Protection

How to Set Up Traffic Protection and Filtering: Sensors, Lists, and Advanced Rules

Once the service is activated, it will appear on the main page of your account as well as under the My Services section. To begin configuring it, just click on the service name, and you’ll be directed to the settings panel.

In the settings, locate the object you wish to configure and click on its row, where you’ll see a small graph thumbnail.

In the left menu, select the Protection item.

On the page that opens, you can configure the parameters:

Protection mode

  1. Sensor

The sensor monitors the total number of requests, spikes, and errors while the filters remain in a passive state. If an attack is detected, the sensor activates the filters to suppress it. The sensor’s response time typically does not exceed 1 minute, but it may vary depending on the intensity of the attack.

  2. Redirect

For visitor requests, additional redirection to the requested location is applied.

  3. JS validation

For requests from regular IP addresses, validation is performed using JavaScript.

  4. JS advanced validation

For requests from regular IP addresses, advanced validation using JavaScript is applied.

  5. Captcha

A request to the site will require passing a Captcha for validation.

Proactive protection

The protection is based on the use of a positive usage model. Any users whose behavior does not conform to this model can be blocked or subjected to additional checks (depending on the settings established).

When proactive protection is activated in sensor mode, requests are not filtered wholesale; instead, each new visitor is checked against many parameters:

  • Visited site locations;
  • Whether keepalive connections were used;
  • Presence of attacks on other sites;
  • Whether request limits are exceeded;
  • Which User Agents are used;
  • Other signs.

If violations are detected, the user’s behavior is monitored. Selective validation makes it possible to avoid switching the entire configuration into active mode.

To enhance security, you can limit user session duration. Shorter session lifetimes reduce the window of opportunity for unauthorized actions if someone gains illicit access to the resource.

When the configured time elapses, users will be re-authenticated. By default, this parameter is set to 30 minutes.

Clicking the Generate new security key button will require all active users to revalidate their sessions.

Note: The lifetime of cookies used by the security system does not affect website session durations. The system makes no modifications to the website’s original cookies.

Whitelist

Requests from the addresses specified here will be transmitted without filtering.

Click on the Add IP button and fill out the form to add a new address to the list. You can also upload addresses as a “.txt” file, with each address on a separate line.

You can add addresses one at a time (for example, 8.8.8.8) or enter a network with a mask into the list (for example, 8.8.8.0/24).

Blacklist

A user with an address from this list will receive an “HTTP 403 Forbidden” error when trying to access your resource. You can add a new address to the list in a manner similar to the Whitelist.
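Because whitelisted addresses pass without filtering, it is worth checking a list before uploading it. The following is an added example, not part of the service or its tooling: it parses the one-entry-per-line format described above, flags malformed lines and very broad networks, and reports whitelist entries that overlap the blacklist. The `MIN_PREFIX` policy and the sample lists are assumptions made for illustration.

```python
import ipaddress

MIN_PREFIX = {4: 16, 6: 32}  # assumed policy: broader networks need manual review


def parse_list(text):
    """Parse the upload format (one address or network per line).

    Returns (networks, errors); errors are (line_number, line, message) tuples.
    """
    networks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            # strict=True rejects host bits, e.g. 8.8.8.8/24 instead of 8.8.8.0/24
            networks.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            errors.append((lineno, line, str(exc)))
    return networks, errors


def review(whitelist_text, blacklist_text):
    """Return findings as (kind, detail) tuples for a planned whitelist upload."""
    white, errors = parse_list(whitelist_text)
    black, _ = parse_list(blacklist_text)
    findings = [("invalid", f"line {n}: {line}") for n, line, _ in errors]
    for net in white:
        if net.prefixlen < MIN_PREFIX[net.version]:
            findings.append(("too_broad", str(net)))
        for blocked in black:
            if net.version == blocked.version and net.overlaps(blocked):
                findings.append(("conflict", f"{net} overlaps blacklisted {blocked}"))
    return findings


# Constructed sample lists (documentation ranges plus the page's 8.8.8.0/24).
WHITELIST = "8.8.8.0/24\n203.0.113.7\n198.51.100.9/24\n10.0.0.0/8\nnot-an-ip\n"
BLACKLIST = "8.8.8.128/25\n192.0.2.0/24\n"

if __name__ == "__main__":
    for kind, detail in review(WHITELIST, BLACKLIST):
        print(f"{kind:10} {detail}")
```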

Greylist

For individual IPs or subnets specified in this list, you can assign a unique protection method, different from that for other addresses. You can add a new address to the list following the same procedure as for the Whitelist.

Geolocation Filter

Here, you can restrict access to your resource based on the visitor’s country of origin.

Click on the Add country button and fill out the form. The countries are provided in a dropdown list.

You can add no more than 15 countries to one rule when using L3 and L7 filtering without SSL decryption. For L7 filtering with SSL decryption, there is no restriction on the number of countries.

All added parameters will appear on the form. You can assign a specific protection level to any countries selected from the added list.

The protection level escalates incrementally from the current state:

  • SENSOR
  • REDIRECT
  • JS
  • JSA
  • CAPTCHA

Example

If the current protection method is REDIRECT:

  • Selecting “Increase protection by 1 point” will switch to JS
  • Selecting “Increase protection by 2 point” will activate JSA

Exceptions by location

    For certain requests, it is possible to disable the use of interactive checks. For example, if only bots or mobile applications access a specific server resource, having a check in place could lead to disruptions in the client service’s operation. Specify such local resources in the Location Exceptions section.

    A request is treated as whitelisted if its path on your resource contains a segment specified in this setting.

    For example, when adding the path “/location” to the whitelist, requests such as the following will be executed without additional checks:

    • site.com/location
    • site.com/location/
    • site.com/location.php
    • site.com/location.php?id=123
    • site.com/admin/location

    Meanwhile, requests such as the following will be processed according to general rules:

    • site.com/some-other-location
    • site.com/en_location.php

    Click on the Add location button and fill out the form that appears.
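The examples above are consistent with a plain substring match on the request path, which means a short exception can exempt more of the site than intended. The following added example (not the service's own code) models that matching, assumed from the examples on this page, and audits a constructed URL inventory for a hypothetical site against a planned exception; all function names and the inventory are illustrative.

```python
from urllib.parse import urlsplit

# URLs the page lists as exempt for "/location", and the two it lists as not exempt.
PAGE_EXEMPT = ["site.com/location", "site.com/location/", "site.com/location.php",
               "site.com/location.php?id=123", "site.com/admin/location"]
PAGE_CHECKED = ["site.com/some-other-location", "site.com/en_location.php"]


def request_path(url):
    """Return the path component of a URL given with or without a scheme."""
    if "//" not in url:
        url = "//" + url  # let urlsplit treat "site.com" as the host
    return urlsplit(url).path or "/"


def matching_exception(url, exceptions):
    """Assumed model: an exception matches when it occurs anywhere in the path."""
    path = request_path(url)
    for exc in exceptions:
        if exc in path:
            return exc
    return None


def audit(exceptions, inventory):
    """inventory maps URL -> True if it is meant to skip interactive checks.

    Returns (url, matched_exception_or_None) for every URL whose modelled
    behaviour differs from the intent.
    """
    surprises = []
    for url, intended in sorted(inventory.items()):
        matched = matching_exception(url, exceptions)
        if (matched is not None) != intended:
            surprises.append((url, matched))
    return surprises


# Constructed inventory: only the API used by a mobile app should be exempt.
INVENTORY = {
    "site.com/api/v1/orders": True,
    "site.com/api/v1/orders?id=7": True,
    "site.com/admin/api-keys": False,
    "site.com/apidocs": False,
    "site.com/login": False,
}

if __name__ == "__main__":
    for exc in ("/api", "/api/"):
        print(exc, audit([exc], INVENTORY))
```

Under this model the exception “/api” also exempts the admin and documentation paths, while “/api/” exempts only the intended ones; confirm the behaviour against your own resource before relying on it.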

    You can create rules to block requests with a specific header as well as rules that allow them.

    This functionality will be relevant when using APIs (requests are made by a separate application). You can specify either a single header or a combination of several.

    Click on the Add rule button and fill out the form.

    Location filter

    You can set up filtering for different locations of your resource.

    Click on the Add rule button and complete the form.

    Advanced settings

    Experienced users can independently configure a wide range of sensor parameters.

    You have the option to configure:

    • L7 sensor setting

    In the first column, you can adjust parameters for attack detection:

    • Traffic Increase: The factor by which the number of requests must increase over a short period of time to switch to active protection mode.

    For example, the number “3” in this field will mean that the protection will be activated if the number of requests triples over the last 15 minutes.

    • Errors Part: The percentage of erroneous requests that, once reached, will trigger the filters to switch to active mode.

    For example, the number “30” in this field means that if the proportion of errors with “500” series codes exceeds the set value (30%), protective measures will be activated.

    • Set Min RPS: The value below which “Traffic Increase” and “Errors Part” checks will not be performed.
    • Max RPS Threshold: The number of requests that, when exceeded, triggers the switch to active mode.
    • Max Attack Lifetime (sec): The time after the start of an attack after which the filter will attempt to switch back to sensor mode.

    Here, you can specify the duration for which countermeasures against an attack are activated upon its detection, regardless of whether it has ceased or is continuing. This is a relevant parameter for combating attacks that are sporadic over time.

    • Max Defence Status: The maximum type of protection during automatic trigger operations.
    • Start Defence Status: The type of protection that will be set when the filter initially switches from sensor mode to active mode.
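Before changing the detection thresholds, it helps to replay past traffic against them and see which legitimate peaks would switch the filters to active mode. The following added example (not the service's implementation) models the four detection parameters as described above; the order of the checks, the use of the RPS 15 minutes earlier as the baseline, and all sample values are assumptions.

```python
from dataclasses import dataclass


@dataclass
class SensorConfig:  # fields mirror the page's labels; default values are constructed
    traffic_increase: float = 3.0     # "Traffic Increase" factor
    errors_part: float = 30.0         # "Errors Part", percent of 5xx responses
    min_rps: float = 20.0             # "Set Min RPS"
    max_rps_threshold: float = 500.0  # "Max RPS Threshold"


def trigger_reason(rps, baseline_rps, error_pct, cfg):
    """Return why the modelled sensor would switch to active mode, or None."""
    if rps > cfg.max_rps_threshold:
        return "max_rps"
    if rps < cfg.min_rps:
        return None  # below Min RPS the two relative checks are not performed
    if baseline_rps > 0 and rps >= cfg.traffic_increase * baseline_rps:
        return "traffic_increase"
    if error_pct > cfg.errors_part:
        return "errors_part"
    return None


def replay(samples, cfg):
    """samples: (label, rps, rps 15 minutes earlier, percent of 5xx) tuples."""
    return {label: trigger_reason(rps, base, err, cfg)
            for label, rps, base, err in samples}


# Constructed traffic history for a hypothetical site.
SAMPLES = [
    ("night batch job", 12, 2, 50.0),   # 6x growth and many errors, but tiny volume
    ("newsletter peak", 180, 70, 1.0),  # legitimate growth below the factor
    ("flash sale", 240, 70, 2.0),       # legitimate growth above the factor
    ("backend outage", 90, 85, 42.0),   # steady traffic, failing origin
    ("flood", 900, 300, 5.0),           # exceeds the absolute ceiling
]

if __name__ == "__main__":
    for label, reason in replay(SAMPLES, SensorConfig()).items():
        print(f"{label:16} -> {reason or 'stays in sensor mode'}")
```

In this replay the flash sale trips the default factor of 3; raising “Traffic Increase” to 4 keeps it in sensor mode while the flood is still caught by “Max RPS Threshold”.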

    • L7 block rules

    In the second column, you can set values to detect bot activity.

    If a certain IP address sends more requests than specified in the “RPS Limit” field, and a higher percentage of those are blocked than the percentage specified in the “Block Limit” (“Uniformity Location”), then that IP address will be added to a “grey” list of addresses.

    • Blocked part
      • Block Limit (%)
      • RPS Limit
    • Location diversity
      • Uniformity Location (%)
      • RPS Limit

    • Firewall block rules

    In the third column, the parameters of the firewall are presented.

    Here, you can configure threshold values at the network level to block traffic from certain nodes, subnets, and networks without activating application-level filtering mechanisms.

    • Ban RPS threshold

    If this threshold is exceeded, the IP address is blocked without additional checks.

    • Blocked part L3 (%)

    If the “RPS Limit” value is exceeded and the proportion of blocked requests from that IP address surpasses the “Block Limit”, then the address is blocked.

    • Block Limit (%)
    • RPS Limit