, and a=&b=13.
          • If the parameter name of a GET configuration is a, and the parameter value is 1, then 1 will be hit.
          • If the parameter name of a GET configuration is a, the parameter value is \*, then 1, 2, and 3 will be hit.
      • Access frequency: sets the access frequency based on actual business requirements. We recommend you set a value 3 to 10 times the normal access frequency. For example, if your website is accessed 20 times per minute per visitor, you can set the access frequency to 60 to 200 times per minute, which can be further adjusted based on the attack severity.
      • Action: "Observation", "Verify identity", or "Block".
      • Punishment period: 1 minute to 1 week.
      • Priority: enter an integer between 1 to 100. A smaller integer indicates a higher action priority for this rule. When the priority is the same, the later a rule is created, the higher its priority.
    4. You can select a created rule and disable, modify, or delete it.

    5. Conduct test CC attacks based on the rule settings.

    6. View real-time IP blocking information. Click IP management > IP Blocking On/Off on the left sidebar to view the information of blocked IPs in real time and add these IPs to the blocklist or allowlist as needed.

    Example 3. Session-based CC defense settings

    CC protection based on session access frequency effectively resolves false positive problems that may occur when the same IP egress is used by multiple users in office buildings, stores, supermarkets, and other public Wi-Fi networks.

    1. Log in to the WAF Console, select Web Application Firewall > Defense settings on the left sidebar, find the target domain name in the Domain Name List, and click Defense configuration.

    2. Click CC protection settings 2.0 > Settings to set SESSION information.

    3. On the SESSION Settings page, enter the required information. In this example, a cookie is used as the test object, whose ID is security, start position is 0, and end position is 9. After completing the settings, click Set.

      • Configuration item description:
      • SESSION Position: "COOKIE", "GET", or "POST". Here, GET and POST are HTTP request content parameters rather than HTTP header information.
      • Note: "Position Match" or "String Match".
      • SESSION ID: session ID.
      • Start Position: position where string or position match starts.
      • End Position: position where string or position match ends.
      • GET/POST example:
        Assume that the complete parameter content in a request is key_a = 124&key_b = 456&key_c = 789, then:
      • In string match mode, if the session ID is key_b = and the end character is &, then the matched content will be 456.
      • In position match mode, if the session ID is key_b, the start position is 0, and the end position is 2, then the matched content will be 456.
      • COOKIE example:
        Assume that the complete cookie content in a request is cookie_1 = 123;cookie_2 = 456;cookie_3 = 789, then:
      • In string match mode, if the session ID is cookie_2 = and the end character is ;, then the matched content will be 456.
      • In position match mode, if the session ID is cookie_2, the start position is 0, and the end position is 2, then the matched content will be 456.
    4. Click Test to test the session information.

    5. Go to the SESSION Settings page and set the content to security = 0123456789. Then, WAF will use the 10 characters following security as the session ID. You can also delete or reconfigure the session information.

    6. Set a session-based CC protection policy as instructed in example 1, but select "SESSION" as the recognition mode.

    7. After the configuration is completed, the session-based CC protection policy will take effect.

      Note:

      If you use session-based CC protection, you cannot view IP blocking information in the IP blocking status section.

    Next: Anti-Tampering

    Was this page helpful?

    Was this page helpful?

    • Not at all
    • Not very helpful
    • Somewhat helpful
    • Very helpful
    • Extremely helpful
    Send Feedback
    Help