
Scan protection rules

Last Updated: Sep 23, 2024

The scan protection module detects the behavior and characteristics of automated scanners and stops attackers and scanning tools from probing your websites. Attack sources are blocked or added to the blacklist. This reduces the risk of intrusion into web services and removes the unwanted traffic that malicious scanners generate.

Create a scan protection rule

  1. Log on to the ESA console.

  2. In the left-side navigation pane, click Websites.

  3. On the Websites page, find the website that you want to manage, and click the website name or View Details in the Actions column.

  4. In the left-side navigation tree, choose Security > WAF. On the page that appears, click the Scan Protection Rules tab.

  5. On the Scan Protection Rules tab, click Create Rule Set.

    • Specify Rule Set Name.

    • If requests match: Specify the conditions for matching incoming requests. The scan protection rules only apply to the matched requests. For more information, see WAF.

    • Trigger the protection type…:

      Note

      Configure at least one of the High-frequency Scanning Blocking and Directory Traversal Blocking rules.

      • Configure a high-frequency scanning blocking rule

If a source triggers the basic protection rules of a protected object repeatedly within a short period of time, the source is added to the blacklist, and the system blocks or monitors requests from that source for the configured blocking duration.

Parameters:

        Block Object: the attack source type by which requests are counted. Cookie, header and query-string values are chosen by the client, so a scanner that rotates them is counted as many separate sources. Valid values:

        • Cookie Value Of: counts attack requests that carry a specific cookie value.

        • Header: counts attack requests that carry a specific header.

        • IP Source Address: counts attacks initiated from the same client IP address.

        • Session: counts attacks initiated over the same client session.

        • URI Query String Parameter: counts attack requests that carry a specific query-string parameter.

        Time Range (Seconds): the period of time over which HTTP requests are counted. Valid values: 5 to 1800 seconds.

        Trigger Threshold (Times): the maximum number of times that a statistical object may trigger the basic protection rules of the protected website within Time Range (Seconds). Valid values: 3 to 50000.

        Triggered Rules: the maximum number of distinct basic protection rules that a statistical object may trigger within Time Range (Seconds). This keeps a single noisy rule from blacklisting a source on its own. Valid values: 1 to 50.

        Blocking Duration (Seconds): how long requests from the source are blocked once the rule fires. Valid values: 60 to 86400 seconds.

      • Configure a directory traversal blocking rule

If a source requests a large number of non-existent directories of a protected object within a short period of time, the source is added to the blacklist, and the system blocks or monitors requests from that source for the configured blocking duration.

Parameters:

        Block Object: the attack source type by which requests are counted. The options are the same as for the high-frequency scanning blocking rule: Cookie Value Of, Header, IP Source Address, Session, and URI Query String Parameter. Cookie, header and query-string values are chosen by the client, so a scanner that rotates them is counted as many separate sources.

        Time Range (Seconds): the period of time over which HTTP requests are counted. Valid values: 5 to 1800 seconds.

        Requests: the maximum number of requests that a single object may send to a single domain name within Time Range (Seconds). Valid values: 3 to 50000.

        404 Error Rate: the maximum percentage of the object's requests within Time Range (Seconds) that may return HTTP 404. Valid values: 1 to 100 (%).

        Non-existent Directories: the maximum number of non-existent directories that an object may request within Time Range (Seconds). Requests for static files such as images are not counted as non-existent directories. Valid values: 2 to 50000.

        Blocking Duration (Seconds): how long requests from the source are blocked once the rule fires. Valid values: 60 to 86400 seconds.

      • Scanner Blocking

        WAF blocks or monitors the requests from common scanners such as sqlmap, Acunetix web vulnerability scanner (AWVS), Nessus, AppScan, WebInspect, Netsparker, Nikto, and RSAS.

• Then execute...: Select the action to take when a request hits the rule set, for example block or monitor. For more information, see WAF.

  6. Click OK.
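As an added illustration that is not ESA's own code or configuration, the following Python models the two rate-based rules configured above and replays them over constructed sample requests keyed by IP Source Address. Several details are assumptions rather than facts from this page: a rule fires only when every one of its limits is exceeded within the window, the list of static-file extensions, and the treatment of each distinct 404'd non-static path as one non-existent directory.

```python
# Added example, not ESA's own code: an in-memory model of the two rate-based
# scan protection rules, replayed over constructed sample requests. Assumed, not
# stated on the page: a rule fires only when all of its limits are exceeded within
# the window, the static-file list below, and each distinct 404'd non-static path
# counting as one non-existent directory.
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Tuple

STATIC_EXT = re.compile(r"\.(?:png|jpe?g|gif|ico|svg|css|js|woff2?)$", re.I)  # assumed list

@dataclass(frozen=True)
class Request:
    ts: float                        # epoch seconds
    ip: str                          # Block Object = IP Source Address here
    path: str
    status: int
    rule_hits: Tuple[str, ...] = ()  # basic protection rules this request triggered

@dataclass
class HighFrequencyScanBlocker:
    """Blocks a source that triggers basic protection rules too often."""
    time_range: float          # Time Range (Seconds), 5..1800
    trigger_threshold: int     # Trigger Threshold (Times), 3..50000
    triggered_rules: int       # Triggered Rules (distinct rules), 1..50
    blocking_duration: float   # Blocking Duration (Seconds), 60..86400
    _hits: Dict[str, Deque[Tuple[float, str]]] = field(default_factory=lambda: defaultdict(deque))
    _blocked_until: Dict[str, float] = field(default_factory=dict)

    def process(self, req: Request) -> bool:
        """Record the request; return True if it must be blocked."""
        if self._blocked_until.get(req.ip, 0.0) > req.ts:
            return True
        window = self._hits[req.ip]
        window.extend((req.ts, rule) for rule in req.rule_hits)
        while window and window[0][0] <= req.ts - self.time_range:
            window.popleft()                       # expire hits outside the window
        distinct = {rule for _, rule in window}
        if len(window) > self.trigger_threshold and len(distinct) > self.triggered_rules:
            self._blocked_until[req.ip] = req.ts + self.blocking_duration
            window.clear()
            return True
        return False

@dataclass
class DirectoryTraversalBlocker:
    """Blocks a source that probes many non-existent paths (mostly 404s)."""
    time_range: float
    requests: int              # Requests, 3..50000
    error_rate: float          # 404 Error Rate in %, 1..100
    nonexistent_dirs: int      # Non-existent Directories, 2..50000
    blocking_duration: float
    _reqs: Dict[str, Deque[Tuple[float, int, str]]] = field(default_factory=lambda: defaultdict(deque))
    _blocked_until: Dict[str, float] = field(default_factory=dict)

    def process(self, req: Request) -> bool:
        if self._blocked_until.get(req.ip, 0.0) > req.ts:
            return True
        window = self._reqs[req.ip]
        window.append((req.ts, req.status, req.path))
        while window and window[0][0] <= req.ts - self.time_range:
            window.popleft()
        total = len(window)
        n404 = sum(1 for _, status, _ in window if status == 404)
        missing = {p for _, status, p in window if status == 404 and not STATIC_EXT.search(p)}
        if (total > self.requests and 100.0 * n404 / total > self.error_rate
                and len(missing) > self.nonexistent_dirs):
            self._blocked_until[req.ip] = req.ts + self.blocking_duration
            window.clear()
            return True
        return False

SCAN_IP, USER_IP = "203.0.113.7", "198.51.100.2"   # constructed sample traffic: scanner and normal user
HF_SAMPLE = [Request(100 + i, SCAN_IP, "/search?q=%27%20OR%201=1", 403, ("sqli-001",))
             for i in range(6)] + [
    Request(107, SCAN_IP, "/search?q=%3Cscript%3E", 403, ("xss-002",)),  # 7 hits, 2 distinct rules: blocked
    Request(108, SCAN_IP, "/", 200),          # still blacklisted
    Request(110, USER_IP, "/", 200),          # unrelated source, unaffected
    Request(800, SCAN_IP, "/", 200),          # 600 s block has expired
]
_PROBES = [("/index.html", 200), ("/admin/", 404), ("/backup/", 404), ("/phpmyadmin/", 404),
           ("/.git/config", 404), ("/old/", 404), ("/favicon.ico", 404),  # static 404: counted in rate only
           ("/wp-login.php", 404), ("/config.php.bak", 404), ("/about", 200), ("/cgi-bin/", 404)]
DT_SAMPLE = [Request(200 + i, SCAN_IP, p, s) for i, (p, s) in enumerate(_PROBES)] + [
    Request(211, SCAN_IP, "/", 200),          # blacklisted by the 11th probe above
    Request(212, USER_IP, "/missing", 404),   # a single stray 404 is harmless
    Request(900, SCAN_IP, "/", 200),          # block expired
]

def demo_high_frequency():
    """Six hits of one rule stay within Triggered Rules=1; the second distinct rule blocks."""
    rule = HighFrequencyScanBlocker(time_range=60, trigger_threshold=5, triggered_rules=1, blocking_duration=600)
    return [rule.process(r) for r in HF_SAMPLE]

def demo_directory_traversal():
    """Blocks only once >10 requests, >50% 404s and >5 missing non-static paths coincide."""
    rule = DirectoryTraversalBlocker(time_range=60, requests=10, error_rate=50, nonexistent_dirs=5, blocking_duration=600)
    return [rule.process(r) for r in DT_SAMPLE]

if __name__ == "__main__":
    print("high-frequency:", demo_high_frequency(), "\ndirectory traversal:", demo_directory_traversal())
```

Run it directly to print the per-request decisions. The first replay shows why the Triggered Rules limit matters: six hits of the same rule never blacklist the source, but one hit of a second rule does. The second replay shows that a 404 on a static file (`/favicon.ico`) raises the 404 rate but does not count as a non-existent directory. To model the other Block Object choices, key the dictionaries on a cookie, header or query-string value instead of `req.ip`.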

Feature availability

Feature                  Basic    Standard    Advanced    Enterprise

Scan protection rules    No       5           10          20