Object Storage Service: How to prevent malicious traffic generation on OSS

Last Updated: Mar 20, 2026

Unauthorized access to your Object Storage Service (OSS) buckets can cause sudden spikes in bandwidth or traffic, resulting in unexpected outbound traffic fees. In severe cases, your bucket may be moved to a sandbox, making it unavailable.

OSS provides two methods to stop malicious traffic. Choose based on whether your bucket must remain publicly accessible:

| Method | Use this when |
| --- | --- |
| Set the bucket ACL to private | Your bucket does not need to be publicly accessible |
| Use WAF for protection | Your bucket must remain publicly accessible but needs traffic filtering |

Method 1: Set the bucket ACL to private

A bucket with public-read permission allows anyone on the internet to access its objects, including malicious actors who can generate high traffic at your expense.

Set the bucket's Access Control List (ACL) to private. Only requests authenticated with valid credentials can then access the bucket, blocking unauthenticated traffic entirely.

For steps, see Bucket ACL.

Method 2: Use WAF for protection

Use Web Application Firewall (WAF) 3.0 to filter malicious requests before they reach your bucket. This method works for buckets that must stay publicly accessible.

Note: To configure mitigation policies based on custom rules, make sure your WAF edition supports the target protection type. The Frequency Control protection type is supported only by the subscription Enterprise and Ultimate editions and the pay-as-you-go edition.

Step 1: Purchase a WAF 3.0 instance

Purchase a WAF 3.0 instance.

Step 2: Add your domain to WAF using a CNAME record

WAF sits in front of your bucket by routing traffic through a custom domain. You need to bind a custom domain to your bucket, add it to WAF, then update your DNS to point the domain to WAF.

In the OSS console:

Bind a custom domain name to the target bucket. When binding, do not resolve the CNAME record to the bucket domain name.

For steps, see Access OSS using a custom domain name.

In the WAF console:

  1. Add a domain name. Set the custom domain name as the domain to protect and the bucket domain name as the origin server domain name. For steps, see Add a domain name.

  2. Copy the WAF CNAME address for the domain:

    1. In the left navigation pane, choose Provisioning > CNAME Access.

    2. In the Domain/CNAME list, find the domain you added and copy its WAF CNAME address.

In the Alibaba Cloud DNS console:

Add a CNAME record for the custom domain name that points to the WAF CNAME address. For steps, see Change a DNS record.
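
A post-change check for Step 2, as an added example that is not part of the original documentation: it follows a custom domain's CNAME chain and reports whether it lands on the WAF CNAME or goes straight to the bucket domain. The domain names, the WAF CNAME value, and the `sample_lookup` callback are constructed placeholders; in live use the callback would wrap a real DNS resolver.

```python
from typing import Callable, List, Optional, Tuple

# Constructed sample records (placeholders, not real values from any account).
WAF_CNAME = "waf-cname-placeholder.example.net"
BUCKET_DOMAIN = "examplebucket.oss-cn-hangzhou.aliyuncs.com"
SAMPLE_RECORDS = {
    "static.example.com": "waf-cname-placeholder.example.net.",
    "old.example.com": "examplebucket.oss-cn-hangzhou.aliyuncs.com",
    "alias.example.com": "static.example.com",
}

def normalize(name: str) -> str:
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.strip().rstrip(".").lower()

def sample_lookup(name: str) -> Optional[str]:
    """Hypothetical resolver stand-in: returns the CNAME target or None."""
    return SAMPLE_RECORDS.get(normalize(name))

def check_waf_routing(custom_domain: str, waf_cname: str, bucket_domain: str,
                      lookup_cname: Callable[[str], Optional[str]],
                      max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow the CNAME chain and classify where the custom domain lands.

    Verdicts: via_waf, bypasses_waf (reaches the bucket domain without
    passing WAF), no_cname, unexpected (ends elsewhere), loop.
    """
    waf, bucket = normalize(waf_cname), normalize(bucket_domain)
    chain = [normalize(custom_domain)]
    for _ in range(max_hops):
        target = lookup_cname(chain[-1])
        if target is None:
            return ("no_cname" if len(chain) == 1 else "unexpected", chain)
        target = normalize(target)
        if target in chain:
            return ("loop", chain + [target])
        chain.append(target)
        if target == waf:
            return ("via_waf", chain)
        if target == bucket:
            return ("bypasses_waf", chain)
    return ("loop", chain)

if __name__ == "__main__":
    for domain in ("static.example.com", "old.example.com", "alias.example.com"):
        verdict, chain = check_waf_routing(domain, WAF_CNAME, BUCKET_DOMAIN, sample_lookup)
        print(f"{domain}: {verdict} ({' -> '.join(chain)})")
```

A `bypasses_waf` verdict means the custom domain still resolves directly to the bucket domain, so requests to it are not filtered by WAF.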

Step 3: Configure mitigation policies

After you add the domain, WAF automatically adds it as a protected object and enables basic protection rules. The default settings use the medium rule group in Block mode.

To configure additional policies such as rate limiting, see Configure mitigation policies.