Article Overview
In attack and defense scenarios, attackers often use automated tools or specific methods to scan the target for vulnerabilities and then launch targeted attacks. Deploying scan protection at an early stage raises the difficulty and cost for attackers and improves overall security effectiveness.
Scan protection includes the following two sub-features:
- Scan Tool Detection: Detects request characteristics of common scanning tools (such as AWVS, Nessus, AppScan, Rsas, and Sqlmap) and blocks requests based on these signatures.
- Repeated Violation Detection: Tracks the types and number of WAF built-in rule violations by a particular object within a specific period to identify suspicious scanning behavior, and takes the corresponding action against that object.
Configuration Scenarios
The scan protection feature is applicable to the following scenarios:
- Directly intercept requests with scanning characteristics to avoid exposing website vulnerabilities.
- Block persistent penetration attempts by malicious attackers and prevent the exploitation of unknown website vulnerabilities.
Procedure
- Log in to the Wangsu console, locate the enabled security product under your subscribed services, and click to enter.
- Go to the Protection Configuration > Security Policy page.
- Locate the domain that requires security policy configuration and click the Edit button to open the security policy editing page.
- Select the WAF > Scan Protection tab.
Enable scan tool detection
- Set the action to ‘Block’ or ‘Monitor’.
- Click Deploy to apply the configuration.
Enable repeated violation detection
- Set the action to ‘Block’ or ‘Monitor’.
- Set the statistical object; you can select ‘IP’ or ‘IP+JA3 fingerprint’.
- Set the statistical period for repeated violation detection.
- Configure the threshold for the number of WAF built-in rule types that blocked requests from each statistical object within the statistical period.
- Configure the threshold for the number of requests from each statistical object that were blocked by WAF built-in rules within the statistical period.
- Set the duration for the action to be applied.
- Click Deploy to apply the configuration.
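To show how the statistical object, period, two thresholds and action duration interact, here is a small model of repeated violation detection. It is an added example, not Wangsu's implementation. Assumptions: a sliding window, either threshold being enough to trigger the action, and constructed rule-type names, IPs and JA3 values.

```python
from collections import defaultdict, deque

class RepeatedViolationDetector:
    """Illustrative sliding-window model; class and parameter names are hypothetical."""

    def __init__(self, period, type_threshold, count_threshold,
                 action_duration, use_ja3=False):
        self.period = period                    # statistical period, seconds
        self.type_threshold = type_threshold    # distinct built-in rule types
        self.count_threshold = count_threshold  # requests blocked by built-in rules
        self.action_duration = action_duration  # how long the action applies, seconds
        self.use_ja3 = use_ja3                  # statistical object: IP or IP+JA3
        self.hits = defaultdict(deque)          # object -> deque of (ts, rule_type)
        self.penalised_until = {}               # object -> expiry timestamp

    def _key(self, ip, ja3):
        return (ip, ja3) if self.use_ja3 else (ip,)

    def is_penalised(self, ts, ip, ja3=None):
        return self.penalised_until.get(self._key(ip, ja3), 0) > ts

    def record_violation(self, ts, ip, ja3, rule_type):
        """Record one request blocked by a built-in rule.
        Returns True if the object is under the configured action afterwards."""
        key = self._key(ip, ja3)
        window = self.hits[key]
        window.append((ts, rule_type))
        while window and window[0][0] <= ts - self.period:
            window.popleft()                    # drop hits older than the period
        distinct_types = len({rule for _, rule in window})
        # Assumption: reaching either threshold triggers the action.
        if (distinct_types >= self.type_threshold
                or len(window) >= self.count_threshold):
            self.penalised_until[key] = ts + self.action_duration
        return self.is_penalised(ts, ip, ja3)

# Constructed sample: (timestamp, ip, ja3, rule type that blocked the request)
SAMPLE_EVENTS = [
    (0,   "198.51.100.7", "ja3-a", "sql_injection"),
    (5,   "198.51.100.7", "ja3-a", "xss"),
    (9,   "203.0.113.20", "ja3-b", "xss"),
    (12,  "198.51.100.7", "ja3-a", "path_traversal"),  # third distinct type
    (400, "203.0.113.20", "ja3-b", "xss"),             # earlier hit has aged out
]

def run_sample():
    det = RepeatedViolationDetector(period=60, type_threshold=3,
                                    count_threshold=10, action_duration=300)
    return [(ts, ip, det.record_violation(ts, ip, ja3, rule))
            for ts, ip, ja3, rule in SAMPLE_EVENTS]
```

With the object set to IP+JA3, the same address presenting a different TLS fingerprint is counted separately, which is worth keeping in mind when choosing between the two statistical objects.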
Disable scan tool detection
- Set the action to ‘Not Used’.
- Click Deploy to apply the configuration.
Disable repeated violation detection
- Set the action to ‘Not Used’.
- Click Deploy to apply the configuration.