Dynamic Route for CDN (DCDN) is integrated with Web Application Firewall (WAF) to provide security services on DCDN points of presence (POPs). WAF identifies and filters out malicious requests, and forwards only letigimate requests to origin servers. WAF protects web servers against intrusions, ensures the security of business-critical data, and prevents performance degradation caused by attacks.

Important
  • WAF is not compatible with WebSocket. You cannot enable both.
  • Although WAF protects your servers against intrusions, WAF cannot prevent traffic fees that result from fraudulent traffic. Each inbound request is checked by the WAF engine. Therefore, the request is billed regardless of whether it is blocked or monitored.

    If your domain names are susceptible to fraudulent traffic, we recommend that you do not use DCDN. You can also use the Cloud service monitoring of CloudMonitor to configure threshold alerts for bandwidth and QPS. If traffic fluctuates abnormally, stop using DCDN in a timely manner.

Prerequisites

DCDN is upgraded to secure DCDN. For more information about the upgrade, see Enable secure DCDN.

Features

DCDN can integrate with WAF to protect resources on DCDN POPs. For more information about the features of WAF, see What is WAF?

The following table lists the features supported by WAF Business Edition.
FeatureBusiness Edition
Scan protectionSupported
Account securitySupported
HTTP flood protectionSupported
IP blacklistSupported
Rate LimitSupported
Bot threat intelligence rulesSupported
JavaScript validationSupported
Crawler whitelistSupported
Web application protectionSupported
Zero-day attack protectionSupported
Block and warning modesSupported
Decoding and analytics of request data in specified formatsSupported
Custom rule groupsSupported
HTTP access control list (ACL) policiesSupported
Log ServiceSupported with a storage capacity up to 3 TB

Configure WAF for one domain name

  1. Log on to the DCDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Configure in the Actions column.
  4. Click Security Settings and select the WAF tab.
  5. Turn on WAF - Chinese Mainland or WAF - Outside Mainland China.
  6. Configure protection.
    1. Click Modify Configurations.
    2. Follow the on-screen instructions to configure the security features, such as web security and bot management, based on your business requirements. For more information, see Add website protection configurations.

Configure WAF for multiple domain names

  1. Log on to the DCDN console.
  2. In the left-side navigation pane, choose WAF > Configurations.
  3. On the top of the Configurations page, select Mainland China or Outside Mainland China.
  4. Add the domain names for which you want to enable WAF.
    1. Click Add Domain to WAF.
    2. In the Add Domain to WAF dialog box, select the domain name that you want to add.
      Note You can add only one domain name at a time. To add more domain names, repeat this step.
    3. Click OK.
  5. Configure protection.
    1. On the Configurations page, find the domain name that you want to manage and click Configure Protection in the Actions column.
    2. Follow the on-screen instructions to configure the security features, such as web security and bot management, based on your business requirements. For more information, see Add website protection configurations.

Add website protection configurations

Web security

FeatureParameterDescription
Web Intrusion PreventionStatusYou can turn on or turn off Web Intrusion Prevention.
ModeWeb Intrusion Prevention supports the following protection modes:
  • Block: blocks attacks immediately after they are detected.
  • Warn: sends alerts when attacks are detected, but does not block the attacks.
Protection Rule GroupWeb Intrusion Prevention supports the following protection rule groups:
  • Loose rule group: If Medium rule group settings result in a high false positive rate, we recommend that you select Loose rule group. The loose rule group has the lowest false positive rate, but the highest false negative rate.
  • Medium rule group: the default protection rule group.
  • Strict rule group: If you require stronger protection against path traversal, SQL injections, and command injections, we recommend that you select Strict rule group.
Decoding SettingsYou can specify the data formats that need to be decoded and analyzed by the RegEx protection engine.
  1. Click jiema.
  2. Select or deselect data formats based on your business requirements.
    • You cannot deselect the following formats: URL Decoding, JavaScript Unicode Decoding, Hex Decoding, Comment Processing, and Space Compression.
    • You can deselect the following formats: Multipart Data Parsing, JSON Data Parsing, XML Data Parsing, Serialized PHP Data Decoding, HTML Entity Decoding, UTF-7 decoding, Base64 Decoding, and Form Data Parsing.
  3. Click OK.
Note To enhance protection, the RegEx protection engine decodes and analyzes the request content in all formats. If the RegEx protection engine blocks requests that contain content in formats that you do not want to block, you can deselect the formats to reduce the false positive rate.
Advanced ProtectionStatusYou can turn on or turn off Positive Security Model.
Mode
  • Warn: triggers alerts, but does not block malicious requests.
  • Block: blocks malicious requests.

