Asset center
The asset center helps identify your domain names on and off Alibaba Cloud and evaluate the risk levels of your domain names based on current attack trends. This way, you can gain a comprehensive understanding of the overall security status of your business. You can enable protection for high-risk domain names to enhance the overall security of your business system.
| Category | Feature | Description | References |
|---|---|---|---|
| Asset center | Asset center | The asset center of Web Application Firewall (WAF) helps identify your domain names on and off Alibaba Cloud and evaluate the risk levels of your domain names based on current attack trends. This way, you can gain a comprehensive understanding of the overall security status of your business. | Asset center |
Access modes
To use WAF to protect your web services, you must add the web services to WAF. You can add your web services to WAF 3.0 in cloud native mode or CNAME record mode. You can select a mode based on the deployment model of your web services.
| Category | Feature | Description | References |
|---|---|---|---|
| Hybrid cloud mode | Reverse proxy | If you want to add a website to WAF in reverse proxy mode, you must add the domain name or the IP address of the website to WAF and modify the Domain Name System (DNS) record to point the domain name or IP address of the website to the address of the hybrid cloud cluster. A hybrid cloud cluster inspects all traffic to websites that are added to WAF. | Hybrid cloud mode |
| Hybrid cloud mode | SDK integration mode | In SDK integration mode, SDKs are deployed on a unified access gateway to allow WAF to detect service traffic by using traffic mirroring. This way, the hybrid cloud cluster does not forward traffic, and traffic forwarding is separated from traffic detection. | Hybrid cloud mode |
| Cloud native mode | WAF protection for an Application Load Balancer (ALB) instance | If an ALB instance is enabled for your web services, you can enable WAF protection for the ALB instance to filter web service traffic by using WAF. | Enable WAF protection for an ALB instance |
| Cloud native mode | WAF protection for a Classic Load Balancer (CLB) instance | If you configured a CLB instance that has HTTP, HTTPS, or Transmission Control Protocol (TCP) listeners on specific ports, you can add the ports to WAF to filter web service traffic by using WAF. | |
| Cloud native mode | WAF protection for an Elastic Compute Service (ECS) instance | If you created an ECS instance, you can add the ports of the instance to WAF to filter web service traffic by using WAF. | Add an ECS instance to WAF |
| Cloud native mode | WAF protection for a Microservices Engine (MSE) instance | If an MSE instance is enabled for your web services, you can enable WAF protection for the MSE instance to filter web service traffic by using WAF. | Enable WAF protection for an MSE instance |
| Cloud native mode | WAF protection for custom domain names bound to web applications in Function Compute | If you bound a custom domain name to a web application in Function Compute, you can enable WAF protection for the custom domain name to filter web service traffic by using WAF. | Enable WAF protection for a custom domain name bound to a web application in Function Compute |
| Cloud native mode | WAF protection for a Network Load Balancer (NLB) instance | If you created an NLB instance and added a TCP listener to the instance, you can add the port specified for the listener to WAF to redirect the web service traffic of the instance to WAF. | - |
| CNAME record mode | CNAME record mode | To use WAF to protect a website, you can add the domain name of the website to WAF in CNAME record mode. | CNAME record mode |
Protection configuration
After you add web services to WAF, you can configure protection rules for the web services. The protection configuration process varies based on the method that you use to add the web services to WAF.
| Category | Feature | Description | References |
|---|---|---|---|
| Protected object | Protected object | A protected object is the smallest unit for which WAF 3.0 protection rules can be configured. A protected object can be a cloud service instance or a domain name that is added to WAF 3.0. You can associate a protected object with a protection template to apply the template to the object. | Configure protected objects and protected object groups |
| Protected object | Protected object group | A protected object group is a group of protected objects. You can configure WAF 3.0 protection rules for a protected object group. The protection rules that you configure for the group take effect for all protected objects in the group. | Configure protected objects and protected object groups |
| Basic web protection | Basic rule engine protection | This detection module identifies known attack patterns based on predefined rules and defends against common web application attacks. | Configure protection rules and rule groups for the basic protection rule module |
| Basic web protection | Semantic engine protection | This detection module protects your web services in a highly intelligent manner by analyzing the content of requests to better understand their semantics and syntax. This helps identify unknown attacks and defend against SQL injection attacks. | Configure protection rules and rule groups for the basic protection rule module |
| Basic web protection | HTTP protocol compliance | Different programming languages parse HTTP differently and apply varying degrees of strictness to data formats, especially during file uploads. In most cases, WAF inspects incoming HTTP requests to prevent malicious attempts. However, if attackers discover parsing vulnerabilities that are specific to a language or framework, they can craft special data formats to evade WAF detection. HTTP protocol compliance ensures that the various data formats can be transmitted between a client and a server. | Configure protection rules and rule groups for the basic protection rule module |
