CC attack defense

Last updated: 2023-07-28 14:35:46

    Overview

    A Collapse Challenge (CC) attack, also known as an HTTP/HTTPS DDoS attack, occupies the connection and session resources of Web services so that the service cannot respond to user requests normally, resulting in denial of service. To mitigate CC attacks, EdgeOne provides a pre-set CC attack protection strategy and enables it by default to keep your site stable online.
    Note:
    1. Attack protection aims to ensure business availability and mitigate the decline in origin access quality caused by malicious resource occupation.
    2. If you need to limit access to sensitive interfaces or mitigate business abuse, formulate a strategy in conjunction with rate limiting.
    3. If you need to manage bot and automated tool access, formulate a strategy in conjunction with Bot Management.

    Using CC Attack Protection

    CC attack protection identifies CC attacks through rate baseline learning, header feature statistical analysis, and client IP intelligence, then takes action. EdgeOne provides three pre-set CC attack protection strategies:
    High-frequency access request restriction: Counters CC attacks that occupy server resources with high-frequency, highly concurrent connection requests by limiting the access frequency of each source IP.
    Slow attack protection: Counters CC attacks that occupy server resources with a large number of slow connection requests by enforcing a minimum connection rate per session and eliminating slow-connection clients.
    Intelligent client filtering: Integrates rate baseline learning, header feature statistical analysis, and client IP intelligence to generate real-time dynamic attack defense rules. Requests from high-risk clients or carrying high-risk header features are subjected to human-machine identification. Intelligent client filtering is enabled by default and executes a JavaScript challenge for clients that match the rules.

    Configuring High-frequency Access Request Restriction

    High-frequency access request restriction rules limit the access rate of the domain according to the configured restriction level. There are two types of restriction level: adaptive and fixed.
    Adaptive type: Calculates the current domain's request rate, establishes a rate baseline from the requests of the last 7 days (the baseline is updated every 24 hours), and limits the access rate of a single client to the domain based on the configured restriction level.
    Fixed type: Limits the access rate of a single client to the domain based on a fixed threshold.
    Note:
    High-frequency access request restriction is suited to Web-based businesses. When the site also provides API services, to prevent legitimate higher-frequency requests from being intercepted, it is suggested that you configure exception rules for the API interfaces that need to support high-frequency access so that they skip the CC attack protection module, limit exposure of those API interfaces through rate limiting configuration, and avoid using the moderate, attack emergency, and strict restriction levels.

    Directions

    1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
    2. On the site details page, click Security > Web protection to enter the Web Protection details page, and in the domain list on the left side, select the domain that needs protection enabled.
    3. Find the CC attack protection card and click on setting. On the CC attack protection configuration page, click the edit button next to high-frequency access request limiting.
    4. Configure the limiting level and action for high-frequency access request limiting. The limiting levels are described as follows:
    | Limitation Type | Limitation Level | Applicable Scenarios | Rate Limitation | Initial Rate Limiting |
    |---|---|---|---|---|
    | Adaptive | Loose (Default Configuration, Suggested) | Applicable to most Web business scenarios. | No limitation; At least 7000 times/minute | 2000 times/5 seconds |
    | | Moderate | Applicable to business scenarios with simpler page content and less dynamic data or dynamically loaded content. | 1200-2400 times/minute | 200 times/5 seconds |
    | | Attack Emergency | When an attack occurs, or when protection at other limitation levels is bypassed and the business is affected, you can select this limitation level for emergency protection. Because rate limiting at this level is relatively strict, there is a risk of false interception, and it is not recommended for long-term use. | 60-1200 times/minute | 50 times/5 seconds |
    Note:
    The action supports the observe and JavaScript challenge methods. For more information on the different action methods, see Action.
    5. Click save to complete the rule configuration.
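An added example (not EdgeOne code): before moving from Loose to a stricter level, replay your own access records against the initial rate limits in the table to see which clients would be challenged and which paths may need the exception rules mentioned in the note above. Aligned 5-second windows, "exceeds" meaning strictly greater than the limit, and the sample IPs and paths are assumptions; this page does not describe how EdgeOne counts requests.

```python
from collections import Counter, defaultdict

# Initial rate limits quoted in the table above, in requests per 5 seconds.
INITIAL_LIMITS = {"Loose": 2000, "Moderate": 200, "Attack Emergency": 50}
WINDOW = 5  # seconds; aligned fixed windows are an assumption of this sketch


def peak_rates(events):
    """events: iterable of (epoch_seconds, client_ip, path).
    Returns {ip: (peak requests in any 5 s window, most requested path)}."""
    buckets = defaultdict(Counter)  # ip -> window index -> request count
    paths = defaultdict(Counter)    # ip -> path -> request count
    for ts, ip, path in events:
        buckets[ip][int(ts) // WINDOW] += 1
        paths[ip][path] += 1
    return {ip: (max(buckets[ip].values()), paths[ip].most_common(1)[0][0])
            for ip in buckets}


def audit(events):
    """For each level, list the clients whose peak exceeds the initial limit."""
    peaks = peak_rates(events)
    return {level: sorted((ip, peak, path)
                          for ip, (peak, path) in peaks.items() if peak > limit)
            for level, limit in INITIAL_LIMITS.items()}


def sample_events():
    """Constructed traffic: a browser, an API integration and a flood source."""
    t0 = 1_700_000_000
    browser = [(t0 + i / 3, "198.51.100.10", "/index.html") for i in range(30)]
    api = [(t0 + i / 60, "198.51.100.20", "/api/v1/orders") for i in range(300)]
    flood = [(t0 + i / 500, "203.0.113.99", "/search") for i in range(2500)]
    return browser + api + flood


if __name__ == "__main__":
    for level, hits in audit(sample_events()).items():
        print(level, hits)
```

In the constructed sample, the API client passes at Loose but would be challenged at Moderate and Attack Emergency, which is the case the exception-rule note addresses.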

    Configure Slow Attack Protection

    Slow attack protection limits the minimum data rate and sets a timeout to mitigate the consumption of site resources in slow transmission attack scenarios and avoid a decline in service availability. EdgeOne slow attack protection supports content transmission timeout and minimum content transmission rate options. When content is transmitted too slowly or no data is transmitted for a long time, the corresponding action is applied to the client.

    Directions

    1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
    2. On the site details page, click on security > Web Protection to enter the Web Protection details page. On the left side of the page, select the domain that needs to be protected from the domain list.
    3. Find the CC attack protection card and click on setting. On the CC attack protection configuration page, click the edit button on the right side of slow attack protection.
    4. Configure the matching method for slow attack protection rules, and choose from the following limitations:
    Content transmission duration: Mitigates slow attacks that occupy connections without transmitting content data. Specify the content transmission timeout; the corresponding action is applied to clients that fail to complete transmission of the first 8KB of content data within the configured time. The supported configuration is 5-120 seconds.
    Minimum content transmission rate: Mitigates attacks that occupy connections and session resources by transmitting content at an extremely slow rate. Specify the minimum transmission rate; when the content transmitted within the statistical time window falls below the configured rate, the corresponding action is applied. The minimum supported transmission rate is 1 bps, and the maximum is 100 Kbps.
    5. Click save to complete the rule configuration.
    Note:
    The action supports the observe and JavaScript challenge methods. For more information on the different action methods, see Action.
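An added example (not EdgeOne code) that applies the two slow attack rules described above to recorded request-body transfers, so you can check which connections a chosen timeout and minimum rate would match before switching the action from observe to JavaScript challenge. The 10-second statistical window, 1 Kbps = 1000 bps, the handling of bodies shorter than 8KB, and the traces are assumptions.

```python
FIRST_CHUNK = 8 * 1024  # "first 8KB of content data" in the duration rule


def validate(timeout_s, min_rate_bps):
    """Enforce the documented ranges: 5-120 seconds, 1 bps to 100 Kbps."""
    if not 5 <= timeout_s <= 120:
        raise ValueError("timeout must be 5-120 seconds")
    if not 1 <= min_rate_bps <= 100_000:  # assumes 1 Kbps = 1000 bps
        raise ValueError("minimum rate must be 1 bps to 100 Kbps")


def evaluate(chunks, content_length, observed_s, timeout_s, min_rate_bps,
             window_s=10):
    """chunks: [(seconds since body start, bytes received)] in time order.
    Returns "duration", "min_rate", or None when neither rule matches.
    window_s stands in for the statistical window (an assumed value)."""
    validate(timeout_s, min_rate_bps)
    need = min(FIRST_CHUNK, content_length)  # short bodies: whole body (assumed)
    total, first_done, body_done, per_window = 0, None, None, {}
    for t, n in chunks:
        total += n
        k = int(t // window_s)
        per_window[k] = per_window.get(k, 0) + n
        if first_done is None and total >= need:
            first_done = t
        if body_done is None and total >= content_length:
            body_done = t
    # Rule 1: first 8 KB not complete within the configured timeout.
    if (observed_s if first_done is None else first_done) > timeout_s:
        return "duration"
    # Rule 2: any complete window while the body is still being sent
    # carries fewer bits per second than the configured minimum.
    active_until = observed_s if body_done is None else body_done
    for k in range(int(active_until // window_s)):
        if per_window.get(k, 0) * 8 / window_s < min_rate_bps:
            return "min_rate"
    return None


# Constructed traces: (content_length, observed_s, chunks)
NORMAL = (65536, 1.3, [(0.2, 16384), (0.5, 16384), (0.9, 16384), (1.3, 16384)])
STALLED = (1_000_000, 40, [(1.0, 100)])
TRICKLE = (1_000_000, 60, [(2.0, 8192)] + [(5 * i, 10) for i in range(1, 12)])


def classify(trace, timeout_s=30, min_rate_bps=1000):
    length, observed, chunks = trace
    return evaluate(chunks, length, observed, timeout_s, min_rate_bps)
```

The TRICKLE trace passes the duration rule because it delivers the first 8KB quickly, and is caught only by the minimum rate rule, which is why the two options complement each other.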

    Intelligent CC Protection

    Intelligent CC protection integrates rate baseline learning, header feature statistical analysis, and client IP intelligence to generate real-time dynamic attack defense rules. Human-machine identification is performed for requests from high-risk clients or carrying high-risk header features. Intelligent client filtering is enabled by default and executes a JavaScript challenge for clients that match the rules.
    Note:
    Intelligent client filtering uses the business rate baseline as one of the references. Significant business changes (such as access, cut volume, new business, and new activities) may cause false interceptions. You can temporarily change the action method to observation until the business stabilizes.

    Modify the action method for intelligent CC attack protection

    If you need to modify the action method triggered by intelligent client filtering, you can follow these directions:
    1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
    2. On the site details page, click on Security > Web Protection to enter the Web Protection details page. On the left side of the page, select the domain that needs to be protected from the domain list.
    3. Find the CC attack protection card and click on setting. On the CC attack protection configuration page, click the setting protection state button on the right side of intelligent client filtering.
    4. Modify the action method for the matching rules, which supports Off (not enabled), observation, and JavaScript challenge. For details on the different action methods, see the Action section.
    5. Click save to complete the rule configuration.

    View or release the blocked client list

    If you need to view the client list blocked by intelligent client filtering, you can follow these directions:
    1. Log in to the EdgeOne console, click on the site list in the left menu bar, and click on the site that needs to be configured to enter the site details page.
    2. On the site details page, click on security protection > Web Protection to enter the Web Protection details page. On the left side of the page, select the domain that needs to be protected from the domain list.
    3. Find the CC attack protection card and click on setting. On the CC attack protection configuration page, click the view blocked clients button on the right side of intelligent client filtering.
    4. On the blocked clients page, click the add to allowlist button in the operation column to quickly configure the IP as an exception rule.