CC attack defense
Overview
A Collapse Challenge (CC) attack, also known as an HTTP/HTTPS DDoS attack, occupies the connection and session resources of Web services so that the service cannot respond to user requests normally, resulting in denial of service. To defend against CC attacks, EdgeOne provides a pre-set CC attack protection strategy and enables it by default to keep your site stable online.
Note:
The primary objective of CC attack protection is to ensure the availability of services. For security scenarios that do not lead to errors at the origin server or a decrease in site availability, such as resource scraping, bulk logins, and automated shopping cart orders, please fortify your security policies further by using Rate Limiting and Bot Management.
EdgeOne adopts a "clean traffic" billing model, meaning that requests intercepted by the security protection features are not charged. Charges are only applied to the traffic and request volume processed after the security protection features. For the definition of the "clean traffic" billing model, see Tencent Cloud EdgeOne.
Using Platform-Managed Rate Limiting
Platform-managed rate limiting identifies CC attacks through rate baseline learning, header feature statistical analysis, and client IP intelligence, then takes action. EdgeOne provides three pre-set CC attack protection strategies:
Adaptive frequency control: Handles CC attacks that occupy server resources through a large number of high-frequency, concurrent connection requests. It limits access frequency per source IP.
Slow attack protection: Handles CC attacks that occupy server resources through a large number of slow connection requests. It enforces a minimum connection rate per session and eliminates slow-connection clients.
Intelligent client filtering: Integrates rate baseline learning, header feature statistical analysis, and client IP intelligence to generate real-time dynamic attack defense rules, and performs human-machine verification for requests that come from high-risk clients or carry high-risk header features. Intelligent client filtering is enabled by default and executes JavaScript challenges for clients that meet the rules.
Configuring Adaptive Frequency Control
Adaptive frequency control calculates the request rate of the current domain, establishes a rate baseline from the requests of the last 7 days (the baseline is updated every 24 hours), and combines the baseline with the configured limitation level to limit the request rate of a single client accessing the domain.
Note:
Adaptive frequency control is suitable for Web-based businesses. If the site also provides API services, normal requests with a higher frequency may be intercepted. For API interfaces that need to support high-frequency access, it is suggested to configure exception rules that skip the CC attack protection module, limit the exposure of those interfaces with Custom Rate Limiting Rules, and avoid using the Moderate and Emergency levels.
Directions
1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
2. Click Security > Web Protection. By default, it is a site-level security policy. To configure differentiated security policies for a specific domain name under the current site, you can enter the Domain-level security policy tab and click the corresponding domain name to enter the configuration page for the domain-level security policy. The subsequent steps are the same.
3. Locate the Rate Limiting tab and click Edit on the right side of Adaptive frequency control.
4. Configure the limiting level and action for high-frequency access request limiting. The limiting levels are described as follows:
Limitation Type | Limitation Level | Applicable Scenarios |
Adaptive | Loose (Default Configuration, Suggested) | Applicable to most Web business scenarios. |
Adaptive | Moderate | Applicable to business scenarios with simpler page content and less dynamic data or dynamically loaded content. |
Adaptive | Emergency | When an attack occurs, or when protection at other limitation levels is bypassed and the business is impacted, you can select this limitation level for emergency protection. Because rate limiting at this level is relatively strict, there is a risk of false interceptions, and it is not recommended for long-term use. |
Note:
The action of Adaptive Frequency Control supports observation, block and JavaScript challenge methods. For more information on different action methods, see action.
5. Click Save to complete the rule configuration.
Configure Slow Attack Protection
Slow attack protection limits the minimum data rate and sets a timeout to mitigate the consumption of site resources in slow transmission attack scenarios and avoid a decline in service availability. EdgeOne slow attack protection supports content transmission timeout and minimum content transmission rate options. When the content transmission rate is slow or no data is transmitted for a long time, the corresponding action is applied to the client.
Directions
1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
2. Click Security > Web Protection. By default, it is a site-level security policy. To configure differentiated security policies for a specific domain name under the current site, you can enter the Domain-level security policy tab and click the corresponding domain name to enter the configuration page for the domain-level security policy. The subsequent steps are the same.
3. Locate the Rate Limiting tab and click Edit on the right side of Slow attack defense.
4. Configure the matching method for slow attack protection rules, and choose from the following limitations:
Content transmission duration: Mitigates slow attacks that occupy connections without transmitting content data. Specify the content transmission timeout duration; the corresponding action is applied to clients that fail to complete the transmission of the first 8KB of content data within the configured time. The supported configuration is 5-120 seconds.
Minimum content transmission rate: Mitigates attacks that occupy connections and session resources by transmitting content at an extremely slow rate. Specify the minimum transmission rate; when the content transmitted within the statistical time window is less than the configured rate, the corresponding action is applied. The minimum supported transmission rate is 1 bps, and the maximum is 100 Kbps.
Note:
The action of Slow Attack Protection supports observation and JavaScript challenge methods. For more information on different action methods, see action.
5. Click Save to complete the rule configuration.
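The two slow attack limitations above can be modeled offline to see which clients a candidate setting would match. The following is an added example, not EdgeOne's implementation or code from this documentation. The names SlowRule, evaluate and classify, the 10-second statistical window, the treatment of bodies shorter than 8KB, and all sample connections are assumptions constructed for illustration.

```python
from dataclasses import dataclass

FIRST_CHUNK = 8 * 1024  # "first 8KB of content data" from the duration limitation

@dataclass
class SlowRule:
    timeout_s: int       # content transmission duration: 5-120 seconds
    min_rate_bps: int    # minimum content transmission rate: 1 bps-100 Kbps
    window_s: int = 10   # statistical window length (assumed; not stated on the page)

    def __post_init__(self):
        if not 5 <= self.timeout_s <= 120:
            raise ValueError("timeout_s must be within 5-120 seconds")
        if not 1 <= self.min_rate_bps <= 100_000:  # 100 Kbps taken as 100,000 bps
            raise ValueError("min_rate_bps must be within 1 bps-100 Kbps")

def evaluate(rule, events, body_len, duration_s):
    """events: sorted (seconds since body start, bytes) pairs; returns matched limits."""
    hits = []
    # Duration limit: first 8 KB (or the whole body if shorter, an assumption) in time.
    need, got, done_at = min(FIRST_CHUNK, body_len), 0, None
    for t, n in events:
        got += n
        if got >= need:
            done_at = t
            break
    if done_at is None or done_at > rule.timeout_s:
        hits.append("duration")
    # Rate limit: every complete window while the transfer was open must meet the floor.
    for k in range(int(duration_s // rule.window_s)):
        lo, hi = k * rule.window_s, (k + 1) * rule.window_s
        bits = 8 * sum(n for t, n in events if lo <= t < hi)
        if bits / rule.window_s < rule.min_rate_bps:
            hits.append("min_rate")
            break
    return hits

# Constructed sample connections: (events, declared body length, seconds observed).
SAMPLES = {
    "normal_upload": ([(0.5, 32768), (1.0, 32768)], 65536, 1.0),
    "stalled":       ([(1.0, 100)], 1_000_000, 60.0),
    "trickle":       ([(2.0, 8192), (12.0, 10), (22.0, 10)], 1_000_000, 30.0),
    "slow_mobile":   ([(5.0, 2000), (15.0, 3000), (25.0, 3200), (35.0, 3000)], 11200, 35.0),
}

def classify(rule):
    return {name: evaluate(rule, *conn) for name, conn in SAMPLES.items()}

if __name__ == "__main__":
    for label, rule in (("loose", SlowRule(30, 1000)), ("strict", SlowRule(10, 4000))):
        print(label, classify(rule))
```

With the stricter rule the legitimate but slow "slow_mobile" upload matches both limitations, which is the kind of false interception to look for with the action set to observation before switching to JavaScript challenge.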
Intelligent Client Filtering
Intelligent client filtering integrates rate baseline learning, header feature statistical analysis, and client IP intelligence to generate real-time dynamic attack defense rules. Human-machine identification is performed for requests that come from high-risk clients or carry high-risk header features. Intelligent client filtering is enabled by default and executes a JavaScript challenge for clients that meet the rules.
Note:
Intelligent client filtering uses the business rate baseline as one of the references. Significant business changes (such as access, cut volume, new business, and new activities) may cause false interceptions. You can temporarily change the action method to observation until the business stabilizes.
Intelligent client filtering is only supported by the Standard plan and Enterprise plan.
Modify the action method for intelligent CC attack protection
If you need to modify the action method triggered by intelligent client filtering, you can follow these directions:
1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
2. Click Security > Web Protection. By default, it is a site-level security policy. To configure differentiated security policies for a specific domain name under the current site, you can enter the Domain-level security policy tab and click the corresponding domain name to enter the configuration page for the domain-level security policy. The subsequent steps are the same.
3. Locate the Rate Limiting tab and click Edit on the right side of Client filtering.
4. Configure the actions.
Note:
Intelligent client filtering supports four actions: Disable (Not Enable), Monitor, Block, and JavaScript Challenge. For more information on different actions, see Action.
5. Click Save to complete the rule configuration.
Note:
View the requests that match the intelligent client filtering rules. For details, see Web Security Analysis.