| Basic web protection | Intelligent O&M | WAF performs intelligent learning based on historical service traffic and identifies basic protection rules that may cause false positives. WAF then automatically adds the URLs that are frequently blocked by mistake to a whitelist to help prevent normal requests from being blocked. | Configure protection rules and rule groups for the basic protection rule module |
| Basic web protection | Custom rule groups | WAF provides three default rule groups based on the strictness of protection: the Medium rule group, which is selected by default; the Loose rule group, which we recommend if you want to reduce false positives; and the Strict rule group, which we recommend if you want WAF to strictly block attacks. You can also configure custom rule groups based on your business requirements. | Configure protection rules and rule groups for the basic protection rule module |
| IP address blacklist | IP address blacklist | After you add your web services to WAF, you can configure IP address blacklist rules to block incoming requests from specific IP addresses or CIDR blocks. | Configure protection rules for the IP address blacklist module to block specific requests |
| Region blacklist | Region blacklist | If malicious requests are frequently initiated from specific regions, you can configure region blacklist rules to identify the geographic origins of requests and block incoming requests from those regions. | Configure protection rules for the region blacklist module to block requests from specific regions |
| Custom response | Custom response | After you add your web services to WAF, you can configure custom response rules to specify the response code, response headers, and response body that are returned to clients when requests are blocked by WAF. | Configure protection rules for the custom response module to configure custom block pages |
| Custom rule | Access control | You can use common request header fields, such as the client IP address and request URL, to specify match conditions. If requests meet the specified match conditions, WAF performs a specific action on the requests. For example, you can configure a custom rule to block requests that are sent to a specific Uniform Resource Identifier (URI). You can also configure a custom rule to have WAF verify requests that contain a specific User-Agent string. | Configure protection rules for the custom rule module |
| Custom rule | Rate limiting | You can specify request rate match conditions. If the request rate of a statistical object exceeds the upper limit, WAF performs a specific action on the requests that are sent from that statistical object. For example, if an IP address or a session frequently meets the match conditions in a short period of time, you can enable rate limiting to block requests that are sent from the IP address or session for a specific period of time. | Configure protection rules for the custom rule module |
| Custom rule | Slider CAPTCHA | WAF returns a slider CAPTCHA verification page to the client. If the client passes strict slider CAPTCHA verification, WAF allows the request that is sent from the client. Otherwise, WAF blocks the request. A client must pass strict slider CAPTCHA verification each time it sends a request. | Configure protection rules for the custom rule module |
| Web tamper proofing | Web tamper proofing | You can configure website tamper-proofing rules to lock web pages that you want to protect, such as pages that contain sensitive information. When a locked page receives a request, a cached version of the page is returned to prevent web page tampering. | Configure protection rules for the website tamper-proofing module to prevent web page tampering |
| Data leakage prevention | Data leakage prevention | You can configure data leakage prevention rules to filter abnormal content returned from the origin and mask sensitive information, such as ID card numbers, phone numbers, bank card numbers, and sensitive words. WAF then returns the masked information or a default response page. | Configure protection rules for the data leakage prevention module to prevent data leaks |
| HTTP flood protection | HTTP flood protection | You can configure HTTP flood protection rules to block HTTP flood attacks and return a 405 error page. | Configure protection rules for the HTTP flood protection module to defend against HTTP flood attacks |
| Scan protection | Scan protection | After you add your web services to WAF, you can configure scan protection rules to detect scanning behavior and the distinctive features of scanners. This way, you can prevent attackers or automated scanners from running large-scale scans against your website, which reduces the exposure of your web services to intrusions and decreases the volume of spam traffic produced by large-scale scans. | Configure protection rules for the scan protection module |
Scenario-specific protection
| Category | Feature | Description | References |
|---|---|---|---|
| API security | API asset discovery | The feature displays information about all detected open APIs, such as the API name, domain name, request method, number of calls in the most recent 30 days, sensitive data level, sensitive data type, service object, and business purpose. | API security |
| API security | API risk detection | The feature displays the details of detected at-risk APIs, such as the risk ID, risk type, source type, API name, domain name, business purpose, status, and number of associated security events. | API security |
| API security | API security events | The feature displays the details of detected API security events, such as the event ID, event type, source type, API name, domain name, business purpose, attack source, status, and associated risks. | API security |
| API security | API compliance check and tracing and auditing | If your business needs to provide data in regions outside the Chinese mainland, you must submit an outbound data transfer security assessment to the provincial-level cyberspace administration of the region where you are located and to the national cyberspace administration. You can use the compliance check and tracing and auditing features of the API security module to check and trace the data that you want to transfer to regions outside the Chinese mainland. The features are supported only in the Chinese mainland. | API security |
