Mitigate Web Scanning Tutorial

There are many scanner tools published on the Internet, and less technical requirements are required to lunch a scanning activiy, therefore the cost is very low. Attackers can easily utilize automated tools to quickly scan the target network for open ports and vulnerabilities for potential attacks.

Scenario 1: Web vulnerability scanning protection

Example: The website www.new.com is a newly launched website, so many attackers are trying to scan vulnerabilities. To prevent potential attacks, a combanition WAF protection policies should be applied, including:

1. Blocking client IP directly for 10 minutes if it is denied by WAF managed rules for more than 5 times within 10 seconds.
2. Denying client IP requests for 10 minutes if the received number of response code 404 is more than 100 times within 10 seconds.

By default, WAF managed rules can recognize the scan behaviors and scanner characteristics, just need to confirm the WAF protection is enabled. Other policies can be configured as follow:

Mitigation 1 - Configure attacker IP punishment

Directly blocking scanner IP to prevent website vulnerabilities from being exposed.

1. Create attacker IP punishment rule

1. Navigate to the Security > Policies
2. Find the hostname “www.new.com”, click .
3. Go to WAF > Attacker IP Punishment tab.
4. Confirm Protection Mode is Block.

2. Configure and enable the rule

1. Configure Match Conditions: select Object as “All Paths”, or you can specify the pathes you want to protect.
2. Configure Trigger Condition: “Within 10 seconds", client IP is blocked by WAF managed rules of “Select all the WAF attack types” for more than “5 times”.
3. Configure Action Expiration Time “10 minutes”.
4. Configure Action as “Deny”.
5. Click Public Change, then Publish to Protection.

Mitigation 2 - Configure response code rate limiting

1. Create rate-liming rule

1. Navigate to the Security > Policies.
2. Find the hostname “www.new.com”, click .
3. Go to Rate Limiting tab.
4. Click Create below the part Rules for Current Hostname, or you can Go to Shared Configuration page if you plan to apply the policy to multiple hostnames.

2. Configure and enable the rule

1. Configure Protected Target: select “Website”.

2. Configure Match Conditions: select Object as “Response Code”, Operatoer as “equals”, and type the content “404”.

3. Configure Counts: select Client Identifier as “Client IP”, Thigger Condition as “Within 10 seconds, the 100th request starts the action.”, Action as “Deny”, and set the Action Expiration Time “600 seconds”, finally set the Effective Time Period as “All Time”.

4. Click Confirm to create this rule.

5. Click Public Change, then Publish to Protection.