Dynamic Route for CDN (DCDN) is integrated with Web Application Firewall (WAF) to protect your websites from vulnerabilities and attacks such as SQL injection, webshells, and cross-site scripting (XSS). WAF prevents your domain names from being identified as dangerous websites by browsers and search engines. In addition, WAF protects your websites from spam content, malicious pop-up windows, domain hijacking, website vulnerabilities, Trojans, data breaches, and password leakage. After you activate WAF, you must configure protection policies for different accelerated regions. This way, WAF can process traffic in different regions based on domain names.

Background information

WAF is a security service that protects your websites and applications. WAF identifies malicious web traffic, scrubs and filters the malicious traffic, and then forwards safe traffic to your server. This protects your web servers from attacks and ensures data and business security. For more information about the features of WAF, see What is WAF?

Prerequisites

  • WAF Pro Edition or WAF Business Edition is activated. If you have not activated WAF Pro Edition or WAF Business Edition, submit a ticket.
  • Before you enable WAF for an accelerated domain name, make sure that the accelerated region of the domain name is set to Global or Global (Excluding Mainland China). For more information about how to change the accelerated region, see Modify basic information.

Value-added services

For more information about how to configure features of WAF, see the WAF documents. The following table lists the features supported by WAF Business Edition.
Feature                                                        Business Edition
Scan protection                                                Supported
Account security                                               Supported
HTTP flood protection                                          Supported
IP address blacklist                                           Supported
Rate Limit                                                     Supported
Bot threat intelligence rules                                  Supported
JavaScript validation                                          Supported
Crawler whitelists                                             Supported
Web application protection                                     Supported
Zero-day attack protection                                     Supported
Block and Warn protection modes                                Supported
Decoding and analytics of request data in specified formats    Supported
Custom rule groups                                             Supported
HTTP access control list (ACL) policies                        Supported
Log Service                                                    Supported, with a storage capacity of up to 3 TB

Configure WAF for one domain name

  1. Log on to the DCDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Configure page, find the domain name that you want to manage and click Domain Names in the Actions column.
  4. In the left-side navigation pane on the details page of the specified domain name, click Security Settings.
  5. On the WAF tab, turn on the WAF - Mainland China switch.
  6. Click Modify Configurations.
  7. Follow the instructions on the page to configure the protection features on the Web Security, Bot Management, and Access Control/Throttling tabs.
    Web Security
      Status: You can enable or disable this feature.
      Mode: Web intrusion prevention supports the following protection modes:
        • Block: immediately blocks attacks after the attacks are detected.
        • Warn: sends alerts after attacks are detected but does not block the attacks.
      Protection Rule Group: Web intrusion prevention supports the following protection rules:
        • Loose rule group: If the Medium rule group causes a high rate of false positives, we recommend that you select Loose rule group. The loose rule group has the lowest false positive rate but the highest false negative rate.
        • Medium rule group: the default policy.
        • Strict rule group: If you require stronger protection against path traversal, SQL injections, and command execution attacks, we recommend that you select Strict rule group.
      Decoding Settings: You can specify the data formats that need to be decoded and analyzed by the RegEx protection engine.
        1. Click the decoding icon to select data formats.
        2. Select or clear data formats based on your business requirements.
          • You cannot clear the following formats: URL Decoding, JavaScript Unicode Decoding, Hex Decoding, Comment Processing, and Space Compression.
          • You can clear the following formats: Multipart Data Parsing, JSON Data Parsing, XML Data Parsing, Serialized PHP Data Decoding, HTML Entity Decoding, UTF-7 Decoding, Base64 Decoding, and Form Data Parsing.
        3. Click OK.
        Note: To ensure higher performance, the RegEx protection engine decodes and analyzes the request content in all formats by default. If the RegEx protection engine blocks requests that contain content in formats that you do not want to block, you can clear the formats to reduce the false positive rate.
    Bot Management (Business Edition only)
      Allowed Crawlers
        Status: You can enable or disable this feature.
        Note: This feature allows crawlers from the search engines in the whitelist, such as Google, Bing, Baidu, Sogou, 360, and Yandex, to access all of your domain names. You can click Settings to enable or disable this feature based on your business requirements.
      Typical Bot Behavior Identification
        Status: You can enable or disable this feature.
        Note: This feature provides general algorithms to identify typical crawler behavior. You can configure relevant parameters and thresholds to defend against advanced crawlers. You can click Settings to add algorithm rules based on your business requirements.
      Bot Threat Intelligence
        Status: You can enable or disable this feature.
        Note: This feature provides information about suspicious IP addresses of dialers, data centers, and malicious scanners based on the computing capabilities of Alibaba Cloud. This feature also maintains a dynamic IP library of malicious crawlers and prevents crawlers from accessing specific domain names or paths. You can click Settings to configure this feature based on your business requirements.
    Access Control/Throttling
      IP Blacklist
        Status: You can enable or disable this feature.
        Note: You can use the IP address blacklist to block requests from specified IP addresses or CIDR blocks, or limit requests from IP addresses in specified regions. You can click Settings to add IP addresses or regions to the blacklist.
      Custom Protection Policy
        Status: You can enable or disable this feature.
        Note: You can customize an access control rule and apply it to a specific object. A default rule is provided. You can click Settings to add a rule.

Configure WAF for multiple domain names

  1. Log on to the DCDN console.
  2. In the left-side navigation pane, choose WAF > Domain Names.
  3. Add the domain name for which you want to enable WAF.
    1. On the Domain Names page, click Add Domain to WAF.
    2. In the Add Domain to WAF dialog box, select the domain name that you want to add.
      Note: You can add only one domain name at a time. To add multiple domain names, repeat this step.
    3. Click OK.
  4. Configure protection.
    1. On the Domain Names page, find the domain name and click Configure Protection.
    2. Follow the instructions on the page to configure the protection features on the Web Security and Access Control/Throttling tabs.
      Web Security
        Status: You can enable or disable this feature.
        Mode: Web intrusion prevention supports the following protection modes:
          • Block: immediately blocks attacks after the attacks are detected.
          • Warn: sends alerts after attacks are detected but does not block the attacks.
        Protection Rule Group: Web intrusion prevention supports the following protection rules:
          • Loose rule group: If the Medium rule group causes a high rate of false positives, we recommend that you select Loose rule group. The loose rule group has the lowest false positive rate but the highest false negative rate.
          • Medium rule group: the default policy.
          • Strict rule group: If you require stronger protection against path traversal, SQL injections, and command execution attacks, we recommend that you select Strict rule group.
        Decoding Settings: You can specify the data formats that need to be decoded and analyzed by the RegEx protection engine.
          1. Click the decoding icon to select data formats.
          2. Select or clear data formats based on your business requirements.
            • You cannot clear the following formats: URL Decoding, JavaScript Unicode Decoding, Hex Decoding, Comment Processing, and Space Compression.
            • You can clear the following formats: Multipart Data Parsing, JSON Data Parsing, XML Data Parsing, Serialized PHP Data Decoding, HTML Entity Decoding, UTF-7 Decoding, Base64 Decoding, and Form Data Parsing.
          3. Click OK.
          Note: To ensure higher performance, the RegEx protection engine decodes and analyzes the request content in all formats by default. If the RegEx protection engine blocks requests that contain content in formats that you do not want to block, you can clear the formats to reduce the false positive rate.
      Bot Management (Business Edition only)
        Allowed Crawlers
          Status: You can enable or disable this feature.
          Note: This feature allows crawlers from the search engines in the whitelist, such as Google, Bing, Baidu, Sogou, 360, and Yandex, to access all of your domain names. You can click Settings to enable or disable this feature based on your business requirements.
        Typical Bot Behavior Identification
          Status: You can enable or disable this feature.
          Note: This feature provides general algorithms to identify typical crawler behavior. You can configure relevant parameters and thresholds to defend against advanced crawlers. You can click Settings to add algorithm rules based on your business requirements.
        Bot Threat Intelligence
          Status: You can enable or disable this feature.
          Note: This feature provides information about suspicious IP addresses of dialers, data centers, and malicious scanners based on the computing capabilities of Alibaba Cloud. This feature also maintains a dynamic IP library of malicious crawlers and prevents crawlers from accessing specific domain names or paths. You can click Settings to configure this feature based on your business requirements.
      Access Control/Throttling
        IP Blacklist
          Status: You can enable or disable this feature.
          Note: You can use the IP address blacklist to block requests from specified IP addresses or CIDR blocks, or limit requests from IP addresses in specified regions. You can click Settings to add IP addresses or regions to the blacklist.
        Custom Protection Policy
          Status: You can enable or disable this feature.
          Note: You can customize an access control rule and apply it to a specific object. A default rule is provided. You can click Settings to add a rule.
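
The Decoding Settings in both procedures trade false positives against false negatives. The following added example is a toy model of a decode-then-match pipeline, not Alibaba Cloud's engine or code from this documentation; the signature, function names, and sample requests are constructed for illustration and cover only three of the listed formats.

```python
import base64
import binascii
import html
import re
from urllib.parse import unquote_plus

# Constructed stand-in for one rule of a RegEx engine; not a real WAF rule.
SIGNATURE = re.compile(r"<\s*script\b", re.IGNORECASE)

def _b64(value):
    """Base64-decode to text; return the input unchanged if it is not Base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return value

# Subset of the formats on the page: one that cannot be cleared, two that can.
MANDATORY = {"URL Decoding": unquote_plus}
OPTIONAL = {"HTML Entity Decoding": html.unescape, "Base64 Decoding": _b64}

def inspect(value, enabled_optional, mode="Block"):
    """Return "block" or "warn" (per mode) on a signature hit, else "pass"."""
    decoders = list(MANDATORY.values()) + [OPTIONAL[n] for n in enabled_optional]
    seen, frontier = {value}, [value]
    while frontier:  # follow nested encodings until nothing new is produced
        current = frontier.pop()
        for decode in decoders:
            out = decode(current)
            if out not in seen:
                seen.add(out)
                frontier.append(out)
    if not any(SIGNATURE.search(v) for v in seen):
        return "pass"
    return "block" if mode == "Block" else "warn"

# Constructed sample inputs.
URL_ENCODED = "%3Cscript%3Ealert(1)%3C%2Fscript%3E"
ENTITY_ENCODED = "&lt;script&gt;alert(1)&lt;/script&gt;"
# A legitimate CMS upload: documentation HTML sent as a Base64 field.
CMS_UPLOAD = base64.b64encode(b'<p>Add <script src="app.js"></script></p>').decode()

if __name__ == "__main__":
    every = list(OPTIONAL)
    print(inspect(URL_ENCODED, []))  # the mandatory decoder alone is enough here
    print(inspect(ENTITY_ENCODED, []), inspect(ENTITY_ENCODED, every))
    print(inspect(CMS_UPLOAD, every), inspect(CMS_UPLOAD, every, mode="Warn"))
    print(inspect(CMS_UPLOAD, ["HTML Entity Decoding"]))  # Base64 Decoding cleared
```

Clearing Base64 Decoding lets the legitimate upload through, but the engine then no longer inspects any Base64 field for this signature, so review the affected traffic in Warn mode before clearing a format.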