Web Application Firewall:Protect an ECS instance from HTTP flood attacks

Web Application Firewall (WAF). blocks malicious traffic, DDoS attacks, and automated threats before they reach your web applications. This guide shows you how to onboard your ECS instance to WAF and configure HTTP flood attack defense.

Applicable scope

• The ECS instance hosts a web service that is accessible over a public IP address.

• The ECS instance must be in one of the following regions:

  • China regions: China (Chengdu), China (Beijing), China (Zhangjiakou), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Qingdao), China (Hong Kong)

  • Global regions: Malaysia (Kuala Lumpur), Indonesia (Jakarta), or Singapore

  If your ECS instance is not in a supported region, use CNAME access.

Step 1: Activate a pay-as-you-go WAF instance

1. Go to the Web Application Firewall 3.0 (Pay-As-You-Go) purchase page.

2. Set Product Type to Web Application Firewall 3.0 and Billing Method to Pay-as-you-go. Then, configure the following settings.

   Parameter	Description
   Region	The region of the WAF instance. Set it to the same region as your ECS instance. Options: Chinese Mainland Outside Chinese Mainland
   Version	Defaults to Pay-as-you-go 3.0. No configuration is needed.
   Traffic Billing Protection Threshold	Keep the default value. You can change it later.
   Service-Linked Role	WAF needs to access your cloud service resources to provide services such as traffic access control and monitoring analytics. Click Create Service-Linked Role. The system automatically creates the AliyunServiceRoleForWaf role. Do not manually modify this role.

3. Click Buy Now and complete the payment.

Step 2: Onboard the ECS instance to WAF

1. Log on to the Web Application Firewall 3.0 console. In the top menu bar, select a resource group and a region (Chinese Mainland or Outside Chinese Mainland). In the left navigation pane, click Onboarding. Then select the Cloud Native tab. From the cloud product type list, select Elastic Compute Service (ECS).

2. Find your target ECS instance and click Add Now in the Actions column. If the instance is not in the list, click Synchronize Assets in the upper-right corner.

3. Configure your website protocol and port:

   1. In the Select instances & ports to protect section, click Add Port in the Actions column.

   2. In the Add Port dialog box, configure the port and protocol.

      Website type	Protocol	Port	Additional configuration
      HTTP (http://yourdomain.com)	HTTP	80	None
      HTTPS (https://yourdomain.com)	HTTPS	443	Upload SSL certificate or select existing
      Custom port (http://yourdomain.com:8080)	HTTP/HTTPS	Custom port	Match your actual configuration

      Upload SSL certificate or select existing

      1. In the Port field, enter the port number that the website uses.

      2. In the Protocol Type section, select HTTPS.

      3. Keep the default settings for HTTP2, TLS Version, Cipher Suite, and Additional Certificate.

      4. In the Default Certificate section, select a method to upload the certificate.

         • Manual upload: For certificates managed outside of Alibaba Cloud Certificate Management Service (Original SSL Certificate).

         • Select existing certificate: For certificates already issued by or uploaded to Alibaba Cloud Certificate Management Service (Original SSL Certificate).

      Manual upload

      • Certificate Name: Enter a unique name for the certificate. The name cannot be the same as that of an existing certificate.

      • Certificate File: Open the certificate file in a text editor and paste the content of the certificate. The certificate must be in the PEM, CER, or CRT format.

      • Example format: -----BEGIN CERTIFICATE-----......-----END CERTIFICATE-----

        • Format conversion: If your certificate is in a format such as PFX or P7B, use a certificate tool to convert it to the PEM format.

        • Certificate chain: If an intermediate certificate is included, paste the server certificate first, followed by the intermediate certificate.

      • Private Key: Open the private key file in a text editor and paste the content of the private key. The private key must be in the PEM format.

      • Example format: -----BEGIN RSA PRIVATE KEY-----......-----END RSA PRIVATE KEY-----

      Select existing certificate

      From the certificate drop-down list, select the certificate that you want to upload to WAF.

      Note

      If the WAF console displays the message "Failed to verify the integrity of the certificate chain. If you use this certificate, service access may be affected.", the certificate chain is incomplete. Verify that the certificate content is correct and complete, and then upload it again in the Certificate Management Service console. For more information, see Upload, synchronize, and share SSL certificates.

