
Malicious IP Blocking

Malicious IP blocking lets UWAF penalize the source IP of attack requests automatically: when the current domain name is under attack and multiple attack requests from a single IP are counted within a set period, that IP is added to the domain name's blacklist and blocked. If a third-party proxy (CDN, load balancer or reverse proxy) sits in front of UWAF, the IP that UWAF sees may be the proxy's address rather than the real client's; counting against that address can produce a false block, and blocking the proxy address would affect every client behind it.

Malicious IP blocking is governed by the blacklist/whitelist switch: it only takes effect when the blacklist and whitelist status is turned on.

For the priority of various rules, see Rule priority.

!> Note:
The malicious IP blocking function is built on the Domain Blacklist rules: UWAF counts the attack requests from an IP and, once the threshold is reached, automatically generates a blacklist rule for that IP. The generated rule may take effect with some delay; the actual effective time prevails. IPs blocked in this way can be viewed under 【Function Settings】->【IP Management】->【Blacklist】, where their adding method is shown as "Auto Intercept Rule".

Add Rule

You can add a rule by attack type and attack frequency. Rules are mutually exclusive in scope: once a rule with attack type "All" exists, no rule for a specific attack type can be added, and once a rule for a specific attack type exists, no "All" rule can be added.

Rule Parameters Description

| Parameter | Description |
| --- | --- |
| Statistics Period | The time window over which attack requests from one IP are counted. |
| Attack Type | Which attack types are counted. Default is All. Only one rule of type All can exist; otherwise one rule per specific attack type can be set, each covering a different type. |
| Threshold Count | The number of attack requests of the specified attack type within the statistics period that triggers blocking. |
| Blocking Duration | How long the IP remains on the blacklist after it has been added. |

Definition of attack request: a request that triggers a default UWAF rule or a custom UWAF rule (excluding user-defined allow rules), or a request that triggers a CC rule (excluding the subsequent requests that are intercepted after the CC rule has already fired). Only such requests count toward the threshold.
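The following is an added worked model of the behaviour described on this page; it is illustrative code written for this document, not UWAF's implementation. It assumes a sliding-window counter per IP and attack type (the page does not say how the period is counted), invented attack-type names and trigger labels (`default_rule`, `custom_allow_rule`, `cc_rule`, `cc_subsequent_intercept`), and a trusted-proxy list for resolving the real client IP from `X-Forwarded-For`, which is one common way to avoid the false-blocking case mentioned above.

```python
"""Illustrative model of malicious-IP blocking (added example, not UWAF code).

Assumptions not stated on the page: sliding-window counting, the attack-type
and trigger names, and the trusted-proxy handling in client_ip().
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple

ALL = "All"

# Trigger kinds that count as an "attack request" per the page's definition:
# default rule, custom rule (but not a custom allow rule), CC rule (but not
# the follow-up interceptions after the CC rule has already fired).
COUNTED = {"default_rule", "custom_block_rule", "cc_rule"}


def is_attack_request(trigger: str) -> bool:
    """True if a request with this trigger counts toward the threshold."""
    return trigger in COUNTED


def client_ip(remote_addr: str, xff: Optional[str], trusted_proxies: Set[str]) -> str:
    """Resolve the source IP when a trusted proxy sits in front of the WAF.

    If the TCP peer is a trusted proxy, walk X-Forwarded-For from the right and
    take the first hop that is not itself a trusted proxy. If the peer is not
    trusted, XFF is attacker-controlled and is ignored. Counting against the
    proxy address instead would eventually blacklist the proxy for all clients.
    """
    if remote_addr not in trusted_proxies or not xff:
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return remote_addr


@dataclass(frozen=True)
class BlockRule:
    period: int       # statistics period, seconds
    attack_type: str  # ALL or one specific attack type
    threshold: int    # attack requests within the period that trigger blocking
    duration: int     # seconds the IP stays on the blacklist


class MaliciousIPBlocker:
    def __init__(self, enabled: bool = True):
        self.enabled = enabled  # the blacklist/whitelist status switch
        self.rules: List[BlockRule] = []
        self._hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.blacklist: Dict[str, float] = {}  # ip -> expiry time

    def add_rule(self, rule: BlockRule) -> None:
        """An "All" rule excludes per-type rules and vice versa; one rule per type."""
        if self.rules and (rule.attack_type == ALL or self.rules[0].attack_type == ALL):
            raise ValueError('an "All" rule cannot coexist with other rules')
        if any(r.attack_type == rule.attack_type for r in self.rules):
            raise ValueError("a rule for %s already exists" % rule.attack_type)
        self.rules.append(rule)

    def is_blocked(self, ip: str, now: float) -> bool:
        expiry = self.blacklist.get(ip)
        if expiry is None:
            return False
        if now >= expiry:  # blocking duration has elapsed
            del self.blacklist[ip]
            return False
        return True

    def record(self, ip: str, attack_type: str, trigger: str, now: float) -> bool:
        """Feed one request; return True if this request got ip blacklisted."""
        if not self.enabled or not is_attack_request(trigger):
            return False
        if self.is_blocked(ip, now):
            return False
        for rule in self.rules:
            if rule.attack_type not in (ALL, attack_type):
                continue
            window = self._hits[(ip, rule.attack_type)]
            window.append(now)
            while window and window[0] <= now - rule.period:  # age out old hits
                window.popleft()
            if len(window) >= rule.threshold:
                self.blacklist[ip] = now + rule.duration
                window.clear()
                return True
        return False


def demo() -> dict:
    """Constructed scenario: 3 SQLi attack requests in 60 s trigger a 600 s block."""
    waf = MaliciousIPBlocker()
    waf.add_rule(BlockRule(period=60, attack_type="SQLi", threshold=3, duration=600))
    ip = client_ip("10.0.0.1", "203.0.113.7, 10.0.0.1", {"10.0.0.1"})
    out = {"ip": ip, "blocked_on": None}
    events = [(0, "SQLi", "default_rule"), (10, "XSS", "default_rule"),
              (20, "SQLi", "custom_allow_rule"), (30, "SQLi", "cc_rule"),
              (70, "SQLi", "default_rule"), (80, "SQLi", "default_rule")]
    # XSS is not counted by a SQLi rule, the allow-rule hit is not an attack
    # request, and the t=0 hit has aged out by t=70, so the block fires at t=80.
    for t, kind, trig in events:
        if waf.record(ip, kind, trig, t):
            out["blocked_on"] = t
    out["blocked_at_100"] = waf.is_blocked(ip, 100)
    out["blocked_at_700"] = waf.is_blocked(ip, 700)
    return out
```

Running `demo()` resolves the real client address (203.0.113.7) instead of the proxy, blocks it on the third counted SQLi hit inside the window, and shows the entry expiring after the blocking duration.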