Documentation AEM AEM Tutorials AEM as a Cloud Service Tutorials

Protecting AEM websites using standard traffic filter rules

Last update: Mon Jul 21 2025 00:00:00 GMT+0000 (Coordinated Universal Time)

Applies to:
Experience Manager as a Cloud Service

Topics:
Security

CREATED FOR:

Intermediate
Admin
Developer

Learn how to protect AEM websites from Denial of Service (DoS), Distributed Denial of Service (DDoS), and bot abuse using Adobe-recommended standard traffic filter rules in AEM as a Cloud Service.

https://video.tv.adobe.com/v/3469396/?quality=12&learn=on

Transcript

Want to protect your AEM website from denial of service attacks and unwanted bot traffic? In this tutorial, you’ll learn how to use Adobe’s recommended standard traffic filter rules in AEM as a cloud service to keep your site secure at both the edge and the origin.

Adobe’s standard rules help you detect and manage suspicious traffic patterns, such as spikes in requests from a single IP or access from restricted countries. These rules are designed to monitor activity at two critical points. The CDN edge, where high-volume attacks often start. The origin, where direct requests can bypass caching and strain your backend.

To get started, add these rules to your project’s cdn.yaml file in the config folder. For example, you can log an alert if a client IP exceeds 500 requests per second at the edge, or 100 fetch requests per second at the origin. You can also block traffic from OFAC-restricted countries to meet compliance needs.

Once your rules are pushed to Git repository, deploy them using your config pipeline. This activates the rules in your AEM environment.

Testing is key. Use tools like Vegeta to simulate high request loads and verify that your rules are logging and alerting on suspicious activity. Without blocking legitimate users.

Review alerts in the AEM Action Center and analyze traffic patterns using the AMCS CDN logs and Yelq dashboard.

These insights help you fine-tune your thresholds and identify potential threats.

Start with monitoring and alerting, then adjust your rules based on real traffic. When you’re confident, you can move to blocking rules for even stronger protection. In summary, you’ve seen how standard traffic filter rules help defend your AEM website from threats at both the edge and the origin. In the next tutorial, we’ll show you how to add WAF rules for advanced security.

Learning objectives

Review the Adobe-recommended standard traffic filter rules.
Define, deploy, test, and analyze the results of the rules.
Understand when and how to refine the rules based on traffic patterns.
Learn how to use the AEM Actions Center to review alerts generated by the rules.

Implementation overview

The implementation steps include:

Adding the standard traffic filter rules to the AEM WKND project’s /config/cdn.yaml file.
Committing and pushing the changes to the Cloud Manager Git repository.
Deploying the changes to the AEM environment using the Cloud Manager config pipeline.
Testing the rules by simulating DoS attack using Vegeta
Analyzing the results using the AEMCS CDN logs and the ELK dashboard tool.

Prerequisites

Before proceeding, ensure you’ve completed the required groundwork as described in the How to set up traffic filter and WAF rules tutorial. Also, you have cloned and deployed the AEM WKND Sites Project to your AEM environment.

Key actions of the rules

Before we dive into the details of the standard traffic filter rules, let’s understand the key actions that these rules perform. The action attribute in each rule defines how the traffic filter should respond when the conditions are met. The actions include:

Log: The rules log the events for monitoring and analysis, allowing you to review traffic patterns and adjust thresholds as needed. It is specified by the type: log attribute.
Alert: The rules trigger alerts when the conditions are met, helping you to identify potential issues. It is specified by the alert: true attribute.
Block: The rules block the traffic when the conditions are met, preventing access to your AEM site. It is specified by the action: block attribute.

Review and define rules

Adobe-recommended standard traffic filter rules serve as a foundational layer for identifying potentially malicious traffic patterns by logging events like IP-based rate limits being exceeded, and block traffic from specific countries. These logs help teams validate thresholds and make informed decisions for ultimately transitioning to block-mode rules without disrupting legitimate traffic.

Let’s review the three standard traffic filter rules that you should add to the AEM WKND project’s /config/cdn.yaml file:

Prevent DoS at the Edge: This rule detects potential Denial of Service (DoS) attacks at the CDN edge by monitoring requests per second (RPS) from client IPs.
Prevent DoS at the Origin: This rule detects potential Denial of Service (DoS) attacks at the origin by monitoring fetch requests from client IPs.
Block OFAC Countries: This rule blocks access from specific countries that fall under OFAC (Office of Foreign Assets Control) restrictions.

