Configuring attack thresholds
Attack thresholds are a type of threshold configuration that caps the total number of attack signals that can be seen from an IP address before the Next-Gen WAF flags that IP address. Once flagged, subsequent requests that are from the flagged IP address and that are tagged with an attack signal are blocked or logged depending on the Agent mode (also known as Protection mode) setting. This type of configuration targets attackers’ ability to use scripting and tooling.
For each attack threshold, you can adjust the attack signals cap (otherwise known as the threshold). If you'd like a different threshold for an individual attack signal, you can add a site alert (also known as a signal threshold).
How attack thresholds works
Attack thresholds monitor and flag IP addresses that exhibit repeat malicious behavior and then handle requests from the flagged IP addresses.
Flagging occurs when enough attacks are seen from a single IP address. More explicitly, we count the number of attack signals per IP address, and when this number reaches one of the attack thresholds, we flag and blocklist the IP address.
After an IP address has been flagged, subsequent requests that are from the flagged IP address and that are tagged with an attack signal are either blocked or logged depending on the Agent mode (Protection mode) setting. Specifically, requests with an attack signal are blocked when the setting is set to Blocked and logged when set to Not Blocking (also known as Logging).
By default, malicious traffic from the IP address is blocked or logged for 24 hours. If you have access to the Next-Gen WAF control panel, you can change the default time that blocklisted IP addresses are blocked by updating the blockDurationSeconds field via our API.
Limitations and considerations
When working with attack thresholds, keep the following things in mind:
- Requests that have only been tagged with anomaly and custom signals are not counted towards flagging thresholds.
- When an IP address is flagged by any Next-Gen WAF customer, we record that IP address as a known potential bad actor and make its status known across our whole network by tagging it with the SigSci Malicious IPs (
SigSci IP) anomaly signal. - You can override the attack thresholds for individual attack signals by creating site alerts (signal thresholds).
Adjusting attack thresholds
The default attack thresholds are based on historical patterns that we've seen across all customers.
| Interval | Threshold | Frequency of check |
|---|---|---|
| 1 minute | 50 | Every 20 seconds |
| 10 minutes | 350 | Every 3 minutes |
| 1 hour | 1,800 | Every 20 minutes |
To raise or lower the attack thresholds, complete the following steps:
- Next-Gen WAF control panel
- Fastly control panel
Log in to the Next-Gen WAF control panel.
From the Sites menu, select a site if you have more than one site.
From the Manage menu, select Site Settings.
Click Attack Thresholds.
In the 1 minute interval, 10 minute interval, and 1 hour interval fields, enter the thresholds that are appropriate for your site. To immediately block requests that are tagged with at least one attack signal, use the Immediate blocking setting.
Click Update.
Applying immediate blocking
You can use the Immediate blocking setting to immediately block all requests tagged with at least one attack signal. While Immediate blocking is enabled, your existing attack threshold settings are maintained so that you can easily revert to threshold-based blocking.
To enable immediate blocking:
- Next-Gen WAF control panel
- Fastly control panel
Log in to the Next-Gen WAF control panel.
From the Sites menu, select a site if you have more than one site.
- From the Manage menu, select Site Settings.
- Click Attack Thresholds.
- Click the Immediate blocking switch to the On position.