4. Keep the default values for the other settings and click OK.

   Once onboarding is complete, the protection status of the ECS instance will change to Full Protection. WAF automatically creates a protected object using the format instance ID-port-asset type. By default, standard protection rules (such as Web Core Protection) are enabled for this object. You can view and manage it on the Protection Configuration > Protected Objects page.

5. Verify the basic protection: Append an attack string to your website URL (such as http://yourdomain/alert(xss)). If a WAF 405 block page appears, the protection is active.

Step 3: Configure HTTP flood protection

HTTP flood attacks overwhelm servers with high-frequency requests. Configure protection rules:

1. In the left navigation pane, choose Protection Configuration > Core Web Protection.

2. In the HTTP Flood Protection section at the bottom of the page, click Create Template.

3. In the Create Template panel, complete the following configuration.

   Parameter	Description
   Template Name	Enter a descriptive name for the template, such as ECS-HTTP-Flood-Protection.
   Save as Default Template	Keep it off.
   Rule Action	Select the action to take when a request hits the rule. Options: Protection: Suitable for daily protection. This mode blocks only highly abnormal requests and has a low false positive rate. Protection-emergency: Suitable for emergency recovery when high-frequency HTTP flood attacks cause business exceptions. It efficiently blocks HTTP flood attacks but may have a higher false positive rate. Enable this if the Protection mode fails and you observe website response delays, traffic surges, or abnormal CPU or memory usage. Note The Protection-emergency mode is for webpages or H5 pages. It does not apply to API or native app services.
   Apply To	In the Available Objects section, select the protected object that corresponds to the ECS instance. Click the icon to move it to the Selected section on the right.

   

4. Click OK.

Step 4: Monitor attack traffic

After you complete the configuration, go to the Overview page from the left navigation pane. On this page, you can view information such as Protection Overview and Top 10 Attacks for business security analytics.

Next steps:

• Continue to use WAF (recommended): Proceed to Advanced optimization.

• Stop using WAF: Proceed to Release resources to stop billing.

Advanced optimization: Enhance protection and control costs

Based on the configuration provided in this guide, if you wish to continue using WAF, you can further adjust the settings as follows to adapt to your specific business characteristics. This will help you achieve enhanced security posture and lower costs.

• Multi-module collaborative protection: This topic covers how to enable the HTTP Flood Protection module, which you can combine with the following protection modules for collaborative defense.

  • Custom Rules: Use flexible match conditions and rule actions for precise protection against specific attack patterns. For example, you can configure frequency control rules to limit access.

  • Whitelist: Allow requests that meet specified criteria, such as requests from trusted IP addresses.

  • IP Blacklist: Block access from known malicious IP addresses.

  • Geo-blocking: Block requests from specific geographic regions with a single click. For example, if your business serves users only in the Chinese mainland and you detect many attacks from other countries, you can enable this feature.

• Advanced onboarding configuration: WAF provides multiple methods to access resources. Choose a method as needed.

  • Onboard ECS instances in cloud native mode: Quickly add cloud product instances. To configure TLS versions, cipher suites, or multiple certificates, see Enhance security protection (HTTPS). To configure Layer 7 proxy settings in front of WAF, such as for a CDN, or to configure traffic tagging, see Obtain real client information.

  • CNAME access: Add resources using domain names. This method is more widely applicable, has fewer limits, and supports more features.

• Cost optimization suggestions:

  • Traffic billing protection: To prevent high costs from QPS surges during large-scale attacks, set a traffic billing protection threshold to limit the peak QPS that WAF can process.

  • SeCU resource plan: A cost-effective solution for pay-as-you-go WAF. After you activate a pay-as-you-go WAF instance, you can purchase a SeCU resource plan to offset the total fees of the pay-as-you-go WAF.

  • Subscription WAF: If you plan to use WAF for a long term, purchase a subscription WAF instance for a better unit price.

Release resources to stop billing

If you no longer need the WAF instance after completing this quick start, follow these steps to disable WAF and stop billing.

1. In the left navigation pane, go to the Overview page. In the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) of the WAF instance.

2. If the following page is displayed, click Go to Console in the upper-right corner. If this page is not displayed, skip this step.

3. In the section on the right side of the page, click Terminate WAF Service. In the dialog box that appears, select the relevant check boxes and click OK.