---
title: Configuring attack thresholds
summary: null
url: >-
  https://www.fastly.com/documentation/guides/next-gen-waf/thresholds/configuring-attack-thresholds
---

Attack thresholds are a type of [threshold configuration](https://www.fastly.com/documentation/guides/next-gen-waf/thresholds/about-threshold-configurations/) that caps the total number of [attack signals](https://www.fastly.com/documentation/guides/next-gen-waf/signals/using-system-signals/#attacks) that can be seen from an IP address before the Next-Gen WAF flags that IP address. Once flagged, subsequent requests that are from the flagged IP address and that are tagged with an attack signal are blocked or logged depending on the [Agent mode](https://www.fastly.com/documentation/guides/next-gen-waf/about-the-agent-mode/) (also known as Protection mode) setting. This type of configuration targets attackers’ ability to use scripting and tooling.

For each attack threshold, you can [adjust the attack signals cap](https://www.fastly.com/documentation/guides/next-gen-waf/thresholds/configuring-attack-thresholds#adjusting-attack-thresholds) (otherwise known as the threshold). If you'd like a different threshold for an individual attack signal, you can [add a site alert](https://www.fastly.com/documentation/guides/next-gen-waf/thresholds/configuring-site-alerts) (also known as a signal threshold).

## How attack thresholds work

Attack thresholds monitor and flag IP addresses that exhibit repeat malicious behavior and then handle requests from the flagged IP addresses.

Flagging occurs when enough attacks are seen from a single IP address. More explicitly, we count the number of attack signals per IP address, and when this number reaches one of the [attack thresholds](https://www.fastly.com/documentation/guides/next-gen-waf/thresholds/configuring-attack-thresholds#adjusting-attack-thresholds), we flag and blocklist the IP address.

After an IP address has been flagged, subsequent requests that are from the flagged IP address and that are tagged with an attack signal are either blocked or logged depending on the [Agent mode](https://www.fastly.com/documentation/guides/next-gen-waf/about-the-agent-mode/) (Protection mode) setting. Specifically, requests with an attack signal are blocked when the setting is set to `Blocked` and logged when set to `Not Blocking` (also known as `Logging`).

By default, malicious traffic from the IP address is blocked or logged for 24 hours. If you have access to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net), you can [change the default time](https://www.fastly.com/documentation/signalsciences/api/#_corps__corpName__sites__siteName__patch) that blocklisted IP addresses are blocked by updating the `blockDurationSeconds` field via our API.

## Limitations and considerations

When working with attack thresholds, keep the following things in mind:

- Requests that have only been tagged with [anomaly and custom signals](https://www.fastly.com/documentation/guides/next-gen-waf/signals/about-signals/) are not counted towards flagging thresholds.
- When an IP address is flagged by any Next-Gen WAF customer, we record that IP address as a known potential bad actor and make its status known across our whole network by tagging it with the [SigSci Malicious IPs (`SigSci IP`)](https://www.fastly.com/documentation/guides/next-gen-waf/signals/using-system-signals/#anomalies-sigsci-ip) anomaly signal.
- You can override the attack thresholds for individual attack signals by [creating site alerts](https://www.fastly.com/documentation/guides/next-gen-waf/thresholds/configuring-site-alerts) (signal thresholds).

## Adjusting attack thresholds

The default attack thresholds are based on historical patterns that we've seen across all customers.

| Interval   | Threshold | Frequency of check |
| ---------- | --------- | ------------------ |
| 1 minute   | 50        | Every 20 seconds   |
| 10 minutes | 350       | Every 3 minutes    |
| 1 hour     | 1,800     | Every 20 minutes   |
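
To reason about how the three windows and their check frequencies interact when tuning these values, the following Python sketch replays constructed traffic against the default table. It is an added illustration, not Fastly's implementation: the `simulate` and `sample_events` names, checks aligned to multiples of the check period, blocking rather than logging, and flagging each IP address only once are all assumptions.

```python
from bisect import bisect_right
from collections import defaultdict

# Defaults from the table above: (interval s, threshold, seconds between checks).
DEFAULT_THRESHOLDS = [(60, 50, 20), (600, 350, 180), (3600, 1800, 1200)]
BLOCK_SECONDS = 24 * 3600  # default block/log duration stated on this page

def simulate(events, thresholds=DEFAULT_THRESHOLDS, block_for=BLOCK_SECONDS):
    """Model only (assumption), not the product's evaluation logic.
    events: time-sorted (t_seconds, ip, has_attack_signal), integer times.
    Returns (flagged, decisions): ip -> time first flagged, and one
    'allow'/'block' per event, assuming requests are blocked, not logged."""
    attack_times = defaultdict(list)
    for t, ip, attack in events:
        if attack:  # anomaly- or custom-only requests are not counted
            attack_times[ip].append(t)
    end = events[-1][0] if events else 0
    flagged = {}
    for interval, threshold, period in thresholds:
        # Counts are only inspected at each periodic check, not per request.
        for check in range(period, end + period + 1, period):
            for ip, times in attack_times.items():
                seen = bisect_right(times, check) - bisect_right(times, check - interval)
                if seen >= threshold and check < flagged.get(ip, float("inf")):
                    flagged[ip] = check
    decisions = []
    for t, ip, attack in events:
        start = flagged.get(ip)
        # Only attack-tagged requests from a flagged IP are acted on.
        hit = attack and start is not None and start <= t < start + block_for
        decisions.append("block" if hit else "allow")
    return flagged, decisions

def sample_events():
    """Constructed traffic; IP addresses are from documentation ranges."""
    ev = [(21 + i // 5, "198.51.100.7", True) for i in range(50)]   # 50 attacks in 10 s
    ev += [(21 + i // 6, "203.0.113.9", False) for i in range(60)]  # no attack signals
    ev += [(45, "198.51.100.7", True), (46, "198.51.100.7", False)]
    return sorted(ev)

if __name__ == "__main__":
    flagged, decisions = simulate(sample_events())
    print(flagged, decisions.count("block"))
```

In this run the whole 50-signal burst is allowed because the next 1-minute check only happens at t=40; after that, the attack-tagged request at t=45 is blocked while the untagged request at t=46 from the same IP address is not.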

To raise or lower the attack thresholds, complete the following steps:

### Next-Gen WAF control panel

1. Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).

2. From the **Sites** menu, select a site if you have more than one site.

3. From the **Manage** menu, select **Site Settings**.

4. Click **Attack Thresholds**.

   ![change the attack thresholds](/img/ngwaf/adjust-attack-thresholds.png)

5. In the **1 minute interval**, **10 minute interval**, and **1 hour interval** fields, enter the thresholds that are appropriate for your site. To immediately block requests that are tagged with at least one attack signal, use the [**Immediate blocking**](https://www.fastly.com/documentation/guides/next-gen-waf/thresholds/configuring-attack-thresholds#applying-immediate-blocking) setting.

6. Click **Update**.

### Fastly control panel

1. Log in to the [Fastly control panel](https://manage.fastly.com).

2. Go to **Security** > **Next-Gen WAF** > [**Workspaces**](https://manage.fastly.com/security/ngwaf/workspaces).

3. Click the gear icon next to the workspace that you want to modify.

4. Click **Attack thresholds**.

   ![The Attack thresholds form with the 1 minute interval field set to 25, the 10 minute interval field set to 175, and the 1 hour interval field set to 900](/img/ngwaf/update-attack-thresholds.png)

5. In the **1 minute interval**, **10 minute interval**, and **1 hour interval** fields, enter the thresholds that are appropriate for your website. To immediately block requests that are tagged with at least one attack signal, use the [**Immediate blocking**](https://www.fastly.com/documentation/guides/next-gen-waf/thresholds/configuring-attack-thresholds#applying-immediate-blocking) setting.

6. Click **Update**.

## Applying immediate blocking

You can use the **Immediate blocking** setting to immediately block all requests tagged with at least one attack signal. While **Immediate blocking** is enabled, your existing attack threshold settings are maintained so that you can easily revert to threshold-based blocking.

To enable immediate blocking:

### Next-Gen WAF control panel

1. Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).

2. From the **Sites** menu, select a site if you have more than one site.

3. From the **Manage** menu, select **Site Settings**.
4. Click **Attack Thresholds**.
5. Click the **Immediate blocking** switch to the **On** position.

### Fastly control panel

1. Log in to the [Fastly control panel](https://manage.fastly.com).

2. Go to **Security** > **Next-Gen WAF** > [**Workspaces**](https://manage.fastly.com/security/ngwaf/workspaces).

3. Click the gear icon next to the workspace that you want to modify.

4. Click **Attack thresholds**.

   ![The Immediate Blocking switch set to the On position](/img/ngwaf/apply-immediate-blocking.png)

5. Click the **Immediate Blocking** switch to the **On** position.

6. Click **Update**.

## Related content

- [About threshold configurations](https://www.fastly.com/documentation/guides/next-gen-waf/thresholds/about-threshold-configurations)
- [Using an API with the Next-Gen WAF](https://www.fastly.com/documentation/guides/next-gen-waf/developer/using-an-api-with-the-next-gen-waf)
