Auto-Challenging

When enabled, the Auto-Challenging feature allows you to use the WEIGH action in your rules.

The idea behind this feature is that a suspicious visitor is not challenged on the strength of a single rule, but on a weight score calculated by evaluating multiple rules against the request.

Instead of immediately issuing a challenge, rules with WEIGH actions are evaluated in order, and once evaluation has finished a weight score is calculated. That weight is then compared against one or more thresholds that decide whether to issue a challenge at all and, if so, which kind of challenge and at which difficulty.

WEIGH actions can either add points to or subtract points from the visitor's weight score.

Configuration

This feature has its own configuration section in the global configuration file:

  auto_challenge:
    # Master toggle for weight-based auto-challenge.
    enabled: false
    # Weight thresholds. The highest threshold that the accumulated weight
    # meets or exceeds is selected. Each threshold specifies the challenge
    # algorithm ("metarefresh", "preact", or "pow") and difficulty (0–64).
    thresholds:
      - name: light-check
        threshold: 10
        challenge: metarefresh
        difficulty: 1
      - name: moderate-check
        threshold: 25
        challenge: preact
        difficulty: 3
      - name: heavy-check
        threshold: 40
        challenge: pow
        difficulty: 6
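The following is an added worked example, not code from the WAF or its documentation: it walks through the scoring and threshold selection described above with a small rule engine written for this page. The rule syntax (`WeighRule` with a predicate and a weight), the request model (a plain mapping of lower-cased header names), and the sample rules are assumptions made for the example; only the thresholds mirror the configuration shown above.

```python
"""Weight-based auto-challenging, worked through with a hypothetical rule engine.

The rule syntax, the request model and the sample rules below are assumptions
made for this example; they are not the WAF's own rule language or rule set.
"""
from dataclasses import dataclass
from typing import Callable, Mapping, Optional

# Constructed stand-in for an HTTP request: lower-cased header names to values.
Request = Mapping[str, str]

CLI_UA_PREFIXES = ("curl/", "wget/", "python-requests/", "go-http-client/")


@dataclass(frozen=True)
class WeighRule:
    """A rule whose action is WEIGH: adds (positive) or subtracts (negative) points."""
    name: str
    matches: Callable[[Request], bool]
    weight: int


@dataclass(frozen=True)
class Threshold:
    """One entry of the auto_challenge.thresholds list from the configuration."""
    name: str
    threshold: int
    challenge: str
    difficulty: int


# Mirrors the thresholds in the configuration example above.
THRESHOLDS = [
    Threshold("light-check", 10, "metarefresh", 1),
    Threshold("moderate-check", 25, "preact", 3),
    Threshold("heavy-check", 40, "pow", 6),
]

# Hypothetical WEIGH rules in the spirit of the GPR (not the real rule set).
RULES = [
    WeighRule("cli-user-agent",
              lambda r: r.get("user-agent", "").lower().startswith(CLI_UA_PREFIXES), 20),
    WeighRule("no-accept-language",
              lambda r: "accept-language" not in r, 15),
    WeighRule("browser-ua-without-sec-fetch",
              lambda r: "Mozilla/" in r.get("user-agent", "") and "sec-fetch-mode" not in r, 15),
    WeighRule("no-accept",
              lambda r: "accept" not in r, 10),
    # Negative weight: an established session cookie counts in the visitor's favour.
    WeighRule("authenticated-session",
              lambda r: "session=" in r.get("cookie", ""), -20),
]


def score_request(request: Request, rules: list[WeighRule]) -> tuple[int, list[str]]:
    """Evaluate every WEIGH rule in order and accumulate the weight score.

    Returns the final score and the names of the rules that fired, so the
    decision can be logged and explained.
    """
    score = 0
    fired: list[str] = []
    for rule in rules:
        if rule.matches(request):
            score += rule.weight
            fired.append(rule.name)
    return score, fired


def select_threshold(score: int, thresholds: list[Threshold]) -> Optional[Threshold]:
    """Pick the highest threshold the score meets or exceeds, or None for no challenge.

    Thresholds are sorted here so the result does not depend on their order in the config.
    """
    for t in sorted(thresholds, key=lambda t: t.threshold, reverse=True):
        if score >= t.threshold:
            return t
    return None


def decide(request: Request, rules=RULES, thresholds=THRESHOLDS) -> Optional[Threshold]:
    """Full pipeline: score the request, then map the score to a challenge (or none)."""
    score, _ = score_request(request, rules)
    return select_threshold(score, thresholds)


# Constructed sample requests (headers only; not captured traffic).
REQUESTS: dict[str, Request] = {
    "browser": {"user-agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0",
                "accept": "text/html", "accept-language": "en-US,en;q=0.9",
                "sec-fetch-mode": "navigate"},
    "curl": {"user-agent": "curl/8.5.0", "accept": "*/*"},
    "spoofed-ua": {"user-agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0.0.0"},
    "scripted-session": {"user-agent": "python-requests/2.31.0",
                         "accept": "application/json", "cookie": "session=3f9c1a"},
}

if __name__ == "__main__":
    for label, req in REQUESTS.items():
        score, fired = score_request(req, RULES)
        chosen = select_threshold(score, THRESHOLDS)
        verdict = f"{chosen.challenge} (difficulty {chosen.difficulty})" if chosen else "no challenge"
        print(f"{label:<17} score={score:>3} fired={fired} -> {verdict}")
```

Two details worth noting: the spoofed-UA request lands on exactly 40 and still receives the heavy proof-of-work challenge, because a threshold is selected when the score meets it, not only when it exceeds it; and the scripted client with a valid session cookie drops from 35 to 15 through the negative weight, so it gets only the lightweight meta-refresh check instead of the heavier challenge.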

Rules

Our GPR (General Purpose Rules) already include a number of WEIGH rules that should be generically applicable to most WAF deployments. They aim to detect and challenge requests that are obviously automated, such as those made with CLI tools, even when the user agent is spoofed.