This topic describes how to use Anti-DDoS Origin and Web Application Firewall (WAF) to provide protection. This solution protects your website against Layer 4 distributed denial of service (DDoS) attacks, Layer 7 web attacks, and HTTP flood attacks.


  • An Elastic Compute Service (ECS) instance is created and has web applications installed. The ECS instance has a public IP address, and your website has a domain name.
    Note If your website provides services in the Chinese mainland, the domain name of your website must have an Internet Content Provider (ICP) license. Otherwise, you cannot add the domain name to WAF instances in the Chinese mainland to protect your website.
  • An Anti-DDoS Origin Enterprise instance is purchased. For more information, see Purchase an Anti-DDoS Origin Enterprise instance.
    Note When you purchase an Anti-DDoS Origin Enterprise instance, you must select a region. Make sure that the Anti-DDoS Origin Enterprise instance and the ECS instance reside in the same region.
  • A WAF instance is purchased. For more information, see Purchase a subscription WAF instance.

Background information

You can use Anti-DDoS Origin Enterprise to mitigate DDoS attacks for your website. If your website encounters web attacks and HTTP flood attacks, we recommend that you use WAF to protect your website. For more information about WAF, see What is WAF?.

If you use Anti-DDoS Origin Enterprise and WAF to protect your website, you must add your website to WAF and then add the IP address of the WAF instance to Anti-DDoS Origin Enterprise for protection. In this case, all service traffic is first scrubbed by WAF, and only normal traffic is forwarded to the origin server. Attack traffic, such as DDoS attacks, web attacks, and HTTP flood attacks, is blocked.


  1. Add your website to WAF.
    1. Log on to the WAF console.
    2. In the top navigation bar, select the Chinese Mainland or International region.
      WAF automatically determines the specific region based on the location of the origin server.
    3. In the left-side navigation pane, choose Asset Center > Website Access.
    4. Click Add Domain Name.
      You can add your website in two modes: CNAME and transparent proxy. In CNAME mode, the website can be automatically or manually added. In transparent proxy mode, only origin servers that are deployed in the China (Beijing) region are supported.

      This topic describes how to add a website in CNAME mode.

    5. Optional:On the Add Domain Name page, click Manually Add Other Websites. If the Add Domain Name page does not appear, skip this step.
    6. Complete the configurations in the Enter your website information step of the Add Domain Name wizard and click Next.
      You must specify the following website parameters:
      • Domain Name: Enter the domain name of the website.
      • Protocol Type: Select the protocol supported by the website. If your website supports HTTPS, select HTTPS and upload the certificate after you add the website. For more information, see Upload an HTTPS certificate.
      • Destination Server (IP Address): Select IP and enter the public IP address of the ECS instance.
      • Destination Server Port: After you specify Protocol Type, the server port is automatically matched. You can also specify a non-standard server port. For more information, see View the ports supported by WAF.
      • Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF: Select No.

        If you configure a Layer 7 proxy such as Anti-DDoS Pro, Anti-DDoS Premium, or Content Delivery Network (CDN) before WAF, the requests from a client are forwarded to the Layer 7 proxy before they reach WAF. Anti-DDoS Origin Enterprise is not a Layer 7 proxy. In this case, select No.

      For more information about the website parameters, see Add domain names.

    7. Click Completed. Return to the website list.
      A CNAME record is created for the added website. You can obtain the CNAME record of WAF from the website list.CNAME record
    8. Run the ping the CNAME record of WAF command on your computer to obtain the IP address of the WAF instance.
  2. Configure your origin server to allow the back-to-origin Classless Inter-Domain Routing (CIDR) blocks of WAF.
  3. Change the DNS settings to resolve the domain name of the website to the CNAME record of WAF that you obtain in Step 1.
    For more information, see Change a DNS record.
    After you change the DNS settings, all requests sent to your website are forwarded to WAF for traffic scrubbing. WAF blocks web attacks and HTTP flood attacks and only forwards normal traffic to the origin server.

    The WAF instance cannot mitigate volumetric DDoS attacks. If your service encounters volumetric DDoS attacks, the performance of the WAF instance deteriorates, which affects service forwarding. Therefore, you must use an Anti-DDoS Origin Enterprise with the WAF instance to protect your service from DDoS attacks.

  4. Add the IP address of the WAF instance to your Anti-DDoS Origin Enterprise instance for protection.
    After you add the IP address of the WAF instance, the Anti-DDoS Origin Enterprise instance provides unlimited protection. The Anti-DDoS Origin Enterprise instance automatically scrubs service traffic to mitigate DDoS attacks.