Possible attack - many requests blocked

If the EVENT_WR-Y-attack-600 warning (Possible attack - {NUM} blocked requests within {NUM} seconds) appears frequently, the possible causes are:

  • An attack against applications – are all requests coming from the same IP address?
  • Missing exception configuration for parameters.

In this case, we do not recommend adjusting the event, since that would only suppress the symptoms instead of addressing the causes.

Research and countermeasures

Research the cause(s) before taking any countermeasures.

  • Analyze what causes the blocked requests: are they in fact attacks, or legitimate requests that were blocked inadvertently?

Example of an inadvertently blocked request:
A webmail application can have SQL statements in the subject or body of a message. Those parameters should be defined as exceptions.
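
One way to run this triage over an export of blocked requests, as an added example that is not part of the product or its documentation. The record fields (ip, path, param), the sample data and the 0.6 threshold are assumptions; map your own log export onto them.

```python
from collections import Counter

# Constructed samples, not real log data. Field names are assumptions.
# Case 1: most blocks come from one client and hit many different parameters.
SINGLE_SOURCE = [
    {"ip": "203.0.113.7", "path": p, "param": q}
    for p, q in [("/shop/search", "q"), ("/shop/item", "id"), ("/login", "user"),
                 ("/shop/cart", "sku"), ("/shop/search", "sort")]
] + [{"ip": "198.51.100.20", "path": "/login", "param": "user"}]

# Case 2: many clients, but the blocks cluster on the webmail message fields.
WEBMAIL = [
    {"ip": f"192.0.2.{i}", "path": "/webmail/send",
     "param": "body" if i % 3 else "subject"}
    for i in range(1, 10)
]


def summarize(records, threshold=0.6):
    """Report how concentrated the blocks are by client IP and by parameter.

    The hint only says where to look first. Whether the blocked values are
    attacks or legitimate input still has to be checked by a person.
    """
    if not records:
        return {"hint": "no_data"}
    total = len(records)
    top_ip, ip_n = Counter(r["ip"] for r in records).most_common(1)[0]
    top_param, par_n = Counter(
        (r["path"], r["param"]) for r in records).most_common(1)[0]
    ip_share, par_share = ip_n / total, par_n / total
    if ip_share >= threshold and par_share < threshold:
        hint = "single_source"      # one client dominates: review as possible attack
    elif par_share >= threshold and ip_share < threshold:
        hint = "single_parameter"   # one field dominates: check for a missing exception
    else:
        hint = "mixed"              # no clear pattern: review the requests individually
    return {"hint": hint, "top_ip": top_ip, "ip_share": round(ip_share, 2),
            "top_param": top_param, "param_share": round(par_share, 2)}


if __name__ == "__main__":
    for name, sample in (("single source", SINGLE_SOURCE), ("webmail", WEBMAIL)):
        print(name, summarize(sample))
```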