| Bot management | Bot management for app protection | You can configure anti-crawler rules for native iOS or Android apps to protect your services against crawlers. HTML5 apps are not native iOS or Android apps. | Enable and configure the bot management module |
| Bot management | Bot management for website protection | If you want to use WAF to mitigate the security threats that are caused by bot traffic on web pages, HTML5 pages, or HTML5 apps, we recommend that you create an anti-crawler rule template for websites. | Enable and configure the bot management module |
| Bot management | Risk identification | WAF has a built-in mobile phone number reputation library to help prevent threats, such as spam user registration and marketing fraud. WAF compares mobile phone numbers or the MD5 hash values of phone numbers with the values in the reputation library. If specific requests match suspicious behavior tags, WAF implements slider CAPTCHA verification, blocks the requests, records the requests, or adds tags to the requests. | Fraud detection |
| Major event protection | Major event protection | The major event protection feature provides custom and precise protection for major events in a specific time range. | Major event protection |
Security operations
| Category | Feature | Description | References |
|---|---|---|---|
| Security reports | Security reports | The security reports of WAF display the protection details of different protection modules, such as the basic protection rule, IP address blacklist, and custom rule modules. You can analyze the security of your business based on the security reports. | Security reports |
| Simple Log Service | Simple Log Service | WAF is integrated with Simple Log Service to provide the Simple Log Service for WAF feature. The feature collects and stores the access logs and protection logs of protected objects in WAF. The protected objects include domain names and cloud service instances. You can use the feature to query and analyze log data, configure charts and alert rules, and deliver log data to downstream services. The feature allows you to focus on log analysis. | Overview of log management |
| Alert settings | Alert settings | After you add your web services to WAF, you can configure alerts so that WAF notifies you of attack events or unusual traffic on your website. This way, you can thoroughly monitor the security status of your business. | Configure WAF alerting |
| Blocked request query | Blocked request query | After you add your web services to WAF, you can use the request ID on the Blocked Request Query page to query the details of blocked traffic. If a blocked request is determined to be legitimate, you can add it to the whitelist or adjust the relevant rules. | Query blocked requests |
| Multi-account management | Multi-account management | WAF can be integrated with the Resource Directory service of Resource Management as a trusted service. Multiple Alibaba Cloud accounts can be invited to join a resource directory as members. You can specify a member as the delegated administrator account. The delegated administrator account can access the cloud resources of all members in the resource directory. This way, you can manage resources in a centralized manner. | Use the multi-account management feature |
System management
| Category | Feature | Description | References |
|---|---|---|---|
| Bill management | Bill management | After you purchase a subscription or pay-as-you-go WAF 3.0 instance, you can view the resource usage and fees on the Bills page in the WAF console and view bills in the Expenses and Costs console. | View bills |
| Hybrid cloud management | Cluster management | You can deploy and manage hybrid cloud clusters and protection nodes on the Hybrid Cloud Cluster Management page. | Hybrid cloud mode |
Verification code
CAPTCHA 2.0 is a new-generation verification code product launched by Alibaba Cloud. CAPTCHA 2.0 is widely used in interactive modules, such as account registration, SMS sending, ticket reservations, information inquiries, free downloads, forum posting, and online voting. CAPTCHA 2.0 uses straightforward, secure, and versatile interactive logic to provide a verification service that effectively distinguishes automated machine scripts from human users. This helps mitigate and prevent the misuse of network resources by computer programs that pretend to be human users, which strengthens the defenses of websites against malicious software access while preserving an authentic user experience.
| Category | Feature | Description | References |
|---|---|---|---|
| CAPTCHA | CAPTCHA | The feature supports multiple verification methods, including slider, invisible, puzzle, and spatial reasoning challenges. These methods assess user interactions and semantic logic to distinguish between human and automated machine actions, which helps prevent the misuse of network resources by computer-generated scripts that imitate human behavior. | What is CAPTCHA 2.0? |
| Custom policies | Custom policies | You can configure custom policies for specific verification scenarios. For example, you can specify the rate limiting threshold, the policy mode, and whether to block simulated devices. | Configure a custom policy |
| Automatic disaster recovery architecture | Automatic disaster recovery architecture | If the server becomes unavailable, the monitoring system automatically detects the issue and bypasses the CAPTCHA verification process to ensure business continuity and maintain a 99.99% availability rate. | What is CAPTCHA 2.0? |
Self-service upgrade to WAF 3.0
A WAF 2.0 instance can be upgraded to a WAF 3.0 instance in the WAF 2.0 console.
| Category | Feature | Description | References |
|---|---|---|---|
| Self-service upgrade to WAF 3.0 | Self-service upgrade to WAF 3.0 | A WAF 2.0 instance can be upgraded to a WAF 3.0 instance in the WAF 2.0 console. | Upgrade a WAF 2.0 instance to WAF 3.0 |