search close

Testing Blocking Mode

access_time Updated Sep 26, 2021

Signal Sciences takes a different approach to blocking compared to other products — rather than blocking individual requests that match a particular signature, we look for spikes in malicious traffic from a particular IP (aggregated across all of our agents), and flag that IP if it exceeds specific thresholds in a 1, 10, or 60 minute window. Once an IP is flagged, we block all malicious traffic from that IP for the next 24 hours. This means that requests that don’t contain an attack will be allowed, preventing Signal Sciences from breaking normal traffic.

Note, if you completed Scenario 3 from the Testing With Attack Tooling page, you have already verified blocking malicious traffic using an attack tool. To manually verify blocking, complete the two sections below.

Verifying your IP was flagged

After you’ve run your scan:

  1. Verify that your IP is listed under “Events” on the Overview page.
  2. Verify that you received an email indicating that your IP was flagged.

From the “Events” module on the Overview page, click on the flagged IP to view additional information. You can also click through to the event from the event email.

From the event page you can view the requests that led to the decision being made as well as any subsequent malicious requests. For information on using the search page see Investigating an attack.

Manually Verifying blocking

  1. If your agent mode is set to “not blocking” (the default), you can verify that subsequent malicious requests are allowed by visiting your site with a malicious payload (e.g., https://www.example.com/?q=<script>alert('xss')</script>).
  2. To test “blocking” mode, click Not blocking in the site navigation and then Manage. On the next page, switch the agent mode to Blocking.
  3. After the configuration change has propagated to your agents (it can take up to a minute), visit the same URL. The server should respond with a 406 response code and the request will be blocked.
  4. Visit your site normally (e.g., https://www.example.com/) and test basic functionality (navigation, search, etc.). Even though the IP is flagged, you should see that normal site traffic is unaffected.