1. Prevent DoS at the Edge

This rule sends an alert when it detects a potential Denial of Service (DoS) attack at the CDN. The criteria for triggering this rule is when a client exceeds 500 requests per second (averaged over 10 seconds) per CDN POP (Point of Presence) at the edge.

It counts all requests and groups them by client IP.

kind: "CDN"
version: "1"
metadata:
  envTypes: ["dev", "stage", "prod"]
data:
  trafficFilters:
    rules:
    - name: prevent-dos-attacks-edge
      when:
        reqProperty: tier
        equals: 'publish'
      rateLimit:
        limit: 500
        window: 10
        penalty: 300
        count: all
        groupBy:
          - reqProperty: clientIp
      action:
        type: log
        alert: true

The action attribute specifies that the rule should log the events and trigger an alert when the conditions are met. Thus, it helps you monitor potential DoS attacks without blocking legitimate traffic. However, your goal is to eventually transition this rule to block-mode once you have validated the traffic patterns and adjusted the thresholds.

2. Prevent DoS at the Origin

This rule sends an alert when it detects a potential Denial of Service (DoS) attack at the origin. The criteria for triggering this rule is when a client exceeds 100 requests per second (averaged over 10 seconds) per client IP at the origin.

It counts fetches (cache-bypassing requests) and groups them by client IP.

...
    - name: prevent-dos-attacks-origin
      when:
        reqProperty: tier
        equals: 'publish'
      rateLimit:
        limit: 100
        window: 10
        penalty: 300
        count: fetches
        groupBy:
          - reqProperty: clientIp
      action:
        type: log
        alert: true

3. Block OFAC Countries

This rule blocks access from specific countries that fall under OFAC restrictions.
You can review and modify the country list as needed.

...
    - name: block-ofac-countries
      when:
        allOf:
          - { reqProperty: tier, in: ["author", "publish"] }
          - reqProperty: clientCountry
            in:
              - SY
              - BY
              - MM
              - KP
              - IQ
              - CD
              - SD
              - IR
              - LR
              - ZW
              - CU
              - CI
      action: block

The action attribute specifies that the rule should block access from the specified countries. This helps you prevent access to your AEM site from regions that may pose security risks.

The complete cdn.yaml file with the above rules looks like this:

WKND CDN YAML Rules

Deploy rules

To deploy the above rules, follow these steps:

Commit and push the changes to the Cloud Manager Git repository.
Deploy the changes to the AEM environment using the Cloud Manager config pipeline created earlier.

Test rules

To verify the effectiveness of the standard traffic filter rules, at both the CDN Edge and the Origin, simulate high request traffic using Vegeta, a versatile HTTP load testing tool.

Test DoS Rule at the Edge (500 rps limit). The following command simulates 200 requests per second for 15 seconds, which exceeds the Edge threshold (500 rps).

code language-shell
`$echo "GET https://publish-p63947-e1249010.adobeaemcloud.com/us/en.html" \| vegeta attack -rate=200 -duration=15s \| vegeta report`

Vegeta DoS Attack Edge

note important
IMPORTANT
Notice the 100% Success and 200 Status codes in the above report. As rules are set to `log` and `alert`, the requests are not blocked but they are logged for monitoring and analysis and alerting purposes.

Test DoS Rule at the Origin (100 rps limit). The following command simulates 110 fetch requests per second for 1 second, which exceeds the Origin threshold (100 rps). To simulate cache-bypassing requests, the targets.txt file is created with unique query parameters to ensure that each request is treated as a fetch request.

code language-shell

code language-shell
`# Create targets.txt with unique query parameters $for i in {1..110}; do echo "GET https://publish-p63947-e1249010.adobeaemcloud.com/us/en.html?ts=$(date +%s)$i" done > targets.txt # Use the targets.txt file to simulate fetch requests $vegeta attack -rate=110 -duration=1s -targets=targets.txt \| vegeta report`

# Create targets.txt with unique query parameters
$for i in {1..110}; do
  echo "GET https://publish-p63947-e1249010.adobeaemcloud.com/us/en.html?ts=$(date +%s)$i"
done > targets.txt

# Use the targets.txt file to simulate fetch requests
$vegeta attack -rate=110 -duration=1s -targets=targets.txt | vegeta report

Vegeta DoS Attack Origin

note important
IMPORTANT
Notice the 100% Success and 200 Status codes in the above report. As rules are set to `log` and `alert`, the requests are not blocked but they are logged for monitoring and analysis and alerting purposes.

