Web Application Firewall: Protect an ECS instance from HTTP flood attacks

Last Updated:Mar 31, 2026

Web Application Firewall (WAF) filters malicious traffic and HTTP flood attacks before they reach your ECS instance. This guide walks you through activating WAF, onboarding your ECS instance, and configuring HTTP flood protection — from zero to a working defense in four steps.

Prerequisites

Before you begin, make sure that:

  • Your ECS instance hosts a web service accessible over a public IP address

  • Your ECS instance is in one of the following supported regions:

    • China regions: China (Chengdu), China (Beijing), China (Zhangjiakou), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Qingdao), China (Hong Kong)

    • Global regions: Malaysia (Kuala Lumpur), Indonesia (Jakarta), or Singapore

If your ECS instance is not in a supported region, use CNAME access instead.

Step 1: Activate a pay-as-you-go WAF instance

Warning

Pay-as-you-go WAF starts billing as soon as you activate it, even before you add any resources. If you only need WAF temporarily, release the instance when you are done. See Release resources to stop billing.

  1. Go to the Web Application Firewall 3.0 (Pay-As-You-Go) purchase page.

  2. Set Product Type to Web Application Firewall 3.0 and Billing Method to Pay-as-you-go, then configure the following settings.

    • Region: The region of the WAF instance. Set it to the same region as your ECS instance. Options: Chinese Mainland or Outside Chinese Mainland.

    • Version: Defaults to Pay-as-you-go 3.0. No configuration needed.

    • Traffic billing protection threshold: Keep the default value. You can change it later.

    • Service-linked role: WAF needs access to your cloud resources for traffic control and monitoring. Click Create Service-Linked Role. The system automatically creates the AliyunServiceRoleForWaf role. Do not modify this role manually.

  3. Click Buy Now and complete the payment.

Step 2: Onboard the ECS instance to WAF

  1. Log in to the Web Application Firewall 3.0 console. In the top menu bar, select a resource group and a region (Chinese Mainland or Outside Chinese Mainland). In the left navigation pane, click Onboarding, select the Cloud Native tab, then select Elastic Compute Service (ECS) from the cloud product type list.

  2. Find your ECS instance and click Add Now in the Actions column. If the instance is not listed, click Synchronize Assets in the upper-right corner.

  3. Configure your website protocol and port:

    1. In the Select instances & ports to protect section, click Add Port in the Actions column.

    2. In the Add Port dialog box, configure the port and protocol based on your website type.

      • HTTP website (http://yourdomain.com): protocol HTTP, port 80, no additional configuration.

      • HTTPS website (https://yourdomain.com): protocol HTTPS, port 443, upload an SSL certificate or select an existing one.

      • Custom port (for example http://yourdomain.com:8080): protocol HTTP or HTTPS, with the port and protocol matching your actual server configuration.

    For HTTPS, configure the following additional settings in the Add Port dialog box:

    1. Enter the port number in the Port field.

    2. In Protocol Type, select HTTPS.

    3. Keep the default settings for HTTP/2, TLS Version, Cipher Suite, and Additional Certificate.

    4. In the Default Certificate section, choose how to provide your certificate:

      Manual upload: for certificates not managed in Alibaba Cloud Certificate Management Service (Original SSL Certificate).

      • Certificate Name: Enter a unique name. It cannot match an existing certificate name.

      • Certificate File: Paste the certificate content from a text editor. Accepted formats: PEM, CER, or CRT.

        • Example: -----BEGIN CERTIFICATE-----......-----END CERTIFICATE-----

        • If your certificate is in PFX or P7B format, use the certificate tool to convert it to PEM first.

        • If the certificate includes an intermediate certificate, paste the server certificate first, then the intermediate certificate.

      • Private Key: Paste the private key content. The private key must be in PEM format and must be the key that belongs to the server certificate.

        • Example: -----BEGIN RSA PRIVATE KEY-----......-----END RSA PRIVATE KEY-----

      Select existing certificate: for certificates already issued or uploaded to Alibaba Cloud Certificate Management Service (Original SSL Certificate). Select the certificate from the dropdown list.

    If the console displays "Failed to verify the integrity of the certificate chain. If you use this certificate, service access may be affected.", the certificate chain is incomplete, usually because the intermediate certificate is missing. Verify the certificate content, then re-upload it in the Certificate Management Service console. See Upload, synchronize, and share SSL certificates.
  4. Keep the default values for the other settings and click OK. Once onboarding is complete, the ECS instance protection status changes to Full Protection. WAF automatically creates a protected object named in the format instance ID-port-asset type. By default, standard protection rules including Web Core Protection are enabled. Manage protected objects under Protection Configuration > Protected Objects.

  5. Verify that basic protection is active: append an attack string to your URL, such as http://yourdomain/alert(xss). If the WAF 405 block page appears, protection is working. Also request a normal page to confirm that legitimate traffic still reaches the ECS instance through WAF.
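Before pasting certificate material into the Add Port dialog box, it pays to check locally that the first PEM block really is the server certificate, that it belongs to the private key, and that the intermediate completes the chain, since those are the conditions behind the chain-integrity warning in step 3. The script below is an added example written for this page, not Alibaba Cloud tooling. It uses only the openssl command-line tool, builds a constructed root/intermediate/leaf test PKI (the hostname www.example.com, the file names and the PFX password are placeholders), and then runs the checks, including the PFX-to-PEM conversion that step 3 calls for:

```sh
#!/bin/sh
# Added example for this page (not Alibaba Cloud tooling): local pre-flight
# checks on a certificate bundle and private key before pasting them into the
# WAF Add Port dialog. Needs only the openssl CLI. The PKI built below is a
# constructed fixture (www.example.com, file names and the PFX password are
# placeholders); no real key material is involved.
set -u

# Build a throwaway PKI in directory $1: root CA -> intermediate CA -> server leaf.
# Produces root.pem, int.pem, leaf.pem, leaf.key and a PFX bundle leaf.pfx.
make_test_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$d/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > "$d/leaf.ext"
  # Self-signed root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Test Root" \
    -keyout "$d/root.key" -out "$d/root.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
    -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1 || return 1
  # Intermediate, signed by the root and allowed to issue certificates.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Test Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.pem" >/dev/null 2>&1 || return 1
  # Server certificate, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 1 -extfile "$d/leaf.ext" -out "$d/leaf.pem" >/dev/null 2>&1 || return 1
  # The same material packaged as PFX, the way a CA portal or Windows export delivers it.
  openssl pkcs12 -export -in "$d/leaf.pem" -inkey "$d/leaf.key" -certfile "$d/int.pem" \
    -passout pass:constructed-password -out "$d/leaf.pfx" >/dev/null 2>&1
}

# Succeeds when the FIRST certificate in bundle $1 belongs to private key $2.
# openssl x509 reads only the first PEM block, which is the block the dialog
# treats as the server certificate, so this doubles as an ordering check:
# a bundle with the intermediate pasted first fails here.
first_cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when bundle $1 (server certificate first, intermediates after) chains
# to trusted root $2. A bundle whose intermediate is missing fails here, which
# is the condition behind the console's "integrity of the certificate chain" warning.
chain_verifies() {
  openssl x509 -in "$1" -out "$1.leaf" 2>/dev/null || return 1
  openssl verify -CAfile "$2" -untrusted "$1" "$1.leaf" >/dev/null 2>&1
}

# Convert PFX $1 (password $2) into PEM certificate $3 and PEM private key $4.
# The raw pkcs12 output carries "Bag Attributes" header lines; re-encoding with
# x509/pkey leaves only the PEM blocks to paste (the key comes out in PKCS#8 PEM form).
pfx_to_pem() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3.raw" 2>/dev/null || return 1
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$4.raw" 2>/dev/null || return 1
  openssl x509 -in "$3.raw" -out "$3" 2>/dev/null || return 1
  openssl pkey -in "$4.raw" -out "$4" 2>/dev/null
}

# Stand-alone demonstration: builds the fixture, then runs each check on a
# correct bundle, a reversed bundle and a bundle missing its intermediate.
# Returns 0 only when every check gives the expected result.
run_demo() {
  w=$(mktemp -d) || return 1
  make_test_pki "$w" || return 1
  cat "$w/leaf.pem" "$w/int.pem" > "$w/good.pem"       # correct order
  cat "$w/int.pem"  "$w/leaf.pem" > "$w/reversed.pem"   # intermediate first
  cp  "$w/leaf.pem" "$w/leaf-only.pem"                  # intermediate missing
  pfx_to_pem "$w/leaf.pfx" constructed-password "$w/pfx.crt" "$w/pfx.key" || return 1
  ok=0
  first_cert_matches_key "$w/good.pem" "$w/leaf.key"     && echo "good bundle: key matches"    || ok=1
  chain_verifies "$w/good.pem" "$w/root.pem"             && echo "good bundle: chain verifies" || ok=1
  first_cert_matches_key "$w/reversed.pem" "$w/leaf.key" && ok=1 || echo "reversed bundle: first cert is not the server cert"
  chain_verifies "$w/leaf-only.pem" "$w/root.pem"        && ok=1 || echo "leaf-only bundle: chain incomplete"
  first_cert_matches_key "$w/pfx.crt" "$w/pfx.key"       && echo "pfx conversion: key matches" || ok=1
  rm -rf "$w"
  return $ok
}

# Usage: sh waf-cert-check.sh --demo
[ "${1:-}" = "--demo" ] && run_demo
```

Run with `--demo` to see the three outcomes side by side. Against your own material, call `first_cert_matches_key bundle.pem server.key` and `chain_verifies bundle.pem root.pem` with the files you intend to paste; the second check needs the root that issued your chain, so use the CA's published root certificate rather than a system trust store if you want the result to mean exactly what the console checks.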

Step 3: Configure HTTP flood protection

HTTP flood attacks overwhelm servers with a high volume of requests. Configure a protection template to defend against them.

  1. In the left navigation pane, choose Protection Configuration > Core Web Protection.

  2. In the HTTP Flood Protection section at the bottom of the page, click Create Template.

  3. In the Create Template panel, configure the following settings.

    Warning

    Strict Mode applies only to web (including H5) services. Do not apply it to API endpoints or native applications — it will cause excessive false blocking.

    • Template Name: Enter a descriptive name, such as ECS-HTTP-Flood-Protection.

    • Save as Default Template: Keep it off.

    • Defense Mode: See the mode comparison below.

    • Action: Select JavaScript Validation.

    • Apply To: In the Available Objects section, select the protected object that corresponds to your ECS instance and move it to the Selected section.

    Choose a defense mode:

    • Normal Mode: Blocks requests with significant abnormal characteristics and has a low false positive rate. Start here for most cases; it is suitable for daily operations and stable traffic.

    • Strict Mode: Uses high-intensity detection. It is more effective against floods but carries a higher false positive risk. Switch to it only when Normal Mode is insufficient and you observe response delays or abnormal CPU or memory load on the ECS instance.

  4. Click OK.

Step 4: Monitor attack traffic

After completing the configuration, go to the Overview page from the left navigation pane. The Protection Overview and Top 10 Attacks sections provide a real-time view of blocked attacks and traffic patterns.

Release resources to stop billing

If you no longer need WAF after completing this guide, follow these steps to stop billing.

Warning

Pay-as-you-go WAF charges for the instance itself plus request processing. Fees are generated as soon as you activate WAF, even if no resources have been added. Terminate the instance as soon as you no longer need it to prevent further charges. If you configured CNAME access in addition to the cloud native mode described in this guide, switch the DNS records for the affected domain names back to your origin server before terminating the WAF instance; otherwise traffic for those domain names will break.

  1. In the left navigation pane, go to Overview. In the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) of the WAF instance.

  2. If the console shows a page with a Go to Console button in the upper-right corner, click it. If that page is not shown, skip this step.

  3. On the right side of the page, click Terminate WAF Service. In the dialog box, select the relevant checkboxes and click OK.

What's next

Add more protection modules:

  • Custom Rules — configure frequency control rules or match conditions to block specific attack patterns

  • Whitelist — allow requests from trusted IP addresses

  • IP Blacklist — block known malicious IP addresses

  • Geo-blocking — block traffic from specific geographic regions with a single click

Explore other onboarding methods:

Manage costs: