An HTTP flood attack is a type of Distributed Denial of Service (DDoS) attack that exhausts a server's computing resources or database connections by sending a high volume of concurrent requests. This causes slow business responses and page load times, marked by surges in queries per second (QPS) and increased bandwidth consumption. Use Web Application Firewall (WAF) to protect your public-facing Elastic Compute Service (ECS) instances from these attacks. This effectively mitigates HTTP flood attacks and ensures business stability.
Usage notes
The ECS instance hosts a web service that is accessible over a public IP address.
The ECS instance is in one of the following regions: China (Chengdu), China (Beijing), China (Zhangjiakou), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Qingdao), China (Hong Kong), Malaysia (Kuala Lumpur), Indonesia (Jakarta), or Singapore. If your instance is not in one of these regions, use CNAME Record mode.
Step 1: Activate a pay-as-you-go WAF instance
Go to the Web Application Firewall 3.0 (Pay-as-you-go) purchase page.
Set Product Type to Web Application Firewall 3.0 and Billing Method to Pay-as-you-go. Then, configure the following settings.
Parameter
Description
Region
This determines the location of the WAF protection nodes. If the ECS instance hosting your website is in the Chinese mainland, select Chinese Mainland. Otherwise, select Outside Chinese Mainland.
Version
The default is Pay-as-you-go 3.0. No configuration is needed.
Traffic Billing Protection Threshold
Keep the default value. You can change it later.
Service-linked Role
WAF needs to access your cloud resources to provide services such as traffic access control and monitoring analytics. Click Create Service-linked Role. The system automatically creates the AliyunServiceRoleForWaf role. Do not manually modify this role.
Click Buy Now and complete the purchase.
Step 2: Onboard the ECS instance
Log on to the Web Application Firewall 3.0 console. In the top menu bar, select a resource group and a region (Chinese Mainland or Outside Chinese Mainland). In the navigation pane on the left, click Onboarding. Click the Cloud Native tab. From the cloud product type list on the left, select Elastic Compute Service (ECS).
In the list on the right, find the target ECS instance and click Add Now in the Actions column. If you cannot find the instance, click Synchronize Assets in the upper-right corner of the page. If the instance is still not found, it does not meet the requirements specified in the Usage notes section.

In the Select instances & ports to protect section, in the Actions column, click Add Port.
In the Add Port dialog box, configure the port and protocol type for your website.
Standard HTTP website (http://yourdomain)
Set Protocol Type to HTTP and Port to 80.
Standard HTTPS website (https://yourdomain)
Set Protocol Type to HTTPS and Port to 443.
Non-standard port website (http://domain:port or https://domain:port)
Enter the actual port number. For example, for https://yourdomain:8443, set Port to 8443.
HTTP website
In the Port field, enter your website's port.
For the Protocol Type, select HTTP.
HTTPS website
In the Port field, enter the port for your website.
Set Protocol Type to HTTPS.
You can keep the default settings for HTTP2, TLS Version, Cipher Suite, and Additional Certificate.
In the Default Certificate section, select how to upload the certificate:
Upload: Use this option if the certificate is not uploaded to Alibaba Cloud Certificate Management Service (Original SSL Certificate).
Select Existing Certificate: Use this option to use a certificate that is issued or uploaded in Alibaba Cloud Certificate Management Service (Original SSL Certificate).
Upload
Certificate Name: Enter a name for the certificate. The name must be unique.
Certificate File: Open your certificate file (in PEM, CER, or CRT format) with a text editor and paste the content.
Example format:
-----BEGIN CERTIFICATE-----......-----END CERTIFICATE-----
Format conversion: If your certificate is in a format such as PFX or P7B, use a certificate tool to convert it to the PEM format.
Certificate chain: If an intermediate certificate is included, paste the server certificate followed by the intermediate certificate.
Private Key: Open your private key file (in PEM format) with a text editor and paste the content.
Example format:
-----BEGIN RSA PRIVATE KEY-----......-----END RSA PRIVATE KEY-----
Select Existing Certificate
Select the desired certificate from the drop-down list.
Note: If the WAF console displays the message "Failed to verify the integrity of the certificate chain. If you use this certificate, service access may be affected.", the certificate chain is incomplete. Verify that the certificate content is correct and complete, and then upload it again in the Certificate Management Service console. For more information, see Upload, synchronize, and share SSL certificates.
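Before pasting, you can lint the text destined for the Certificate File box. The following Python script is an added example, not part of this guide or of any Alibaba Cloud tooling: it splits the PEM blocks, rejects corrupt base64 or a stray private key, and checks that each certificate's issuer name equals the next certificate's subject name, which is exactly what "server certificate followed by the intermediate certificate" requires. The sample certificates are constructed, unsigned X.509-shaped DER built inline purely to exercise the check; make_test_cert, check_certificate_field and the other names are this example's own.

```python
import base64
import re

# One PEM block: label in the BEGIN/END lines, base64 body in between.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def parse_pem(text):
    """Split pasted PEM text into (label, DER bytes) pairs; raises ValueError on corrupt base64."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split()), validate=True))
            for m in PEM_BLOCK.finditer(text)]


def der_items(buf):
    """Yield the top-level DER TLV items of buf as (tag, content) pairs."""
    pos = 0
    while pos < len(buf):
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:                      # long-form length: next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        yield tag, buf[pos:pos + length]
        pos += length


def cert_names(cert_der):
    """Return (issuer, subject) as raw DER Name contents of an X.509 certificate."""
    tbs = next(der_items(next(der_items(cert_der))[1]))[1]   # Certificate -> tbsCertificate
    fields = list(der_items(tbs))
    if fields[0][0] == 0xA0:                  # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]


def check_certificate_field(text):
    """Return the problems found in text destined for the WAF 'Certificate File' box."""
    try:
        blocks = parse_pem(text)
    except ValueError as exc:
        return [f"corrupt base64 in a PEM block: {exc}"]
    problems = []
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    if not certs:
        problems.append("no CERTIFICATE block found")
    if any("PRIVATE KEY" in label for label, _ in blocks):
        problems.append("a PRIVATE KEY block is present; the key belongs in the separate Private Key field")
    try:
        names = [cert_names(c) for c in certs]
    except (IndexError, StopIteration):
        return problems + ["a CERTIFICATE block is not parseable as X.509"]
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:    # issuer of cert i must be the subject of cert i+1
            problems.append(f"certificate #{i + 1} was not issued by certificate #{i + 2}: "
                            "paste the server certificate first, then each intermediate in order")
    return problems


# --- Constructed sample input (not real certificates) ---------------------------------------

def _der(tag, content):
    """Minimal DER TLV encoder (short and long length forms)."""
    if len(content) < 0x80:
        length = bytes([len(content)])
    else:
        lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _name(cn):
    """Name ::= SEQUENCE OF RDN; one RDN = SET OF { commonName OID 2.5.4.3, UTF8String }."""
    atv = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def make_test_cert(subject_cn, issuer_cn):
    """Constructed, unsigned X.509-shaped DER, used only to exercise the ordering check."""
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")) + _der(0x05, b""))
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                                   # version v3
           + _der(0x02, b"\x01")                                              # serialNumber
           + sha256_rsa                                                       # signature algorithm
           + _name(issuer_cn)
           + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))  # validity
           + _name(subject_cn)
           + _der(0x30, b""))                                                 # subjectPublicKeyInfo placeholder
    return _der(0x30, _der(0x30, tbs) + sha256_rsa + _der(0x03, b"\x00"))    # empty signature


def to_pem(label, der):
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


LEAF = make_test_cert("www.example.com", "Example Intermediate CA")
INTERMEDIATE = make_test_cert("Example Intermediate CA", "Example Root CA")
GOOD_FIELD = to_pem("CERTIFICATE", LEAF) + to_pem("CERTIFICATE", INTERMEDIATE)
REVERSED_FIELD = to_pem("CERTIFICATE", INTERMEDIATE) + to_pem("CERTIFICATE", LEAF)

if __name__ == "__main__":
    print("correct order:", check_certificate_field(GOOD_FIELD) or "ok")
    print("reversed order:", check_certificate_field(REVERSED_FIELD))
```

The script checks names only and does not verify signatures; it catches the paste and ordering mistakes that lead to the "Failed to verify the integrity of the certificate chain" message before you upload, and leaves full chain validation to a certificate tool.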
Keep the other settings as default and click OK.
(Optional) View the protected object: After the ECS instance is onboarded, WAF automatically creates a protected object named instance ID-port-asset type. By default, WAF enables protection rules for this object, such as web core protection rules. You can view the protected object on the page.
Verify basic protection: Open your website in a browser and append a web attack test string to the URL (for example, http://yourdomain/alert(xss)). If the browser returns a WAF 405 error page, the request was blocked and WAF protection is active.
Step 3: Configure HTTP flood protection rules
In the left navigation pane, choose .
At the bottom of the page, in the HTTP Flood Protection section, click Create Template.

In the Create Template panel, configure the following parameters.
Parameter
Description
Template Name
Enter a descriptive name for the template.
Save as Default Template
Keep this switch off.
Rule Action
Select the action for requests that match the rule. Options include:
Protection: Suitable for routine protection. This mode blocks only highly anomalous requests and has a low false positive rate.
Protection - emergency: Suitable for emergency recovery when high-frequency HTTP flood attacks cause business exceptions. It efficiently blocks HTTP flood attacks but may have a higher false positive rate. Enable this mode if the Protection mode cannot effectively stop attacks and you observe website response delays, traffic surges, or abnormal CPU or memory usage.
Note: The Protection - emergency mode is suitable for webpages or H5 pages, but not for API or native app services.
Apply To
In the Available Objects area, select the protected object that corresponds to the ECS instance. Click the icon to move it to the Selected area on the right.
Click OK.

Step 4: View attack protection data
After completing the configuration, go to the Overview page in the navigation pane on the left to view information such as Protection Overview and Top 10 Attacks for business security analytics.
You have completed this quick start. Choose one of the following options based on your needs:
Continue to use WAF (Recommended): Proceed to Next steps: Enhance protection and optimize costs.
Stop using WAF: Proceed to Clean up resources to stop billing.
Next steps: Enhance protection and optimize costs
To enhance security and optimize costs, you can further refine your WAF configuration.
Use multiple protection modules: Combine it with other modules to build layered defenses.
Custom rules: Uses flexible matching conditions and rule actions to implement precise protection against specific attack patterns. For example, you can configure rate-limiting rules.
Whitelist: Allows requests that meet specified criteria, such as those from trusted IP addresses.
IP blacklist: Blocks access from known malicious IP addresses.
Geo-blocking: Blocks requests from specific geographic regions. For example, if your business serves only users in China and you detect a large number of attacks from other countries, you can enable this feature.
Configure advanced onboarding options: WAF provides ways to onboard resources to suit different business needs.
Onboard an ECS instance in cloud native mode: Quickly enable WAF protection for cloud service instances. To configure TLS versions, cipher suites, or multiple certificates, see Enhance security protection (HTTPS). To configure a Layer 7 proxy such as CDN in front of WAF or configure traffic tagging, see Obtain real client information.
CNAME Record mode: Provides broader applicability, fewer limitations, and more supported features.
Optimize costs:
Traffic billing protection: To prevent high costs from QPS surges during large-scale attacks, you can set a traffic billing protection threshold to cap the peak QPS that WAF processes.
SeCU resource plan: SeCU resource plans are a cost-effective solution for pay-as-you-go WAF. To offset your total WAF fees, you can purchase a SeCU resource plan after activating a pay-as-you-go WAF instance.
Subscription WAF: If you plan to use WAF long-term, consider purchasing a subscription WAF instance for a lower unit price.
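The HTTP flood pattern described at the top of this guide (a surge in queries per second from a small set of clients) is the signal that a rate-limiting custom rule acts on. The following Python script is an added example, not part of this guide or of WAF: it computes each client's peak request count inside a sliding one-second window over constructed sample access-log lines and reports the clients above a threshold. The log format, the client addresses, the 3-second burst at 25 requests/s and the threshold of 20 requests/s are all assumptions made for the sample; peak_rate_per_client and flood_suspects are this example's own names.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)


def _millis(ts_text):
    """Parse an ISO-8601 timestamp to integer milliseconds (exact, so window arithmetic has no float drift)."""
    return (datetime.fromisoformat(ts_text) - EPOCH) // timedelta(milliseconds=1)


def peak_rate_per_client(lines, window_ms=1000):
    """Sliding-window peak: the most requests any single client made within window_ms.

    Each line is "client_ip timestamp method path status" (assumed format); lines must be in time order.
    """
    recent = defaultdict(deque)   # client -> timestamps (ms) still inside the current window
    peak = defaultdict(int)
    for line in lines:
        ip, ts_text = line.split()[:2]
        ts = _millis(ts_text)
        window = recent[ip]
        window.append(ts)
        while ts - window[0] >= window_ms:      # drop requests that fell out of the window
            window.popleft()
        peak[ip] = max(peak[ip], len(window))
    return dict(peak)


def flood_suspects(lines, threshold, window_ms=1000):
    """Clients whose peak request count per window exceeds threshold."""
    return {ip: n for ip, n in peak_rate_per_client(lines, window_ms).items() if n > threshold}


def build_sample_log():
    """Constructed sample, not a real server log: one ordinary client at 1 request/s for 10 s,
    plus one client sending 25 requests/s for 3 s starting at second 5 (an HTTP-flood-like burst)."""
    base = datetime(2024, 5, 1, 10, 0, 0)

    def line(ip, when, path):
        return f"{ip} {when.isoformat(timespec='milliseconds')} GET {path} 200"

    lines = [line("198.51.100.7", base + timedelta(seconds=s), "/login") for s in range(10)]
    for s in range(5, 8):
        lines += [line("203.0.113.5", base + timedelta(seconds=s, milliseconds=40 * k), "/search?q=x")
                  for k in range(25)]
    return sorted(lines, key=lambda l: l.split()[1])


if __name__ == "__main__":
    log = build_sample_log()
    print("peak requests per client per second:", peak_rate_per_client(log))
    print("above 20 requests/s:", flood_suspects(log, threshold=20))
```

On the sample the ordinary client never exceeds 1 request per second while the bursting client peaks at 25, so a threshold of 20 separates them cleanly; on real traffic the threshold has to be tuned against the normal per-client rate of the site, which is the same trade-off the Protection and Protection - emergency rule actions make between blocking coverage and false positives.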
Clean up resources to stop billing
If you no longer need the WAF instance you activated in this guide, follow these steps to terminate it and stop billing.
Billing: Pay-as-you-go WAF instances incur fees for the instance itself and for processed requests. Billing starts after you activate WAF, even if you have not onboarded any resources. If you no longer need WAF, terminate the instance promptly to avoid further charges.
CNAME Record mode: You can ignore this notice if you only used the Cloud Native mode as described in this guide. If you have configured domains using the CNAME Record mode, ensure that you have updated the DNS records for your domains to point back to the origin server before you terminate the WAF instance.
In the navigation pane on the left, go to the Overview page. In the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance.
If the following page is displayed, click Go to Console in the upper-right corner. Otherwise, skip this step.

In the area on the right, click Terminate WAF Service. In the dialog box that appears, select the relevant check boxes and click OK.
