CC Rules
CC rules can be used to throttle requests to prevent a large number of requests from going back to the origin server, causing network congestion or a surge in CPU usage at the origin server.
For the priority of various rules, please see Rule Priority.
CC Protection Mode and Status
CC protection mode includes normal mode and emergency mode:
- Normal: Only custom rules apply (if there are no custom rules, then the default rules apply).
- Emergency: Not only will custom rules apply, but UWAF will also intercept requests with abnormal frequencies based on data analysis, artificial intelligence recognition, etc. However, there may be false positives. In emergency mode, UWAF will automatically intercept attacks and add cookie parameters to verify requests. If there are 301 redirects on the website, it is not recommended to turn on emergency mode.
CC protection is enabled by default. In this state, if the user has not configured any CC rules, a default rule takes effect: if the number of requests from a single IP exceeds 500 in 1 minute, requests from this IP are intercepted for 10 minutes. The default rule is always enforced while no custom CC rule exists; once the user adds any custom CC rule, the default rule no longer applies. If the CC status is set to closed, UWAF provides no CC protection, so choose carefully.
For all CC rules, the CC protection engine counts every request, but once a rule is triggered it does not intercept access to common static file types. The specific file types are ‘css, ico, png, jpg, js, gif’. If you need to enable interception of such files, please consult technical support.
Custom CC Rules List
The CC rule list shows the custom rules added by the user. After adding custom rules for a file or subdirectory, we recommend also adding a “catch-all” rule for safety, i.e., a rule that triggers when a single IP accesses the root directory (/) more than 1000 times in a period (such as 60 seconds). This copes effectively with CC attacks in which attackers change their attack paths.
Add Rules
Rule Parameter Description
Parameter | Description |
---|---|
Rule Name | The name of the custom rule; it may consist of any Chinese or English characters |
Limit Frequency | The maximum number of visits by a single IP within the statistical period |
Limit Feature | The request path is required, and it is matched either exactly (equals) or by directory (contains). For the other restriction fields, see Match Condition Description. Multiple limit features are combined with ‘and’. |
Limit Mode | The restrictive measure applied to IPs that exceed the limit frequency and match the limit feature. The options are: ● Block this IP: layer-4 block. If a proxy such as a CDN sits in front, this blocks the connecting IP address, i.e., the IP of the CDN proxy node, which can make the site widely inaccessible, so use it with caution. The default restriction time is 2 hours and cannot be changed. ● Intercept this kind of request: layer-7 block. UWAF refuses requests from the blocked IP and records the HTTP 444 status code. If a proxy such as a CDN sits in front, you need to configure [Real IP Field Setting] correctly; if the CDN proxy does not pass this field correctly, requests may be blocked by mistake. ● Enable captcha: redirects to the captcha page. If the user passes verification, the IP is whitelisted for 10 minutes (CC rules are not evaluated; other rules are not affected). ● Limit request frequency: limits requests according to the rule's limit frequency. When a request arrives, UWAF checks whether the number of requests in the preceding statistical period exceeds the access limit; if it does, UWAF responds with the HTTP 429 status code. This mode has no effective restriction time and does not record attack logs; you can filter the access logs by the 429 status code to find the IPs that triggered the rule. ● Only log: records a CC attack log without taking any substantial restrictive measure. |
Limit Time | The effective time of the rule; after this time has passed, the CC rule is evaluated again for the IP. |
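
Because the Limit request frequency mode records no attack log, the access log is where its effect shows up, and the same log gives the per-IP baseline needed to choose a Limit Frequency. The following is an added example, not UWAF code: the combined-log-style line format, the path `/sale/item` and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed combined-log-style line; adapt the pattern to your real export.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')

def parse(lines):
    """Yield (ip, epoch_seconds, status) for each line that matches LINE."""
    for line in lines:
        m = LINE.match(line)
        if m:
            ip, ts, _path, status = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield ip, when.timestamp(), int(status)

def peak_per_ip(lines, period_s=60):
    """Largest number of requests each IP made in any period_s-second window."""
    times = defaultdict(list)
    for ip, t, _status in parse(lines):
        times[ip].append(t)
    peaks = {}
    for ip, ts in times.items():
        ts.sort()
        start = 0
        peaks[ip] = 0
        for end, t in enumerate(ts):
            while ts[start] <= t - period_s:
                start += 1
            peaks[ip] = max(peaks[ip], end - start + 1)
    return peaks

def throttled_ips(lines):
    """Count HTTP 429 responses per IP (rate-limit mode leaves no attack log)."""
    counts = defaultdict(int)
    for ip, _t, status in parse(lines):
        if status == 429:
            counts[ip] += 1
    return dict(counts)

def _line(ip, sec, status):  # builds one constructed sample line
    return (f'{ip} - - [10/Oct/2024:13:{sec // 60:02d}:{sec % 60:02d} +0000] '
            f'"GET /sale/item HTTP/1.1" {status} 0')

SAMPLE = ([_line("203.0.113.7", s, 200) for s in range(20)]
          + [_line("203.0.113.7", s, 429) for s in range(20, 25)]
          + [_line("198.51.100.20", s * 30, 200) for s in range(6)])
```

Run `peak_per_ip` over a period of normal traffic to see how far below a candidate Limit Frequency legitimate clients stay, and `throttled_ips` after enabling the rule to see which IPs it is throttling.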
CC Block IP
Here you can see the list of IPs that have triggered a CC rule, including banned IPs and IPs that trigger captcha. Refreshing the CC blacklist cancels the ban or captcha verification for all IPs, and Unblock this IP in the operation column cancels the ban or captcha verification for a single IP. The refresh blacklist or unblock IP operation may be delayed, and the actual effective time will prevail.
CC Rule Examples
- If a business domain name has stable traffic, with no single IP exceeding 100 requests in 1 minute, and you want to use UWAF to resist potential CC attacks.
  Rule example:
  - Rule Name: Anti CC Rule
  - Limit Frequency: Single IP access 100 times in 60 seconds
  - Limit Feature: Request path directory matches / (a directory match on the root directory means the whole site)
  - Limit Mode: Intercept this kind of request
  - Limit Time: 1440 minutes
  Situation: When a malicious client sends 100 requests in 30 seconds, this CC rule is triggered and the malicious client's source IP address is banned for 24 hours. After that, UWAF responds to all requests from this IP address to this business domain name with the HTTP 444 status code.
- If an online mall domain name is going to hold a flash sale event, a large number of customers are expected to visit during the scheduled period, resulting in a sudden increase in traffic, and you want to use UWAF for traffic throttling.
  Rule example (1):
  - Rule Name: Throttle Rule 1
  - Limit Frequency: Single IP access 20 times in 60 seconds
  - Limit Feature: Request path directory matches Path A (the path where the flash sale product is located)
  - Limit Mode: Enable captcha
  - Limit Time: 3 minutes
  Rule example (2):
  - Rule Name: Throttle Rule 2
  - Limit Frequency: Single IP access 20 times in 60 seconds
  - Limit Feature: Request path directory matches Path A (the path where the flash sale product is located)
  - Limit Mode: Limit request frequency
  - Limit Time: 120 minutes
  Situation (1): For rule example (1), when a client sends 20 requests in 30 seconds, this CC rule is triggered. When the client's source IP address makes the 21st request, UWAF redirects this request to the captcha page. If the verification is passed, requests from this IP address are not evaluated against CC rules for the next 10 minutes; if the verification is not passed, UWAF keeps redirecting requests from this IP address to this online mall domain name to the captcha page during the limit time.
  Situation (2): For rule example (2), when a client sends 20 requests in 30 seconds, this CC rule is triggered. When the client's source IP address makes the 21st request, UWAF finds that this IP address has already sent 20 requests in this 60 seconds, so it responds to this request with the HTTP 429 status code. If UWAF does not receive a request from this IP address within 60 seconds, the client can continue to request this online mall, but the number of requests within 60 seconds cannot exceed 20.
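
The difference between the Intercept and Limit request frequency modes in the situations above can be replayed with a small model. This is an added example, not UWAF's implementation: it covers only those two modes plus the static-file exemption, `/sale/` stands in for Path A, and it assumes that every request, including a rejected one, counts toward the statistical period.

```python
from collections import defaultdict, deque

STATIC_EXT = ("css", "ico", "png", "jpg", "js", "gif")  # counted, never intercepted

class CCRule:
    """Toy model of one CC rule as this page describes it (not UWAF code)."""

    def __init__(self, path, limit, period_s, mode, limit_time_s=0):
        self.path, self.limit, self.period_s = path, limit, period_s
        self.mode, self.limit_time_s = mode, limit_time_s  # "intercept" or "rate"
        self.hits = defaultdict(deque)  # ip -> arrival times inside the period
        self.banned_until = {}          # ip -> end of ban (intercept mode only)

    def handle(self, ip, path, now):
        """Return the status code a request arriving at time `now` receives."""
        if self.path not in path:       # directory match ("contains")
            return 200
        window = self.hits[ip]
        while window and window[0] <= now - self.period_s:
            window.popleft()            # forget arrivals older than the period
        prior = len(window)             # requests seen before this one
        window.append(now)              # assumption: every request is counted
        if path.rsplit(".", 1)[-1].lower() in STATIC_EXT:
            return 200                  # static files are counted, not blocked
        if self.banned_until.get(ip, 0) > now:
            return 444                  # still inside the Limit Time
        if prior >= self.limit:
            if self.mode == "intercept":
                self.banned_until[ip] = now + self.limit_time_s
                return 444
            return 429                  # "rate": no ban, nothing to expire
        return 200

def replay(rule, ip, path, times):
    """Feed one client's requests through a rule; return the status codes."""
    return [rule.handle(ip, path, t) for t in times]

if __name__ == "__main__":
    rule2 = CCRule("/sale/", limit=20, period_s=60, mode="rate")  # Throttle Rule 2
    print(replay(rule2, "203.0.113.7", "/sale/item", list(range(20)) + [30, 95]))
```

With Throttle Rule 2 the 21st request gets 429 and the client recovers after a quiet 60 seconds, whereas the same model in `intercept` mode keeps answering 444 until the Limit Time ends.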