For simplicity purposes, the OFAC rule is not tested here.

Review alerts

Alerts are generated when the traffic filter rules are triggered. You can review these alerts in the AEM Actions Center.

WKND AEM Actions Center

Analyze results

To analyze the results of the traffic filter rules, you can use the AEMCS CDN logs and the ELK dashboard tool. Follow the instructions from the CDN logs ingestion set-up section to ingest the CDN logs into the ELK stack.

In the following screenshot, you can see the AEM Dev environment’s CDN logs ingested into the ELK stack.

WKND CDN Logs ELK

Inside the ELK application, the CDN Traffic Dashboard should show the spike at the Edge and Origin during the simulated DoS attacks.

The two panels, Edge RPS per Client IP and POP and Origin RPS per Client IP and POP, display the requests per second (RPS) at the edge and origin respectively, grouped by client IP and Point of Presence (POP).

WKND CDN Edge Traffic Dashboard

You can also use other panels in the CDN Traffic Dashboard to analyze the traffic patterns, such as Top Client IPs, Top Countries, and Top User Agents. These panels help you identify potential threats and adjust your traffic filter rules accordingly.

Splunk integration

Customers who have Splunk Log forwarding enabled can create new dashboards to analyze the traffic patterns.

To create dashboards in Splunk, follow Splunk dashboards for AEMCS CDN Log Analysis steps.

The following screenshot shows an example of a Splunk dashboard that displays the maximum origin and edge requests per IP, which can help you identify potential DoS attacks.

Splunk dashboard - Max origin and edge requests per IP

When and how to refine rules

Your goal is to avoid blocking legitimate traffic while still protecting your AEM site from potential threats. The standard traffic filter rules are designed to alert and log (and eventually block when the mode is switched) threats without blocking legitimate traffic.

To refine the rules, consider the following steps:

Monitor traffic patterns: Use the CDN logs and ELK dashboard to monitor traffic patterns and identify any anomalies or spikes in traffic.

Adjust thresholds: Based on the traffic patterns, adjust the thresholds (increase or decrease the rate limits) in the rules to better suit your specific requirements. For example, if you notice that legitimate traffic triggered the alerts, you can increase the rate limits or adjust the groupings.
The following table provides guidance on how to choose the threshold values:

table 0-row-2 1-row-2 2-row-2 1-align-left 2-align-left 4-align-left 5-align-left 7-align-left 8-align-left
Variation	Value
Origin	Take the highest value of the Max Origin Requests per IP/POP under normal traffic conditions (that is, not the rate at the time of a DDoS) and increase it by a multiple
Edge	Take the highest value of the Max Edge Requests per IP/POP under normal traffic conditions (that is, not the rate at the time of a DDoS) and increase it by a multiple

Also see the Choosing threshold values section for more details.

Move to blocking rules: Once you have validated the traffic patterns and adjusted the thresholds, you should transition the rules to block-mode.

Summary

In this tutorial, you learned how to protect AEM websites from Denial of Service (DoS), Distributed Denial of Service (DDoS), and bot abuse using Adobe-recommended standard traffic filter rules in AEM as a Cloud Service.

Recommended WAF rules

Learn how to implement Adobe recommended WAF rules to protect your AEM websites from sophisticated threats that use advanced techniques to bypass traditional security measures.

Protecting AEM websites using WAF traffic filter rules

Learn how to protect AEM websites from sophisticated threats including DoS, DDoS, and bot abuse using Adobe-recommended Web Application Firewall (WAF) traffic filter rules in AEM as a Cloud Service.

Activate WAF

Use cases - beyond standard rules

For more advanced scenarios, you can explore the following use cases that demonstrate how to implement custom traffic filter rules based on specific business requirements: