The application protection feature is developed based on the runtime application self-protection (RASP) technology. This feature can detect attacks and provide protection during application runtime. You do not need to change code to use the application protection feature. You need to only install the RASP agent on the servers or containers on which your applications run. The feature can protect your applications against attacks that are launched by exploiting most unknown vulnerabilities. This topic describes how to use the application protection feature.
Feature description
Public preview
The application protection feature is available for commercial use from July 18, 2023. The public preview of the feature will end on August 17, 2023.
After July 13, 2023, you can no longer enable the application protection feature free of charge. You must purchase a quota for application protection to enable and use the feature. If you have applied for a trial of the application protection feature before July 18, 2023, you can use the feature free of charge until the end of the public preview.
How application protection works
The application protection feature adopts the RASP technology. The feature uses hooks to monitor the interactions between applications and other systems in real time. When suspicious behavior is detected in an application, the feature identifies and blocks attacks based on the context. This helps protect against application vulnerabilities, zero-day vulnerabilities, and in-memory webshells that are detected in the web processes on your servers. The feature is available only for Java applications.
Compatibility of the RASP agent
The application protection feature protects only processes that meet the following conditions. You can install the RASP agent only on these processes.
JDK: The Java Development Kit (JDK) version is 6 or later.
Middleware: The agent does not have specific requirements for the type and version of middleware. The following types of middleware are supported: Tomcat, Spring Boot, JBoss, WildFly, Jetty, Resin, Oracle WebLogic Server, WebSphere Application Server, Liberty, Netty, GlassFish, and middleware developed by Chinese vendors.
Operating system: Linux, Windows, or macOS.
Access methods
The application protection feature supports the automatic access and manual access methods. The following table describes the methods.
Access method | Description | Scenario |
Automatic access for servers and containers | You do not need to manually add applications to application protection or restart the applications. | You can use this method for 64-bit servers that are not added to an existing application group. Note: If the processes that run on your server are automatically added to an application group and you want to migrate the processes to a different application group, you can remove the processes and then enable automatic access for your server. |
Manual access for servers | You must manually add applications to application protection and restart the applications. | |
Manual access for containers | You must manually add applications to application protection and restart the containers. | |
Attack types
Prerequisites
A sufficient quota for application protection is purchased. For more information, see Purchase Security Center.
The Security Center agent on your server is online.
To check whether the Security Center agent on your server is online, perform the following operations: Go to the Assets > Host page. Click the Server tab. Find your server and view the icon in the Agent column, which indicates whether the Security Center agent is online. If the Security Center agent is offline, you can troubleshoot the issue. For more information, see Troubleshoot why the Security Center agent is offline.
The AliyunYundunWAFFullAccess and AliyunYundunSASFullAccess policies are attached to the Resource Access Management (RAM) user that is used. For more information about how to grant permissions to a RAM user, see Grant permissions to a RAM user.
Step 1: Add applications for protection
Before you can use the application protection feature, you must create an application group and add the processes that you want to protect to the application group.
If you have questions about how to configure and use the feature, you can join the DingTalk group 24655011781 for technical support.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose .
On the page that appears, click the Application Configurations tab. Then, click Create Application Group.
In the Create Application Group step of the panel that appears, enter a name and description for the application group that you want to create. Then, click Next.
We recommend that you enter a name based on the processes that you want to protect. The name must be unique. After you complete this step, an application group is created.
In the Automatic/Manual Access step, add processes to the application protection feature by using the automatic or manual access method.
(Recommended) Automatic access for servers and containers
The automatic access method integrates the application protection capabilities into processes by using JVM Attach when the processes are running. If you use this method, the system dynamically loads and unloads the application protection capabilities when processes are running. This ensures business continuity without the need to restart the processes.
Important: The first time you add processes to the application protection feature, we recommend that you perform the operation during off-peak hours.
If you use the automatic access method, you can select only 64-bit servers that are not automatically added to an existing application group.
A server can be automatically added to only one application group.
You can enable automatic access for servers that are added by using the manual access method. If you uninstall the RASP agent from the servers, the servers are automatically added to the application protection feature.
Click Select Asset for Application Protection. In the Select Asset dialog box, select the assets that you want to add and click Determine.
After you select a server, the application protection feature automatically identifies and adds the Java processes on the server or on a container hosted on the server. You do not need to restart the processes. You can select up to 100 servers at a time.
Note: After you select a server, the Determine button changes to Synchronizing, which indicates that Security Center is loading the server to the list of selected servers.
Perform the following operations based on the number of servers that you want to add:
If you want to add only one server, turn on the switch in the Application Protection column of the server. After the RASP agent is installed, click Next.
If you want to add multiple servers, select the servers, click Batch Enable Protection, and then click Next.
You can select up to 100 servers at a time.
After you turn on the switch in the Application Protection column for a server or you select multiple servers and click Batch Enable Protection, Security Center automatically identifies and adds the Java processes on the selected servers to the application protection feature. During this process, Installing is displayed in the Application Protection column. This process may require approximately 10 minutes to complete. The period of time varies based on your network environment. If multiple Java processes are running on a server, Security Center adds the processes at a time. After the Java processes are added, the switch in the Application Protection column is turned on. You can view the protection status of the application instances in the Protection Status column. A Java process in an application group is considered an application instance. The following list describes the valid values of the Protection Status column:
Disabled: The server is not added or failed to be added to the application protection feature.
All Added: The server is added to the application protection feature.
Note: If no processes on the server can be added to the application protection feature or the processes on the server are not supported by the application protection feature, the list in the Access Details panel is empty, and All Added is displayed in the Protection Status column. Subsequently, if a process that can be added to the application protection feature runs on the server, the process is automatically added.
You can click Details in the Actions column to view the status of the added Java processes.
Manual access for servers
Click the Manual Access tab. Follow the instructions on the Host Access Guide tab to install the RASP agent and then restart your applications. Then, click Next.
Before you restart your applications, you must complete the related deployment based on the runtime environment of the applications. The following table describes the parameter settings for deployment in different runtime environments. If your middleware is not included in the following table, you must replace {appId} with the application ID that is displayed on the Host Access Guide tab when you configure the parameters. The following figure shows the position of an application ID.
Runtime environment
Parameter setting
Tomcat on Linux
Add the following configuration to the <Tomcat installation directory>/bin/setenv.sh file:
export CATALINA_OPTS="$CATALINA_OPTS -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar"
If the <Tomcat installation directory>/bin/ directory does not contain the setenv.sh configuration file, create the file in the <Tomcat installation directory>/bin/ directory.
Tomcat on Windows
Add the following configurations to the <Tomcat installation directory>\bin\setenv.bat file:
set CATALINA_OPTS=%CATALINA_OPTS% "-javaagent:C:\Program Files (x86)\Alibaba\Aegis\rasp\apps\{appId}\rasp.jar"
If the <Tomcat installation directory>\bin\ directory does not contain the setenv.bat configuration file, create the file in the <Tomcat installation directory>\bin\ directory.
Jetty
Add the following configuration to the {JETTY_HOME}/start.ini configuration file, with each option on its own line (--exec makes Jetty fork a JVM so that the -javaagent option takes effect):
--exec
-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar
Spring Boot
Add the -javaagent parameter to the startup command for the Spring Boot process:
java -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar
For example, the following command is the original startup command of the Spring Boot process:
java -jar app.jar
Before you start the Spring Boot process to install the RASP agent, you must change the startup command to the following command:
java -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar -jar app.jar
JBoss or WildFly
Standalone Mode
Open the <JBoss installation directory>/bin/standalone.sh file and add the following content below # Display our environment:
JAVA_OPTS="${JAVA_OPTS} -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar"
Domain Mode
Open the <JBoss installation directory>/domain/configuration/domain.xml file and find the <server-groups> tag. Then, find the <jvm> tag in the <server-group> tag based on which you want to install the RASP agent and add the following content:
<jvm-options>
    <option value="-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar"/>
</jvm-options>
Liberty
Go to the <Liberty installation directory>/${server.config.dir} directory and create or modify the jvm.options file. By default, the file is /opt/ibm/wlp/usr/servers/defaultServer/jvm.options. Add the following content to the file:
-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar
Resin
Resin 3
Open the <Resin installation directory>/conf/resin.conf file. Find the <jvm-arg> tag in the <server-default> tag and add the following content:
<jvm-arg>-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar</jvm-arg>
Resin 4
Open the <Resin installation directory>/conf/cluster-default.xml file. Find the <jvm-arg-line> tag in the <server-default> tag and add the following content:
<jvm-arg>-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar</jvm-arg>
You can also click Push RASP Agent on the Push Record tab to push the RASP agent to the server or container on which your applications run and install the agent on the server or container.
If you no longer want the application protection feature to protect the processes on your server or container, you can uninstall the RASP agent. To uninstall the RASP agent, follow the instructions that are described on the RASP Agent Uninstallation tab.
Manual access for containers
Click the Manual Access tab. Follow the instructions on the Add Container tab to install the RASP agent and then restart your container. Then, click Next.
Before you restart your container, you must complete the related deployment based on the runtime environment of the container. The following table describes the parameter settings for deployment in different runtime environments. If your middleware is not included in the following table, you must replace {manager.key} with the value of -Dmanager.key that is displayed on the Add Container tab when you configure the parameters.
Runtime environment
Parameter setting
Spring Boot
To install the RASP agent when an image is being packaged, modify the startup parameters in the Dockerfile and change the startup command for your applications.
Startup command before the change:
CMD ["java","-jar","/app.jar"]
Startup command after the change:
CMD ["java","-javaagent:/rasp/rasp.jar","-Dmanager.key={manager.key}","-jar","/app.jar"]
Tomcat
To install the RASP agent when an image is being packaged, add the following configurations to the Dockerfile:
ENV JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}"
To install the RASP agent when the container is started, add the following parameter to the docker run command:
--env JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}"
For example, if the original startup command of a container is:
docker run -itd --name=test -P <image name>
you must change the startup command to the following command before you start the container to install the RASP agent:
docker run -itd --env JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}" --name=test -P <image name>
WebLogic
You can also click Push RASP Agent on the Push Record tab to push the RASP agent to the server or container on which your applications run and install the agent on the server or container.
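A common failure after following the deployment tables above is that the -javaagent option never reaches the JVM (wrong file edited, placeholder left in place, jar path mistyped), and the instance then simply shows up as not protected. The following added example, which is not part of the Alibaba Cloud documentation or the RASP agent, is a start-up self-check a Java application can run to confirm that a rasp.jar agent argument is present on its own JVM. It assumes Java 7 or later (java.nio.file) and that the agent jar file name is rasp.jar, as in every row of the tables; the class and method names are hypothetical.

```java
import java.lang.management.ManagementFactory;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.List;

/**
 * Added example (not Security Center code): confirm that the RASP agent was
 * really handed to this JVM. It reads the JVM's own input arguments, so it does
 * not matter whether -javaagent came from setenv.sh, start.ini, standalone.sh,
 * jvm.options or JAVA_OPTS in a Dockerfile.
 */
public final class RaspAgentCheck {

    /** Outcome of the check plus a reason an operator can act on. */
    public static final class Result {
        public final boolean loaded;
        public final String reason;
        Result(boolean loaded, String reason) { this.loaded = loaded; this.reason = reason; }
        @Override public String toString() { return (loaded ? "OK: " : "MISSING: ") + reason; }
    }

    /**
     * Pure function over the argument list so it can be exercised with constructed
     * inputs. requireFileExists=false skips the disk check, which is useful when the
     * arguments were collected from another JVM (for example from /proc/<pid>/cmdline).
     */
    static Result evaluate(List<String> jvmArgs, boolean requireFileExists) {
        for (String arg : jvmArgs) {
            // A placeholder copied verbatim from the deployment table is a misconfiguration.
            if (arg.contains("{appId}") || arg.contains("{manager.key}")) {
                return new Result(false, "placeholder not replaced in JVM argument: " + arg);
            }
        }
        for (String arg : jvmArgs) {
            if (!arg.startsWith("-javaagent:")) continue;
            String jar = arg.substring("-javaagent:".length());
            int eq = jar.indexOf('=');                 // -javaagent:<jar>[=<options>]
            if (eq >= 0) jar = jar.substring(0, eq);
            if (!jar.endsWith("rasp.jar")) continue;   // some other agent (APM, profiler)
            if (requireFileExists && !Files.isRegularFile(Paths.get(jar))) {
                return new Result(false, "agent jar not found on disk: " + jar);
            }
            return new Result(true, "RASP agent argument present: " + jar);
        }
        return new Result(false, "no -javaagent:...rasp.jar argument on this JVM");
    }

    /** Check the JVM this code is running in. */
    public static Result checkCurrentJvm() {
        return evaluate(ManagementFactory.getRuntimeMXBean().getInputArguments(), true);
    }

    public static void main(String[] args) {
        Result r = checkCurrentJvm();
        System.out.println(r);
        System.exit(r.loaded ? 0 : 1);
    }
}
```

Run the class with the same JVM options as the application (for example the CATALINA_OPTS or JAVA_OPTS you just configured) and a non-zero exit code tells you the agent would not have been loaded; the same evaluate method can be fed the split command line of an already running process when you audit a fleet. A present -javaagent argument proves the option was delivered, not that the agent registered successfully, so still confirm the instance reaches the Online and authorized state in the console.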
In the Configure Protection Mode After No False Alerts Generated step, configure a protection policy and click OK.
Important: The default protection mode is Monitor. We recommend that you use the Monitor mode for two to five days. If no false positives are reported during this period of time, you can change the protection mode to Block. If a false positive is reported, you can configure a whitelist rule to block the detection type for which the false positive is reported. For more information, see Configure a whitelist.
Parameter
Description
Application Group Name
The name of the application group. You cannot change the name in this step.
Protection Mode
The protection mode of the application group. Valid values:
Monitor: monitors your applications to detect attacks. The running of the applications in the application group is not affected. If an attack is detected, an alert is generated. For this alert, Processing method is Monitoring.
Block: monitors your applications to detect attacks and blocks detected attacks, and monitors high-risk operations on application instances. If an attack is blocked, an alert is generated. For this alert, Processing method is Blocking.
Disable: disables the application protection feature for the application instances in the application group. No attacks are detected or blocked.
Detection timeout
The maximum timeout period for attack detection. Valid values: 1 to 60000. Unit: milliseconds. Default value: 300. After the specified period elapses, the original business logic continues regardless of whether the detection logic is incomplete. We recommend that you use the default value.
SOURCE IP judgment method
The method to obtain source IP addresses. If you select Default, the system obtains source IP addresses based on the values of standard request headers that record source IP addresses. The standard request headers include X-Real-IP, True-Client-IP, and X-Forwarded-For.
If you select Taken from the value that defines the header, the system preferentially obtains source IP addresses based on the values of custom headers. If the system cannot obtain source IP addresses based on the values of custom headers, the value Default takes effect.
Detection type
The types of attacks to detect. We recommend that you retain the default settings. To retain the default settings, select Select All. For more information, see Attack types.
Step 2: View application analysis data
After you add an application process to the application protection feature, you can view application statistics, such as statistics on application behavior, application access, and attack alerts, on the Application Analysis tab.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose .
On the Application Analysis tab, view application statistics, such as statistics on application behavior, application access, and attack alerts.
Section
Description
Application Behavior Analysis (marked 1 in the preceding figure)
Displays statistics on application behavior in the previous seven days.
Total Requests: the total number of application requests that are monitored by the application protection feature after your application processes are added to the application protection feature.
Total Blocks: the total number of attacks that are blocked by the application protection feature.
Total Monitored Attacks: the total number of attacks that are monitored by the application protection feature.
Application Access Statistics (marked 2 in the preceding figure)
Displays application access-related statistics.
Application Group: the total number of application groups that are created within the current Alibaba Cloud account.
Access instance: the number of application processes that are added to the application protection feature.
Authorized Instances: the number of application processes that are added to the application protection feature and are protected by the application protection feature as expected. The application processes are considered authorized instances. When the application protection feature protects an application process, the quota for application protection is deducted by 1.
Remaining Quota: the remaining quota for application protection.
Latest Attack Alert (marked 3 in the preceding figure)
Displays attack alerts that are generated in the previous seven days. If you want to view more attack alerts, you can click Details to go to the Attack Alerts tab. This tab displays all attack alerts.
IP Addresses of Top 10 Attacked Servers (marked 4 in the preceding figure)
Displays the top 10 source IP addresses from which the most attacks are launched in the previous seven days.
Attack Type Distribution (marked 5 in the preceding figure)
Displays the top 5 attack types that are detected in the previous seven days and the distribution of the attack types. If you want to view the number and proportion for each type of attack, you can click Details.
Attack Prevention Trend (marked 6 in the preceding figure)
Displays the number of requests that are monitored or blocked and the distribution of the requests by risk level in the previous seven days. The risk level can be high, medium, or low.
Step 3: View alerts
After you add application processes to the application protection feature, you can perform the following steps to view all alerts that are detected:
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose .
Click the Attack Alerts tab and view information about alerts.
On the Attack Alerts tab, you can view statistics on application behavior and attack statistics for your applications in charts. You can also view the details of each attack in the lower part of the tab. The details include the type, URL, behavior data, and handling method of an attack.
View statistics of application behavior
The Applied behavior statistics section displays the application behavior that is monitored by the application protection feature and the behavior types. Both normal behavior and attack behavior are monitored.
View attack statistics
The Attack statistics section displays the numbers of attacks that are detected by the application protection feature and the types of the attacks.
View attack details
The list in the lower part of the Attack Alerts tab displays the details about each attack. In the list, you can view the time, type, behavior data, application directory, URL, and handling method of each attack. You can also view the behavior details about an attack. To view the behavior details about an attack, find the attack and click Details in the Operation column. In the Details panel, you can view the behavior details, including vulnerability details, request details, and server details.
More features
Configure a whitelist
You can configure a whitelist to allow requests from specific IP addresses. If requests match a whitelist rule that you specify, Security Center does not block or generate alerts on the requests.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose .
Click the Protection Whitelist tab. Then, click Configure Whitelist.
In the Configure Whitelist panel, configure the parameters. The following table describes the parameters.
Parameter
Description
Rule name
Enter a name for the rule in the Rule name field.
Attack Source IP Addresses
Enter the attack source IP addresses that you want to add to the whitelist.
You can enter up to 100 IP addresses or CIDR blocks.
Important: If you enter 0.0.0.0/0, Security Center allows requests from all IP addresses. Proceed with caution.
Request Path
Specify the path that is used to match requests from the IP addresses in the whitelist. You can select one of the following matching methods for the path:
Prefix Match: If requests are sent from IP addresses in the whitelist and the prefixes of the request paths match a specified prefix, the requests are allowed. Example: http://39.104.XX.XX:8080/.
Suffix Match: If requests are sent from IP addresses in the whitelist and the suffixes of the request paths match a specified suffix, the requests are allowed. Example: /Vulns/file/io/read.
Note: When Security Center matches a request path against the specified condition, Security Center ignores the content in the query string. For example, if the request path is http://127.0.XX.XX:8088/Vulns/file/io/read?path=/etc/passwd, Security Center ignores the question mark (?) and the content that follows it. In this example, ?path=/etc/passwd is ignored.
Detection type
If you select a detection type, Security Center ignores the detection result of the selected type.
Click Next. Then, select the application groups on which you want the whitelist rule to take effect and click OK.
After you complete the configuration, the whitelist rule takes effect on all application instances that are in the online state in the selected application groups.
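The SOURCE IP judgment method (custom header first, then the standard headers, then the socket peer) and the whitelist path matching (Prefix Match or Suffix Match with the query string ignored) are easier to reason about in code. The following added example is not Security Center's implementation; it is a model of the behaviour the two sections describe. It assumes the standard headers are consulted in the order X-Real-IP, True-Client-IP, X-Forwarded-For (the page lists them without an order), IPv4 addresses only, and case-insensitive header names; the sample request, the custom header name X-Client-Real-IP, and the addresses (RFC 5737 documentation ranges) are constructed.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Added example, not Security Center code: source-IP resolution plus whitelist matching. */
public final class RaspWhitelistExample {

    // Assumed order for the "Default" judgment method.
    static final List<String> STANDARD_HEADERS =
            Arrays.asList("X-Real-IP", "True-Client-IP", "X-Forwarded-For");

    /** customHeader == null selects the Default method; otherwise the custom header is tried first. */
    static String resolveSourceIp(Map<String, String> headers, String socketPeer, String customHeader) {
        if (customHeader != null) {
            String v = firstAddress(headers, customHeader);
            if (v != null) return v;                 // custom header wins when it carries a value
        }
        for (String name : STANDARD_HEADERS) {       // custom header absent or blank: Default applies
            String v = firstAddress(headers, name);
            if (v != null) return v;
        }
        return socketPeer;                           // no usable header: fall back to the TCP peer
    }

    /** First comma-separated entry of the named header, or null if absent or blank. */
    private static String firstAddress(Map<String, String> headers, String wanted) {
        for (Map.Entry<String, String> e : headers.entrySet()) {
            if (e.getKey().equalsIgnoreCase(wanted)) {
                String first = e.getValue().split(",")[0].trim();
                return first.isEmpty() ? null : first;
            }
        }
        return null;
    }

    enum PathMatch { PREFIX, SUFFIX }

    static final class WhitelistRule {
        final String name;
        final List<String> sourceCidrs;   // the page allows up to 100 addresses or CIDR blocks
        final PathMatch mode;
        final String pattern;

        WhitelistRule(String name, List<String> sourceCidrs, PathMatch mode, String pattern) {
            this.name = name; this.sourceCidrs = sourceCidrs; this.mode = mode; this.pattern = pattern;
        }

        /** The 0.0.0.0/0 case the page flags: the rule would allow every source address. */
        boolean allowsAllSources() { return sourceCidrs.contains("0.0.0.0/0"); }

        boolean matches(String sourceIp, String requestUrl) {
            boolean listed = false;
            for (String c : sourceCidrs) { if (inCidr(sourceIp, c)) { listed = true; break; } }
            if (!listed) return false;
            int q = requestUrl.indexOf('?');          // query string is ignored for matching
            String path = q >= 0 ? requestUrl.substring(0, q) : requestUrl;
            return mode == PathMatch.PREFIX ? path.startsWith(pattern) : path.endsWith(pattern);
        }
    }

    /** IPv4 CIDR containment; a bare address is treated as /32. */
    static boolean inCidr(String ip, String cidr) {
        String[] parts = cidr.split("/");
        int prefixLen = parts.length == 2 ? Integer.parseInt(parts[1]) : 32;
        int mask = prefixLen == 0 ? 0 : (-1 << (32 - prefixLen)); // Java masks shift counts, so /0 is special-cased
        return (ipv4ToInt(parts[0]) & mask) == (ipv4ToInt(ip) & mask);
    }

    static int ipv4ToInt(String ip) {
        String[] octets = ip.trim().split("\\.");
        if (octets.length != 4) throw new IllegalArgumentException("not an IPv4 address: " + ip);
        int v = 0;
        for (String o : octets) {
            int b = Integer.parseInt(o);
            if (b < 0 || b > 255) throw new IllegalArgumentException("bad octet in " + ip);
            v = (v << 8) | b;
        }
        return v;
    }

    public static void main(String[] args) {
        // Constructed sample request behind a reverse proxy.
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("X-Forwarded-For", "203.0.113.7, 10.0.0.2");
        headers.put("X-Client-Real-IP", "198.51.100.20");
        String url = "http://127.0.0.1:8088/Vulns/file/io/read?path=/etc/passwd";

        String byDefault = resolveSourceIp(headers, "10.0.0.2", null);
        String byCustom = resolveSourceIp(headers, "10.0.0.2", "X-Client-Real-IP");

        WhitelistRule scanner = new WhitelistRule("internal-scanner",
                Arrays.asList("198.51.100.0/24"), PathMatch.SUFFIX, "/Vulns/file/io/read");
        System.out.println("custom-header IP " + byCustom + " allowed: " + scanner.matches(byCustom, url));
        System.out.println("default IP " + byDefault + " allowed: " + scanner.matches(byDefault, url));

        WhitelistRule broad = new WhitelistRule("everything",
                Arrays.asList("0.0.0.0/0"), PathMatch.PREFIX, "http://");
        if (broad.allowsAllSources()) {
            System.out.println("rule '" + broad.name + "' allows all source IPs; review it before saving");
        }
    }
}
```

Two design points follow from the model. First, the resolved source IP is only as trustworthy as the proxy chain that sets those headers: X-Forwarded-For and similar headers are supplied by whoever sends the request unless a trusted reverse proxy overwrites them, so a whitelist keyed on a header-derived address should use a custom header that only your own proxy sets (the Taken from the value that defines the header option) rather than the Default headers. Second, because the query string is dropped before Prefix Match or Suffix Match, a whitelist entry scoped to a path allows every query against that path from the listed addresses; keep the address list as narrow as the scanner or integration requires and treat 0.0.0.0/0 as the page does.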
Manage the remaining quota
View the remaining quota for application protection
When an application instance is protected, the quota for application protection is deducted by 1. You can use the application protection feature only when you have a sufficient quota. After you purchase a quota for application protection, you can view the remaining quota on the Application Configurations tab of the Application Protection page.
Increase the quota for application protection
If the number of application instances that require protection exceeds the remaining quota, you can purchase an additional quota. To purchase an additional quota, go to the Application Protection page and click the Application Configurations tab. Then, click Upgrade to the right of Remaining Quota. In the panel that appears, configure the Quota for Application Protection parameter.
Manage application instances
After you create an application group, you can perform the following operations to manage the application instances in the application group:
View the authorized instances that are protected by the application protection feature
On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click the number in the Authorized Instances column.
View the application instances that are added to the application protection feature
On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click the number in the Access instance column. If an update icon appears to the right of a value in the RASP Version column, a new version of the RASP agent is available for the application instance. We recommend that you restart your application to automatically update the agent.
The following list describes the status of an application instance:
Online and authorized: The application instance is protected by the application protection feature.
Online and unauthorized: The application instance is added to the application protection feature but is not protected because the quota for application protection is insufficient. You can click Upgrade to the right of Remaining Quota to purchase an additional quota.
Offline: The application instance is not added to the application protection feature.
Add an application instance
On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click Access Management in the Operation column. In the Access Management panel, add your application process to the application group by using the automatic or manual access method. The Automatic Access tab displays only the servers that are selected for the application group.
Remove an application instance
On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click Access Management in the Operation column. In the Access Management panel, uninstall the RASP agent based on the method that you use to add your application process.
Automatic Access: On the Automatic Access tab, select the server from which you want to uninstall the RASP agent and click Batch Disable Protection. You can also turn off the switch in the Application Protection column for the server.
Important: If you no longer require application protection for a server, you can turn off the switch in the Application Protection column and remove the server.
On the Automatic Access tab, find the server that you want to remove and click Delete in the Actions column. You can also select multiple servers and click Batch Delete to remove the servers from the application group at a time.
Manual Access: To uninstall the RASP agent, remove the JVM parameters that are used to add your application process and then restart the application.
Edit a protection policy
On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click Protection strategy in the Operation column. In the Protection strategy panel, modify the settings of parameters such as Protection Mode and Detection timeout.
Delete an application group
After you delete an application group, the application protection feature is disabled for all application instances in the application group. Before you delete an application group, make sure that you no longer need to protect the application instances in the application group.
Before you delete an application group, make sure that no authorized instances exist in the application group or the switch in the Application Protection column is turned off for all servers that are displayed on the Application Protection tab.
On the Application Configurations tab of the Application Protection page, find the application group that you want to delete and click Delete in the Operation column. In the message that appears, click OK.
FAQ
What types of applications can be protected by the application protection feature?
Only Java applications can be protected by the application protection feature.
Does the application protection feature affect the running of applications?
The impact on running applications is almost negligible because the application protection feature provides good control over performance, compatibility, and stability. In actual tests, the CPU overhead is less than 1%, the memory overhead is less than 30 MB, and the response time (RT) is less than 1 ms. The application protection feature provides the protection modes of Monitor, Block, and Disable and also provides the soft fuse mechanism. This minimizes interference to running applications.
How do I use the application protection feature to protect applications?
The application protection feature provides a lower false positive rate on attack detection than traditional detection techniques that are based on traffic characteristics. We recommend that you take the attacks detected by the application protection feature seriously. After you add an application to the application protection feature, the feature protects the application in Monitor mode, which is the default protection mode. After the application runs stably for a period of time, you can change the protection mode from Monitor to Block.
Why is no attack data displayed in the Attack statistics section?
This issue may be caused by the following reasons:
The application is not added to the application protection feature. You can add your application process to the application protection feature again. For more information, see Step 1: Add applications for protection.
No real attacks are detected. Unlike traditional firewalls, the application protection feature records only real attacks. Traditional firewalls report attacks when the presence of malicious attack characteristics in packets is detected. However, the presence of malicious attack characteristics does not indicate real attacks. For example, the attack requests that exploit PHP vulnerabilities are ineffective in the Java environment. If a real attack is detected, the attacker has broken through the outer defense and can enter the internal environment of the application to perform risky operations. An application may not have a large number of real attacks. However, you must intercept attacks or fix vulnerabilities in a timely manner when real attacks are detected.