Rules

Written by
Yandex Cloud
Updated at April 17, 2026
  • Basic rules
  • Smart Protection rules
  • WAF + Smart Protection rules
  • Advanced Rate Limiter rules
  • Rule actions
  • Overview of how rules work
    • Security profile
    • ARL profile

Using rules, you can define conditions for selecting HTTP requests, specify the action to apply to requests that match these conditions, and prioritize the rules relative to each other.

The rule priority is set as a numeric parameter from 1 to 1000000.

Note

The smaller the value, the higher is the rule priority. The priorities for preconfigured rules are as follows:

  • Basic default rule: 1000000.
  • Smart Protection rule providing full protection: 999900.

You can also log information about the traffic matching your conditions, without applying any action to it.

Yandex Smart Web Security provides the following rule types:

  • Basic
  • Smart Protection
  • Web Application Firewall
  • Advanced Rate Limiter

You can learn more in Managing rules.

Basic rules

Basic rule is a rule that allows, denies, or directs traffic to Yandex SmartCaptcha based on specified conditions. It is used for simple traffic filtering based on specific parameters.

Each security profile includes a basic default rule with the lowest priority (1000000) that allows or denies all traffic.

Note

If the Deny action is set for the basic default rule and requests are sent to SmartCaptcha for verification, add a basic rule that allows requests to the CAPTCHA service; otherwise the default rule blocks the challenge itself and users can never pass it. The path of such requests matches the regular expression /tmgrdfrend.*. Give this rule a higher priority than the rules that issue the CAPTCHA challenge.

Smart Protection rules

A Smart Protection rule sends traffic that matches its conditions for automatic analysis by machine learning and behavioral analysis algorithms. This rule provides L7 DDoS protection. If there is no such rule, or the rule is in Logging only mode, the protection does not apply and the traffic reaches the protected resource unchecked. Depending on the selected action, suspicious requests are sent to SmartCaptcha for additional verification or blocked.

WAF + Smart Protection rules

Web Application Firewall rules engage a WAF profile to analyze traffic for compliance with the WAF basic rule sets. These rules also enable Smart Protection against L7 DDoS. Depending on the selected action, suspicious requests are sent to SmartCaptcha for additional verification or get blocked.

You can use the following SmartCaptcha CAPTCHA options to verify requests matched by Smart Protection and Web Application Firewall rules:

  • Default: Managed by Yandex Cloud. This CAPTCHA has the following settings:

    • Main challenge: Checkbox.
    • Additional challenge: Silhouettes.
    • Additional challenge difficulty: Easy.
    • Appearance: Standard.

    The Default CAPTCHA usage fee is included in the cost of Smart Web Security.

  • Custom CAPTCHA: You can customize CAPTCHA's difficulty, types of main and additional challenges, and appearance.

    Note

    To use a custom CAPTCHA, select Disable domain verification in its settings.

    The custom CAPTCHA usage fee is charged according to the SmartCaptcha pricing policy.

Advanced Rate Limiter rules

An Advanced Rate Limiter (ARL) rule counts the requests received over a certain period of time. Requests are counted only after the security profile (basic, Smart Protection, and Web Application Firewall rules) has allowed them, so ARL rules are evaluated in a separate pass with their own priorities, independent of the security profile rules.

ARL rules allow you to set limits either for the whole traffic or some of its segments.

Unlike Smart Protection and WAF rules, ARL rules are configured in an ARL profile.

Rule actions

Actions for basic rules:

  • Deny traffic whose parameters match the conditions.
  • Allow traffic whose parameters match the conditions.

Actions for Smart Protection and Web Application Firewall rules:

  • Full protection: Traffic is checked by ML models and behavioral analysis algorithms. Suspicious requests are redirected to SmartCaptcha.

    Warning

    To ensure your application works correctly, apply API protection to HTTP requests with dynamic content loading: a script or app issuing such requests cannot complete a CAPTCHA challenge, so redirecting them to SmartCaptcha breaks the application.

  • API protection: Traffic is checked by ML models and behavioral analysis algorithms, but requests are not sent to SmartCaptcha, which keeps legitimate API calls to the protected resource working. Special DDoS protection policies block only overt attack attempts, so a request that Full protection mode would have redirected to a CAPTCHA challenge may be let through to the protected resource in API protection mode. Use API protection for endpoints that:

    • Belong to mobile apps.
    • Receive automated calls.
    • Process requests with dynamic content loading, such as ajax, xhr, iframe, etc.

Actions for Advanced Rate Limiter rules:

  • Block requests in excess of the limit. Requests above the specified limit over a period of time will be blocked until the limit period expires. The requesting client will get error 429.

  • Temporarily block all requests. Requests above the specified limit over a period of time will be blocked for a fixed period of time, rather than until the end of the limit period. The requesting client will get error 429. You can block requests for a period from 1 second to 24 hours.

  • Send requests in excess of the limit to captcha. Requests above the specified limit over a period of time are sent to SmartCaptcha instead of being blocked. You configure the CAPTCHA in the security profile to which the ARL profile is connected. This helps differentiate legitimate users from bots, so over-limit requests are not blocked outright and the application remains available.

    Warning

    Do not use CAPTCHA for HTTP requests with dynamic content loading (ajax, xhr, iframe) and requests to mobile applications.

To standardize client response pages for triggered rules, you can create your own response templates.

The requests that were allowed by all rules and let through to the protected resource are called legitimate.

Overview of how rules work

  • All rules within a profile are evaluated against every request at once, and a single request may match several rules. The matching rule with the highest priority (the lowest number) determines how the request is handled.

  • Assign higher priority to:

    • Rules that allow requests.
    • Rules whose conditions filter on specific parameters.

    Otherwise, a general rule with a broader condition may take precedence, and the more specific rule never applies.

  • If you are using a WAF rule for a traffic slice, a separate Smart Protection rule against DDoS attacks is not required for that same slice, as Smart Protection is already included in the WAF rule. This is why WAF rules also have Full protection and API protection modes.

  • In API protection mode, requests are not sent to SmartCaptcha. Use this mode for automated traffic, mobile applications, and requests with dynamic content loading, e.g., ajax, xhr, and iframe.

  • ARL profile rules apply after the security profile rules and may block some requests the security profile has already allowed. Therefore, if you have configured allowing rules in the security profile, duplicate them in the ARL profile.

  • In Logging only mode, a rule does not affect traffic handling: the match is only logged, and the request is handled by the next matching rule with lower priority that is in regular operation mode.

Security profile

Security profile rules apply to traffic based on priority: the lower the number, the higher the priority.

Recommended order of priority

  1. Allowing rule for captcha service routes.
  2. Allowing rules with traffic conditions.
  3. Blocking rules with traffic conditions.
  4. Smart Protection and WAF + Smart Protection rules in API protection mode with traffic conditions for endpoints where you cannot show captcha.
  5. Smart Protection and WAF + Smart Protection rules in Full protection mode with traffic conditions.
  6. Smart Protection and WAF + Smart Protection rules in Full protection mode for the whole traffic.

Rule configuration example

Priority   Rule name        Action            Rule description
8000       allow-captcha    Allow             Rule to allow captcha service routes
9000       allow-by-list    Allow             Basic rule for allowlisted IP addresses
9100       block-by-list    Deny              Basic rule for blocklisted IP addresses
9200       block-by-geo     Deny              Basic rule by region
900000     api-protection   API protection    Smart Protection for the public API
999900     sp-rule-1        Full protection   Smart Protection from a ready-made template
1000000    -                Allow             Basic default rule

In this example, the Allow action is set for the basic default rule, while all other rules are in Logging only (dry run) mode, so no traffic is blocked yet and the logs show which rules would have applied. When switching the rules to regular operation mode, set the Deny action for the basic default rule.
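The following model, added here as an illustration and not Yandex Cloud code, reproduces the resolution semantics described in the overview above (every rule is evaluated, the matching rule with the lowest priority number applies, Logging only rules are recorded and skipped so the next matching rule in regular mode applies) for the example security profile in the table. The request fields, the sample IP lists, the region code, the /api/ path prefix and the label "default" for the unnamed default rule are constructed assumptions for the example.

```python
"""Model of how a security profile selects the effective rule for a request.

Added illustration, not Yandex Cloud code. It follows the rule-resolution
semantics documented on this page using the example profile from the table.
The request fields, sample lists, region code and /api/ prefix are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

ALLOW, DENY = "Allow", "Deny"
API_PROTECTION, FULL_PROTECTION = "API protection", "Full protection"


@dataclass(frozen=True)
class Request:
    path: str
    ip: str
    region: str


@dataclass
class Rule:
    priority: int                       # 1 .. 1000000; the lower the number, the higher the priority
    name: str
    action: str
    matches: Callable[[Request], bool]  # the rule's conditions
    logging_only: bool = False          # Logging only (dry run) mode

    def __post_init__(self) -> None:
        if not 1 <= self.priority <= 1_000_000:
            raise ValueError("priority must be between 1 and 1000000")


# Constructed sample lists for the example.
WHITE_IPS = {"203.0.113.10"}
BLACK_IPS = {"198.51.100.7"}
BLOCKED_REGIONS = {"XX"}
CAPTCHA_ROUTE = re.compile(r"/tmgrdfrend.*")  # route pattern from the note on basic rules
API_PREFIX = "/api/"                           # assumed path prefix of the public API


def example_profile(dry_run: bool) -> List[Rule]:
    """The table above. dry_run: every rule except the default is Logging only and the default is Allow;
    otherwise the rules are active and the default is Deny, as the page recommends."""
    return [
        Rule(8000, "allow-captcha", ALLOW, lambda r: CAPTCHA_ROUTE.match(r.path) is not None, dry_run),
        Rule(9000, "allow-by-list", ALLOW, lambda r: r.ip in WHITE_IPS, dry_run),
        Rule(9100, "block-by-list", DENY, lambda r: r.ip in BLACK_IPS, dry_run),
        Rule(9200, "block-by-geo", DENY, lambda r: r.region in BLOCKED_REGIONS, dry_run),
        Rule(900_000, "api-protection", API_PROTECTION, lambda r: r.path.startswith(API_PREFIX), dry_run),
        Rule(999_900, "sp-rule-1", FULL_PROTECTION, lambda r: True, dry_run),
        Rule(1_000_000, "default", ALLOW if dry_run else DENY, lambda r: True),  # "default" is an assumed label
    ]


def resolve(rules: List[Rule], request: Request) -> Tuple[Rule, List[str]]:
    """Return the rule that handles the request and the names of Logging only rules that would have.

    Every rule is checked; the first match in priority order that is in regular mode wins.
    """
    would_have_applied: List[str] = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.matches(request):
            continue
        if rule.logging_only:
            would_have_applied.append(rule.name)  # logged, but the request falls through
            continue
        return rule, would_have_applied
    raise RuntimeError("a security profile always ends in the basic default rule")


if __name__ == "__main__":
    sample = Request("/", "198.51.100.7", "RU")  # constructed: request from a blocklisted address
    for mode, rules in (("dry run", example_profile(True)), ("regular", example_profile(False))):
        rule, logged = resolve(rules, sample)
        print(f"{mode}: handled by {rule.name} ({rule.action}); logging-only matches: {logged}")
```

Running the demo shows why the dry run is safe to roll out first: the blocklisted address is still let through by the default Allow rule, but the log records that block-by-list and sp-rule-1 would have matched, which is exactly what you review before switching the rules to regular operation mode. The same resolver also shows the ordering point from the recommended priority list: a request to /tmgrdfrend.* from a blocklisted address is allowed by allow-captcha (8000) before block-by-list (9100) is considered.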

ARL profile

ARL profile rules are applied to traffic that has already passed the security profile rules. The ARL profile has its own priority system, independent of how the security profile rules are prioritized; the lower the number, the higher the ARL rule priority. The table below shows the order in which the example rules apply.

Priority   Rule name    Action                                        Rule description
1000       arl-rule-1   Block requests in excess of the limit         Limits the general load on the resource
2000       arl-rule-2   Temporarily block all requests                Protects against bots, parsers, brute-force attacks, spam
3000       arl-rule-3   Send requests in excess of the limit to captcha   Limits requests to the API

You can configure ARL rules with any priority values. In Logging only mode, ARL rules do not block requests but log over-limit events.
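The following model, added here as an illustration and not Yandex Cloud code, implements the three ARL actions listed under Rule actions (block over-limit requests until the limit period ends, temporarily block all requests from the segment for a fixed time, send over-limit requests to CAPTCHA), the ARL priority order and Logging only mode, for the three-rule example profile in the table above. The limits, windows, paths, addresses and the counting model are constructed assumptions: each rule keeps a fixed counting window per segment, and the first over-limit rule in priority order decides the verdict for that request.

```python
"""Model of an Advanced Rate Limiter (ARL) profile.

Added illustration, not Yandex Cloud code. Assumptions: a fixed counting
window per rule and segment, and the first over-limit rule in priority
order decides; lower-priority rules are not consulted for that request.
Limits, windows, paths and addresses below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

BLOCK_OVER_LIMIT = "block requests in excess of the limit"   # 429 until the limit period ends
TEMP_BLOCK_ALL = "temporarily block all requests"            # 429 for a fixed duration
CAPTCHA = "send requests in excess of the limit to captcha"  # over-limit requests go to SmartCaptcha


@dataclass(frozen=True)
class Req:
    ts: float   # seconds
    ip: str
    path: str


@dataclass
class ArlRule:
    priority: int                                       # lower number = higher priority
    name: str
    limit: int                                          # requests allowed per window
    window_s: float                                     # limit period
    action: str
    matches: Callable[[Req], bool] = lambda r: True     # whole traffic by default
    segment: Callable[[Req], str] = lambda r: "all"     # counter key: whole traffic or a slice of it
    block_for_s: float = 0.0                            # TEMP_BLOCK_ALL only: 1 s .. 24 h
    logging_only: bool = False

    def __post_init__(self) -> None:
        if self.action == TEMP_BLOCK_ALL and not 1 <= self.block_for_s <= 24 * 3600:
            raise ValueError("block duration must be between 1 second and 24 hours")


class ArlProfile:
    def __init__(self, rules: List[ArlRule]) -> None:
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.windows: Dict[Tuple[str, str], Tuple[float, int]] = {}   # (rule, segment) -> (window start, count)
        self.blocked_until: Dict[Tuple[str, str], float] = {}         # (rule, segment) -> end of fixed block
        self.log: List[Tuple[float, str, str]] = []                   # Logging only events

    def handle(self, req: Req) -> str:
        """Return "pass", "429" or "captcha" for a request the security profile already allowed."""
        for rule in self.rules:
            if not rule.matches(req):
                continue
            key = (rule.name, rule.segment(req))
            if self.blocked_until.get(key, 0.0) > req.ts:
                verdict = "429"                          # fixed-duration block still active
            else:
                start, count = self.windows.get(key, (req.ts, 0))
                if req.ts - start >= rule.window_s:
                    start, count = req.ts, 0             # limit period elapsed: counter restarts
                count += 1
                self.windows[key] = (start, count)
                if count <= rule.limit:
                    continue                             # within limit for this rule, check the next one
                if rule.action == TEMP_BLOCK_ALL:
                    self.blocked_until[key] = req.ts + rule.block_for_s
                verdict = "captcha" if rule.action == CAPTCHA else "429"
            if rule.logging_only:
                self.log.append((req.ts, rule.name, verdict))   # recorded, not enforced
                continue
            return verdict
        return "pass"


def example_arl_profile(logging_only: bool = False) -> ArlProfile:
    """The three-rule table above with small constructed limits."""
    return ArlProfile([
        ArlRule(1000, "arl-rule-1", 10, 60, BLOCK_OVER_LIMIT, logging_only=logging_only),
        ArlRule(2000, "arl-rule-2", 5, 10, TEMP_BLOCK_ALL, matches=lambda r: r.path == "/login",
                segment=lambda r: r.ip, block_for_s=60, logging_only=logging_only),
        ArlRule(3000, "arl-rule-3", 3, 10, CAPTCHA, matches=lambda r: r.path.startswith("/api/"),
                segment=lambda r: r.ip, logging_only=logging_only),
    ])


def simulate(profile: ArlProfile, events: List[Tuple[float, str, str]]) -> List[str]:
    """Feed (timestamp, ip, path) events through the profile and collect the verdicts."""
    return [profile.handle(Req(ts, ip, path)) for ts, ip, path in events]


if __name__ == "__main__":
    # Constructed sample: a password-guessing burst against /login from one address.
    burst = [(t, "198.51.100.7", "/login") for t in range(6)]
    burst += [(30, "198.51.100.7", "/login"), (70, "198.51.100.7", "/login")]
    print(simulate(example_arl_profile(), burst))
```

The burst shows the difference between the two blocking actions: the sixth login attempt trips arl-rule-2, and because its action is "Temporarily block all requests" the address stays blocked at t=30 even though the 10-second limit period has long ended, and is released only after the fixed 60-second block. A general limit with "Block requests in excess of the limit" (arl-rule-1) instead releases the client as soon as the next limit period starts.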

© 2026 Direct Cursus Technology L.L.C.