Web Security Manager can block hostile IP addresses at the network level. Addresses can be learned and automatically blocked in four different ways.
DoS Mitigation
If DoS Mitigation is enabled, source IPs exceeding the configurable request limits are automatically blocked for a configurable number of seconds (e.g. 86400 seconds, which is 24 hours).
Attack source auto blocking
If Attack source auto blocking is enabled, source IPs are tracked across all website deny logs. If a number of requests above a certain risk level are recorded within a certain time span, the source IP is automatically blocked for a configurable number of seconds.
Immediate source blocking
Each website can be configured to immediately block a source IP if a log event above a certain risk level is recorded.
Manual entry
IP addresses can be added manually to the list of blocked source IPs.
Only traffic to inbound interfaces is blocked. Management interfaces are not blocked unless the management role has been bound to an interface which is also responding to inbound requests - typically the interface facing the Internet.
Blocking a source IP does not keep a determined attacker from accessing your website. Positive filtering at the application level, which is the core functionality of Web Security Manager, is much better at stopping unauthorized intrusion attempts. Blocking does, however, make attacks more difficult, especially if immediate source blocking is enabled, as this forces the attacker to change IP every time an attack signature is triggered.
The table shows which source IPs are currently blocked.

| Column | Description |
| --- | --- |
| Source IP | The blocked source IP address. |
| Violation | The reason for / type of blocking. |
| Attacks | Total number of attacks recorded from the country/IP. Click the row to zoom in on the attacks. |
| Added | Date and time the source IP was added to the list. |
| Blocked packets | Number of blocked packets from the source IP. |
| Blocked bytes | Number of blocked bytes from the source IP. |
| Del button | Remove the IP from the list. |
The table shows IP addresses which are allowed to bypass network protection such as blacklisting and DoS mitigation controls.

| Column | Description |
| --- | --- |
| Trusted Client Source IP | The IP address which bypasses network controls. |
| In packets | Number of incoming packets from the source IP. |
| In bytes | Number of incoming bytes from the source IP. |
| Out packets | Number of outgoing packets to the source IP. |
| Out bytes | Number of outgoing bytes to the source IP. |
The network blocking bypass white list is compiled from the website trusted client lists, the website trusted proxies, and the default gateway.

Trusted client IP addresses are added in ->+->+Trusted clients, and network blocking bypass for trusted clients has to be checked in ->+->+IP pass through. In addition, network blocking bypass has to be enabled in general (below). Trusted proxies are added in ->+->+Trusted Proxy.

Network blocking bypass is enabled by default. Note that this feature is only available on WAF licenses.
| Setting | Type | Description |
| --- | --- | --- |
| Allow website Trusted Client IPs to bypass network protection | Check box | Enable / disable network blocking bypass for trusted clients. Default: |
| Allow trusted proxy IPs to bypass network protection | Check box | Enable / disable network blocking bypass for trusted proxies. Default: |
| Allow gateway IP to bypass network protection | Check box | Enable / disable network blocking bypass for the default gateway. Note that this does not exempt requests passing through the default gateway, only requests whose source is the default gateway itself. Default: |
When enabled, the DoS mitigation system tracks source IP connections to inbound interfaces. If an IP exceeds the configured limits it is added to the list of blocked IPs and further connection attempts are silently dropped at the network level.

| Setting | Type | Description |
| --- | --- | --- |
| Enable DoS mitigation | Check box | Enable / disable DoS mitigation. Default: |
| Max src conn | Input field | Limits the maximum number of simultaneous TCP connections (connections that have completed the 3-way handshake) a single host can make. |
| Max src conn rate | Two input fields: number and seconds | Limits the rate of new connections to a given number per time interval. |
| Blacklist IPs for | | How long, in seconds, IPs are blacklisted. IPs are automatically removed from the list when the blacklist period has ended. |
Attack source auto blocking tracks denied source IPs at the application level and blocks an IP at the network level when it reaches the configured limits.

| Setting | Type | Description |
| --- | --- | --- |
| Enable Attack Source Auto Blocking | Check box | Enable / disable Attack Source Auto Blocking. Default: |
| Attack threshold | Input field | Sets the maximum number of denied requests across all websites within a certain time frame (Time threshold, below). Only websites with source tracking enabled contribute to this count, and for each such website a risk threshold is configured; only denied requests above that risk threshold are added to this global counter. |
| Time threshold | Input field | Sets the time frame within |
| Blacklist IPs for | | How long, in seconds, IPs triggering Attack source auto blocking are blacklisted. IPs are automatically removed from the list when the blacklist period has ended. |
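The following is an added illustrative model, written for this page and not the product's own code, of how the DoS mitigation settings (Max src conn, Max src conn rate, Blacklist IPs for), the attack source auto blocking settings (Attack threshold, Time threshold, per-website risk threshold), the network blocking bypass white list and the timed removal of blacklisted IPs fit together. Class names, parameter names, the sample addresses and the deny-log events are all assumptions constructed for the example; time is passed in explicitly as seconds so the blacklist expiry can be exercised without waiting.

```python
from collections import defaultdict, deque

class Blocklist:
    """Blocked source IPs with expiry; bypass white-list IPs are never blocked."""

    def __init__(self, bypass=()):
        self.bypass = set(bypass)  # trusted clients, trusted proxies, default gateway
        self.blocked = {}          # ip -> (violation, expires_at)

    def block(self, ip, violation, now, seconds):
        if ip in self.bypass:
            return False
        self.blocked[ip] = (violation, now + seconds)
        return True

    def is_blocked(self, ip, now):
        entry = self.blocked.get(ip)
        if entry is None:
            return False
        if now >= entry[1]:  # blacklist period ended: removed automatically
            del self.blocked[ip]
            return False
        return True

def _prune(window, now, seconds):
    """Drop timestamps that fall outside the sliding window."""
    while window and window[0] <= now - seconds:
        window.popleft()

class DosMitigation:
    """Max src conn (simultaneous) and max src conn rate (new per interval) per source IP."""

    def __init__(self, bl, max_src_conn, rate_count, rate_seconds, blacklist_seconds):
        self.bl, self.max_src_conn, self.blacklist_seconds = bl, max_src_conn, blacklist_seconds
        self.rate_count, self.rate_seconds = rate_count, rate_seconds
        self.open = defaultdict(int)   # completed-handshake connections per IP
        self.new = defaultdict(deque)  # timestamps of new connections per IP

    def connect(self, ip, now):
        """A TCP handshake completed from ip at time now: returns 'accept' or 'drop'."""
        if self.bl.is_blocked(ip, now):
            return "drop"  # silently dropped at the network level
        self.open[ip] += 1
        self.new[ip].append(now)
        _prune(self.new[ip], now, self.rate_seconds)
        over = self.open[ip] > self.max_src_conn or len(self.new[ip]) > self.rate_count
        if over and self.bl.block(ip, "DoS mitigation", now, self.blacklist_seconds):
            self.open[ip], self.new[ip] = 0, deque()  # dropped connections are not open
            return "drop"
        return "accept"

    def close(self, ip):
        self.open[ip] = max(0, self.open[ip] - 1)

class AttackSourceAutoBlock:
    """Blocks a source reaching attack_threshold qualifying deny events within time_threshold s."""

    def __init__(self, bl, attack_threshold, time_threshold, blacklist_seconds, site_risk):
        self.bl, self.blacklist_seconds = bl, blacklist_seconds
        self.attack_threshold, self.time_threshold = attack_threshold, time_threshold
        self.site_risk = site_risk  # source-tracked website -> its risk threshold
        self.events = defaultdict(deque)

    def deny_event(self, site, ip, risk, now):
        """Record a website deny-log event; True if this event got the IP blocked."""
        threshold = self.site_risk.get(site)
        if threshold is None or risk < threshold:
            return False  # website not source-tracked, or event below its risk level
        window = self.events[ip]
        window.append(now)
        _prune(window, now, self.time_threshold)
        if len(window) >= self.attack_threshold:
            return self.bl.block(ip, "Attack source auto blocking", now, self.blacklist_seconds)
        return False

def run_demo():
    """Constructed scenario (sample addresses and events, not real traffic)."""
    bl = Blocklist(bypass={"10.0.0.1"})  # assumed default gateway address
    dos = DosMitigation(bl, max_src_conn=3, rate_count=5, rate_seconds=10, blacklist_seconds=86400)
    asb = AttackSourceAutoBlock(bl, attack_threshold=3, time_threshold=60,
                                blacklist_seconds=3600, site_risk={"shop": 3})
    r = {}
    # 4th simultaneous connection exceeds max src conn; dropped until the 24 h period ends
    r["conn"] = [dos.connect("203.0.113.5", t) for t in (0, 1, 2, 3, 10)]
    r["conn_violation"] = bl.blocked["203.0.113.5"][0]
    r["conn"].append(dos.connect("203.0.113.5", 86403))
    # 6 short-lived connections within 10 s exceed max src conn rate (5 per 10 s)
    r["rate"] = []
    for t in range(6):
        r["rate"].append(dos.connect("192.0.2.9", t))
        dos.close("192.0.2.9")
    # the gateway is on the bypass list and is never blocked
    r["gateway"] = [dos.connect("10.0.0.1", 0) for _ in range(10)]
    # only "shop" is source-tracked (risk threshold 3); 3rd qualifying event in 60 s blocks
    events = [("shop", 5, 0), ("shop", 2, 1), ("blog", 9, 2), ("shop", 7, 5), ("shop", 4, 50)]
    r["attack"] = [asb.deny_event(site, "198.51.100.7", risk, t) for site, risk, t in events]
    r["attack_blocked_later"] = bl.is_blocked("198.51.100.7", 51)
    r["attack_after_expiry"] = bl.is_blocked("198.51.100.7", 3650)
    return r
```

Calling `run_demo()` walks through the four situations the documentation describes: a host exceeding Max src conn is blocked and silently dropped until its blacklist period of 86400 seconds has passed, a host opening more new connections than Max src conn rate allows is blocked even though it never holds many connections open, the default gateway on the bypass white list is never blocked however many connections it opens, and deny-log events only count towards Attack threshold when they come from a source-tracked website and meet its risk threshold. The two counters share one sliding-window helper because both settings are expressed as "N events within T seconds".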