Reblaze Signatures
Last updated
Last updated
The Reblaze system blocks traffic if it matches configured WAF signatures, exceeds triggering thresholds, matches ACL rules, or violates RFC specifications. When a blocking event occurs, Reblaze reports it according to reference IDs.
The reference IDs are listed below, categorized into groups according to their description. In some cases, external links are included with more details on the specific type of attack being described.
OSCI attacks are aimed at the operating system. The attacker seeks to manipulate the operation of the system, or to take control completely. For example, an attacker might attempt to get the content of OS files such as /etc/shadow. An OCSI attack can be included in the request headers, arguments, or cookies. More details on this type of attack can be found on the .
Reblaze reference ID 400000-499999
RFI attacks target applications that allow scripts to be included in files. These attacks are typically used for planting backdoors.
Reblaze reference ID 300000-399999
An LFI attack is similar to RFI, but it includes one or more local files instead of remote links. The attacker seeks to upload a file to the server. .
Reblaze reference ID 300000-399999
Threat actors use SQL injection to attack databases by executing SQL commands. SQLi is a common attack, with many possible ways for attackers to exploit vulnerabilities.
Reblaze reference ID 1000000-1999999
Reblaze reference ID 2000000-2999999
Many attacks take advantage of vulnerabilities in the OS or in the targeted application, without falling into one of the more prominent categories. Reblaze classifies them into this “generic” category.
Reblaze reference ID 3000000-3999999
Reblaze reference ID 3000000-3999999
This signature refers to the recognition of user-agent headers of known attack tools and applications: for example, the “Grabber” vulnerability scanner.
Reblaze reference ID 3000000-3999999
Reblaze blocks requests when a capacity threshold is exceeded: for example, the number of requests per second from a single IP. Usually, these thresholds reflect Reblaze’s DDoS protection. However, in some cases, some of this may be coming from the upstream server rather than Reblaze; in this situation, a “by origin” is added to the event description in the logs.
Reblaze reference ID: None. This block results in HTTP error 503.
Reblaze blocks headers for any site not found in its list of configured sites: for example, a proxy request. (This includes IP addresses as well.) Only FQDN (fully qualified domain names) are allowed.
Reblaze reference ID: None
Reblaze reference ID: 8888001
This refers to requests that are blocked because they fail Reblaze’s bot/human detection challenges.
This refers to traffic that is blocked by the application. It does not include categories such as HTTP errors 400, 408 or 500.
A blocking event that resulted from an ACL containing an IP or subnet.
A blocking event that resulted from an ACL containing an IP or subnet that matched geographical criteria.
A blocking event that resulted from an ACL containing an IP or subnet that is part of an anonymous proxy provider.
A blocking event that resulted from an ACL containing an IP or subnet found on a list of TOR gateways.
A blocking event that resulted from an ACL containing an IP or subnet known to be used by a VPN provider.
A blocking event that resulted from an ACL containing an IP or subnet from a specified AS number.
A blocking event that resulted from an ACL containing an IP or subnet known to be used by a cloud provider.
A request was rejected because it contained an HTTP method that the WAF was configured to reject. For example, a common configuration is to accept HEAD, GET, and POST requests, while rejecting all others.
A violator blocked by the ban list (via a Dynamic Rule).
When a request’s payload exceeds the configured threshold, the WAF signatures are bypassed. This mechanism ensures that the WAF will not loop forever and consume 100% of the CPU.
This blocking event occurs when rate limits are triggered. The text is taken from the name of the rule that triggered the event.
This message notes that the IP is in the rate limit whitelist ACL.
This message notes that this organization’s AS number is in the rate limit whitelist ACL.
XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted sites and applications. .
This signature refers to a violation of HTTP protocol RFC-2616. For example, ; a request that does not include one violates the RFC.
This attack is sometimes referred to as Direct Dynamic Code Evaluation. It exploits an application that does not properly validate user inputs. More information can be found at .
A common penetration technique is to encode a hostile request multiple times (for example, URL encode and base64), in an attempt to evade detection and filtering by the WAF or other security measures. .