Introduction to ADS’s HTTP Keyword Checking Policy

August 29, 2023 | NSFOCUS

HTTP Keyword Checking is a process by which ADS controls HTTP traffic passing through the ADS device: it takes the configured action (Accept, Drop, Disconnect, Add to blacklist, Add to whitelist, or Limit rate) on passing packets whose source IP address and specific HTTP fields match an HTTP Keyword Checking rule. Because HTTP Keyword Checking blocks traffic from illegitimate users without indiscriminately blocking all packets from a source IP address, it reduces the possibility of blocking legitimate IP addresses.

You can configure up to 32 HTTP Keyword Checking rules, which can take effect only after being referenced in a group protection policy or default protection policy. When a packet reaches ADS, the system matches the packet against HTTP Keyword Checking rules in sequence. Once the packet hits a rule, the system takes the action specified in the rule and stops matching the packet against other rules.

An HTTP Keyword Checking rule can be added, edited, and deleted. This post describes only how to add such a rule, as methods for editing and deleting HTTP Keyword Checking rules are similar to the steps below.

1. Define HTTP keywords

Configuration procedure: Choose Policy > Access Control > HTTP Keyword Checking and click Add.

For Keyword, you can select multiple check boxes. In this case, the logical relationship is “and”, indicating that the rule is deemed to be hit only when all specified keywords are hit at the same time. The action is usually Drop or Drop and add to blacklist. For the latter, you need to choose Policy > Access Control > Blacklist and enable the blacklist function.

Currently, ADS can check keywords by Method, Cookie, Host, Referer, Request Url, Version, User Agent, and x-forwarded-for.

Let’s look at several examples:

Example 1: Cookie is set to songshaowei. If the actual cookie is songshaoweicookietets, the keyword is deemed to be hit.

Example 2: Referer is set to http://www.nsfocusglobal.com. If the actual referer is http://www.nsfocusglobal.com, the keyword is deemed to be hit.

Example 3: Referer is set to nsfocus. If the actual referer is http://www.nsfocusglobal.com, the keyword is deemed to be hit.

Example 4: Referer is set to http://www.nsfocus.com. If the actual referer is http://www.nsfocus.com/nsfocus, the keyword is deemed to be hit.

2. Configure HTTP Keyword Checking Policy

When selecting the HTTP Keyword Checking policy for a protection group, you should select Yes for Enable and add the previously defined HTTP keywords and HTTP Keyword Checking rules. You can select multiple rules, and the logical relationship between them is “or”. ADS checks packets against these rules in sequence; if one rule is hit, ADS takes the action specified in that rule. Like an ACL, the HTTP Keyword Checking policy triggers protection as soon as it is matched, regardless of whether any threshold (pps) is reached.
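The matching semantics described in sections 1 and 2 (substring keywords as in Examples 1 to 4, “and” between the keywords of one rule, “or” between the rules of a policy, sequential matching with the first hit deciding) can be simulated to check a rule set before it is deployed. The following is an added example written for this post; it is not ADS code or an ADS API, and the rule names, sample requests, and the header-to-field mapping are constructed assumptions.

```python
from dataclasses import dataclass

# Request fields ADS can check, named as the page lists them.
CHECKABLE_FIELDS = {"Method", "Cookie", "Host", "Referer", "Request Url",
                    "Version", "User Agent", "x-forwarded-for"}
# Actions a rule can take, as listed on the page.
ACTIONS = {"Accept", "Drop", "Disconnect", "Add to blacklist",
           "Add to whitelist", "Limit rate"}
MAX_RULES = 32  # page: up to 32 HTTP Keyword Checking rules

# Assumption: which raw header feeds each checkable field.
HEADER_TO_FIELD = {"cookie": "Cookie", "host": "Host", "referer": "Referer",
                   "user-agent": "User Agent", "x-forwarded-for": "x-forwarded-for"}


@dataclass
class KeywordRule:
    """One HTTP Keyword Checking rule: every keyword must be hit (logical 'and')."""
    name: str
    action: str
    keywords: dict  # field name -> keyword; each keyword is a substring test

    def __post_init__(self):
        unknown = set(self.keywords) - CHECKABLE_FIELDS
        if unknown or not self.keywords:
            raise ValueError(f"rule {self.name}: bad fields {sorted(unknown)}")
        if self.action not in ACTIONS:
            raise ValueError(f"rule {self.name}: unknown action {self.action}")

    def hits(self, fields: dict) -> bool:
        # Substring match, as in the page's examples: keyword "nsfocus" hits
        # referer "http://www.nsfocusglobal.com"; a missing field never matches.
        return all(kw in fields.get(f, "") for f, kw in self.keywords.items())


def parse_request(raw: str) -> dict:
    """Extract the checkable fields from the head of an HTTP/1.x request."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, url, version = head[0].split(" ", 2)
    fields = {"Method": method, "Request Url": url, "Version": version}
    for line in head[1:]:
        name, _, value = line.partition(":")
        field = HEADER_TO_FIELD.get(name.strip().lower())
        if field:
            fields[field] = value.strip()
    return fields


def evaluate_policy(rules, fields: dict):
    """Rules in a policy are 'or'-ed and tried in order; the first hit decides."""
    if len(rules) > MAX_RULES:
        raise ValueError("at most 32 HTTP Keyword Checking rules")
    for rule in rules:
        if rule.hits(fields):
            return rule.action, rule.name  # stop matching after the first hit
    return None, None  # no rule hit; the page defines no default action here


# Constructed sample requests (not captured traffic); values follow the page's examples.
REQ_A = ("GET /index.html HTTP/1.1\r\n"
         "Host: www.nsfocusglobal.com\r\n"
         "Cookie: songshaoweicookietets\r\n"
         "Referer: http://www.nsfocusglobal.com\r\n"
         "User-Agent: Mozilla/5.0\r\n\r\n")
REQ_B = ("GET /login HTTP/1.1\r\n"
         "Host: www.nsfocus.com\r\n"
         "Referer: http://www.nsfocus.com/nsfocus\r\n"
         "User-Agent: curl/8.0\r\n\r\n")

# Constructed rule set, in the order it would be configured.
RULES = [
    KeywordRule("allow-browser", "Accept", {"User Agent": "Mozilla"}),
    KeywordRule("drop-cookie", "Drop", {"Cookie": "songshaowei"}),
    KeywordRule("blacklist-curl-login", "Add to blacklist",
                {"User Agent": "curl", "Request Url": "/login"}),
]


def demo():
    """Decision (action, rule name) for each sample request under RULES."""
    return {name: evaluate_policy(RULES, parse_request(raw))
            for name, raw in (("A", REQ_A), ("B", REQ_B))}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

Note that request A is accepted by the first rule even though the second rule would also hit it; because matching stops at the first hit, rule order in the policy is part of the policy's meaning, and reordering the same rules changes the outcome.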

You can view details under Logs > Attack Details.

Note: ADS logs at most three randomly sampled alerts on dropped traffic in every 30-second interval. It is therefore possible for ADS to drop packets that do not appear in the attack details.
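Because of this sampling, the number of alerts in Attack Details is a lower bound on the number of drops, not a drop count. The following added example (not ADS code; the random-selection method is an assumption of this simulation) shows how far the two can diverge for a constructed timeline of drops.

```python
import random
from collections import defaultdict

WINDOW_SECONDS = 30        # page: alerts are sampled per 30-second interval
MAX_ALERTS_PER_WINDOW = 3  # page: at most three drop alerts per interval


def sample_drop_alerts(drop_times, seed=0):
    """Return the subset of drop events that would reach Attack Details.

    Events are grouped into 30 s windows; when a window holds more than
    three, three are picked at random (the page says the choice is random;
    picking uniformly with a fixed seed is this simulation's assumption).
    """
    rng = random.Random(seed)
    windows = defaultdict(list)
    for t in drop_times:
        windows[int(t // WINDOW_SECONDS)].append(t)
    logged = []
    for key in sorted(windows):
        events = windows[key]
        if len(events) > MAX_ALERTS_PER_WINDOW:
            events = rng.sample(events, MAX_ALERTS_PER_WINDOW)
        logged.extend(sorted(events))
    return logged


def undercount(drop_times):
    """(dropped, logged) for a list of drop timestamps in seconds."""
    return len(drop_times), len(sample_drop_alerts(drop_times))


# Constructed timeline: 200 drops spread evenly over two minutes.
DROPS = [i * 0.6 for i in range(200)]

if __name__ == "__main__":
    print(undercount(DROPS))  # (200, 12)
```

For drop-rate reporting, use the ADS traffic statistics rather than counting Attack Details entries.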