Edge Security
  • Overview
  • DDoS Protection
    • DDoS Protection Overview
    • Exclusive DDoS Protection Usage
    • Configuration of Exclusive DDoS protection Rules
      • Increase DDoS Protection Level
      • Exclusive DDoS Traffic Alarm
      • Configuration IP blocklist/allowlist
      • Configuration Region Blocking Rule
      • Configuration Port Filtering
      • Configuration Features Filtering
      • Configuration Protocol Blocking Rule
      • Configuration Connections Attack Protection
      • Related References
        • Action
        • Related Concepts Introduction
  • Web Protection
    • Overview
    • Managed rules
    • CC attack defense
    • Custom rule
    • Custom Rate Limiting Rules
    • Exception Rules
    • Managed Custom Rules
    • Web security monitoring alarm
    • Refer
      • Web Protection Request Processing Order
      • Action
      • Match Condition
  • Bot Management
    • Overview
    • Bot Intelligent analysis
    • Bot Basic Feature Management
    • Client Reputation
    • Active Detection
    • Custom Bot Rule
    • Bot Exception Rule
    • Related References
      • Action
  • Rules Template
  • IP and IP Segment Grouping
  • Origin Protection
  • Custom Response Page
  • Alarm Notification
  • SSL/TLS
    • Overview
    • Deploying/Updating SSL Certificate for A Domain Name
    • Configuring A Free Certificate for A Domain Name
    • HTTPS Configuration
      • Forced HTTPS Access
      • Enabling HSTS
      • SSL/TLS Security Configuration
        • Configuring SSL/TLS Security
        • TLS Versions and Cipher Suites
      • Enabling OCSP Stapling

Client Reputation

Overview

Malicious bots usually initiate requests through proxy pools, botnets, or specific devices. EdgeOne's client reputation analysis uses Tencent's nearly 20 years of network security experience and big data intelligence accumulation to determine the real-time state of IP, adopt scoring mechanisms, quantify risk values, and precisely identify access from malicious dynamic IPs. It accurately identifies high-risk clients, updates the latest threat intelligence every 24 hours, and provides threat confidence reports for different IP addresses. According to the different types of attack clients, it provides 5 risk classifications and confidence levels. You can help control multiple categories (network attack sources, exploited network proxy devices, vulnerability scanning tools, brute force cracking behaviors, etc.) of high-risk client access by customizing the protection strategy for each threat confidence level, reducing business risks and effectively intercepting such malicious behaviors.

Example Scenario

In the Web security analysis module, you observe that under the site api.example.com, the login interface /api/login has high-frequency access, and there are a large number of failed access requests in a short period of time. However, due to the large number of access IPs, mainly from broadband operator networks, a single IP request is only 1-2 times. Judging from the access features, it is suspected that dial-up IPs are used for brute force cracking login attempts. To strengthen the security policy, we suggest intercepting higher confidence network proxy clients and setting medium confidence clients to observe.

Directions

1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site to enter the site details page.
2. Click Security > Web Security . By default, it is a site-level security policy. Click the Domain-level security policy tab and then click the target domain name such as shop.example.com , to enter the configuration page for the security policy of the target domain name.
3. Locate the Bot Management tab and click Edit under Client reputation to enter the configuration page.

4. Client reputation is classified into network attack, network proxy, scanner, account takeover attack, and malicious bot. For different client types, you can select the corresponding action based on the client credibility level. In this example scenario, dial-up IPs belong to a typical network proxy client. When high-frequency access from dispersed IPs is monitored at the site, you can block high-credibility network proxy clients, and set the action to Monitor for moderate-credibility clients.

5. Click OK to complete the configuration.

Related References

Risk Classification

Client reputation analysis is based on real-time threat intelligence libraries and can effectively identify clients with the following 5 types of malicious behavior history:
Network attack: Clients with recent attack behavior (such as DDoS, high-frequency malicious requests, site attacks, etc.). For example, attacks initiated by the Mirai botnet can be classified into this category.
Network proxy: Clients that have recently opened suspicious proxy ports and have been used as network proxies, including dial-up IP proxy pools and IoT proxy networks used to initiate malicious requests.
Scanner: Clients with recent scanner behavior targeting known vulnerabilities. For example, vulnerability scanning tools for Web applications.
Account takeover attack: Clients with recent malicious login cracking and account takeover attack behavior. For example, attackers who use brute force to crack user login credentials.
Malicious bot: Clients with recent malicious bot, hotlinking, and brute force cracking behaviors. For example, illegal bots that collect website content.

Credibility Level

For each category of client reputation rules, each credibility level corresponds to a client address list. The credibility level reflects the frequency and consistency of the client address's recent malicious behavior in that category:
Higher credibility: The client address has recently engaged in stable, high-frequency malicious behavior in that category. It is recommended to intercept such clients.
Moderate credibility: The client address has recently engaged in significant frequency malicious behavior in that category. It is recommended to configure such clients for JavaScript challenge or observation.
General credibility: The client address has recently engaged in stable malicious behavior in that category. It is recommended to configure this type of client as an observation, and then adjust it to a JavaScript challenge or a hosting challenge based on the analysis results.