Bot management

FeatureParameterDescription
Allowed CrawlersStatusYou can turn on or turn off Allowed Crawlers.
Note This feature allows you to set a whitelist for authorized search engines, such as Google, Bing, Baidu, Sogou, 360, and Yandex. The crawlers of the search engines included in the whitelist are allowed to access all accelerated domain names. You can click Settings to enable or disable allowed crawlers based on your business requirements.
Typical Bot Behavior IdentificationStatusYou can turn on or turn off Typical Bot Behavior Identification.
Note This feature provides common algorithms to identify typical crawler behaviors. You can set relevant parameters and thresholds to identify advanced crawlers. You can click Settings to add algorithm rules based on your business requirements.
Bot Threat IntelligenceStatusYou can turn on or turn off Bot Threat Intelligence.
Note This feature leverages the computing capabilities of Alibaba Cloud to provide information about suspicious IP addresses of dialers, data centers, and malicious scanners. This feature also maintains a dynamic IP library of malicious crawlers and prevents crawlers from accessing specific domain names or paths. You can click Settings to edit intelligence rules based on your business requirements.
App ProtectionStatusYou can turn on or turn off App Protection.
Note This feature provides secure connections and anti-bot protection for native apps. You must integrate the Alibaba Cloud SDK.

Access control and throttling

FeatureParameterDescription
HTTP Flood ProtectionStatusYou can turn on or turn off HTTP Flood Protection.
Note After you enable this feature, WAF helps you defend against HTTP flood attacks and provides protection policies in different modes.
Mode
  • Prevention: Select this mode to reduce false positives if the traffic destined for your website is within the expected range. This is the default mode.
  • Protection-emergency: Select this mode if you are confident that traffic destined for your website is abnormal.
Scan ProtectionBlocking IPs Initiating High-frequency Web AttacksYou can turn on or turn off Blocking IPs Initiating High-frequency Web Attacks.
After you enable this feature, client IP addresses that initiate multiple attacks on your website in a short period of time are automatically blocked.
  • Click Settings to configure custom protection rules.
  • Click Unblock IP Address to manually unblock an IP address.
Directory Traversal ProtectionYou can turn on or turn off Directory Traversal Protection.
After you enable this feature, client IP addresses that initiate multiple directory traversal attacks on your website in a short period of time are automatically blocked.
  • Click Settings to configure custom protection rules.
  • Click Unblock IP Address to manually unblock an IP address.
Scanning Tool BlockingYou can turn on or turn off Scanning Tool Blocking. After you enable this feature, access requests from IP addresses of common scanners are automatically blocked.
Collaborative DefenseYou can turn on or turn off Collaborative Defense. After you enable this feature, access requests from the IP addresses in the Alibaba Cloud malicious IP library are automatically blocked.
BlacklistsStatusYou can turn on or turn off Blacklists.

This feature allows you to block requests from specified IP addresses or CIDR blocks, or limit requests from IP addresses in specified regions.

Note You can click Settings to add IP addresses or regions to the blacklist.
Custom Protection PolicyStatusYou can turn on or turn off Custom Protection Policy.

This feature allows you to create an access control rule and apply the access control rule to a specific object.

Note You can click Settings to add an access control rule.

View WAF logs and reports

After you add your website to WAF, you can view the information about attacks on a specific domain name and the protection results in the reports. For more information about logs and reports, see View WAF logs and reports.