Overview
Menu

CC attack defense

Overview

Collapse Challenge (CC) attack, also known as HTTP/HTTPS DDoS attack. Attackers occupy the connection and session resources of Web services, causing the service to be unable to respond to user requests normally, resulting in denial of service. To avoid CC attacks, EdgeOne provides a pre-set CC attack protection strategy and enables it by default to ensure the stability of your site online.
Note:
The primary objective of CC attack protection is to ensure the availability of services. For security scenarios that do not lead to errors at the origin server or a decrease in site availability, such as resource scraping, bulk logins, and automated shopping cart orders, please fortify your security policies further by using Rate Limiting and Bot Management.
EdgeOne adopts a "clean traffic" billing model, meaning that requests intercepted by the security protection features are not charged. Charges are only applied to the traffic and request volume processed after the security protection features. For the definition of the "clean traffic" billing model, see Tencent Cloud EdgeOne.

Using CC Attack Protection

CC attack protection identifies CC attacks through rate baseline learning, header feature statistical analysis, and client IP intelligence, then takes action. EdgeOne provides three pre-set CC attack protection strategies:
High-frequency access request restriction: Used to deal with CC attack behavior that occupies server resources through high-frequency and large amount of concurrent connection requests, and can limit access frequency based on a single IP source.
Slow attack protection: Used to deal with CC attack behavior that occupies server resources through a large amount of slow connection requests, and can limit access connection minimum rate based on a single session, eliminating slow connection clients.
Intelligent client filtering: Integrates rate baseline learning, header feature statistical analysis, and client IP intelligence to generate real-time dynamic attack defense rules. Perform human-machine verification for requests from high-risk clients or carrying high-risk header features. Intelligent client filtering is enabled by default and executes JavaScript challenges for clients that meet the rules.

Configuring High-frequency Access Request Restriction

The high-frequency access request limiting rule calculates the request rate of the current domain based on the configured limitation level, establishes a rate baseline (the rate baseline is updated every 24 hours) based on the requests in the last 7 days, and combines the configured limitation level to limit the request rate of a single client accessing the domain.
Note:
High-frequency access request restriction is suitable for Web-based businesses. When the site also provides API interface services, in order to prevent normal requests with higher frequency from being intercepted, it is suggested to configure exception rules for API interfaces that need to support high-frequency access, skip the CC attack protection module, and limit the API interface exposure through rate limiting configuration to avoid using moderate, attack emergency, and strict restriction levels.

Directions

1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
2. On the site details page, click Security > Web protection, enter the detail page of Web Protection, and in the domain list on the left side, select the domain that needs to enable protection.



3. Find the CC attack protection card and click on setting. Enter the CC attack protection Configuration page, and click on the edit button next to the high-frequency Access request limiting.
4. Configure the limiting level and action for high-frequency Access request limiting, with descriptions for each limiting level as follows:
Limitation Type
Limitation Level
Applicable Scenarios
Rate Limitation
Initial Rate Limiting
Adaptive
Loose (Default Configuration, Suggested)
Applicable to most Web business scenarios.
No limitation
At least 7000 times/minute
2000 times/5 seconds
Moderate
Applicable to business scenarios with simpler page content and less dynamic data or dynamic loading content.
1200-2400 times/minute
200 times/10 seconds
Attack Emergency
When an attack occurs, or when other limitation levels' protection causes business impact due to bypass, you can select this limitation level for emergency protection. Since the rate limiting of this level is relatively strict, there may be false intercepted risks, and it is not recommended for long-term usage.
60-1200 times/minute
40 times/10 seconds
Note:
The action supports observation and JavaScript challenge methods. For more information on different action methods, see action.
5. Click save to complete the rule configuration.

Configure Slow Attack Protection

By limiting the minimum data rate and setting timeout, mitigate the consumption of site resources in slow transmission attack scenarios, and avoid the decline of service availability. EdgeOne slow attack protection supports content transmission timeout and minimum content transmission rate options. When the content transmission rate is slow or there is no data transmission for a long time, apply the corresponding action to the client.

Directions

1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
2. On the site details page, click on security > Web Protection to enter the Web Protection details page. On the left side of the page, select the domain that needs to be protected from the domain list.

3. Find the CC attack protection card and click on the setting. Enter the CC attack protection configuration page and click on the edit button on the right side of the slow attack protection.
4. Configure the matching method for slow attack protection rules, and choose from the following limitations:
Content transmission duration: Mitigate slow attacks that occupy connections without transmitting content data. Specify the content transmission timeout duration, and clients that fail to complete the transmission of the first 8KB of content data within the configured time will apply the corresponding action; the supported configuration is 5-120 seconds.
Minimum content transmission rate: Mitigate attacks that occupy connections and session resources by transmitting content at an extremely slow rate. Specify the minimum transmission rate, and when the content transmitted within the statistical time window is less than the configured rate, apply the corresponding action. The minimum supported transmission rate is 1 bps, and the maximum is 100 Kbps.

Note:
The action supports observation and JavaScript challenge methods. For more information on different action methods, see action.
5. Click save to complete the rule configuration.

Intelligent CC Protection

Integrating rate baseline learning, header feature statistical analysis, and client IP intelligence, real-time dynamic attack defense rules are generated. Human-machine identification is performed for requests from high-risk clients or carrying high-risk header features. Intelligent client filtering is enabled by default and executes a JavaScript challenge for clients that meet the rules.
Note:
Intelligent client filtering uses the business rate baseline as one of the references. Significant business changes (such as access, cut volume, new business, and new activities) may cause false interceptions. You can temporarily change the action method to observation until the business stabilizes.
Intelligent client filtering is only supported by the Standard plan and Enterprise plan.

Modify the action method for intelligent CC attack protection

If you need to modify the action method triggered by intelligent client filtering, you can follow these directions:
1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site.
2. In the site details page, click on Security > Web Protection to enter the Web Protection details page. On the left side of the page, select the domain that needs to be protected from the domain list.

3. Find the CC attack protection card and click on the setting. Enter the CC attack protection configuration page and click on the setting protection state button on the right side of the intelligent client filtering.

4. Modify the action method for the matching rules, which supports Off (not enabled), observation, and JavaScript challenge. For details on different action methods, please refer to the action section.

5. Click save to complete the rule configuration.

View or release the blocked client list

If you need to view the client list blocked by intelligent client filtering, you can follow these directions:
1. Log in to the EdgeOne console, click on the site list in the left menu bar, and click on the site that needs to be configured to enter the site details page.
2. In the site details page, click on security protection > Web Protection to enter the Web Protection details page. On the left side of the page, select the domain that needs to be protected from the domain list.

3. Find the CC attack protection card and click on the setting. Enter the CC attack protection configuration page and click on the view blocked clients button on the right side of the intelligent client filtering.

4. In the blocked clients page, click on the add to allowlist button in the operation column to quickly configure the IP as an exception rule.