After you add your web services to Web Application Firewall (WAF), you can configure protection rules for the HTTP flood protection module to block HTTP flood attacks that target websites and return 405 error pages to clients. This topic describes how to create an HTTP flood protection rule.
Prerequisites
A WAF 3.0 instance is purchased. For more information, see Activate a pay-as-you-go WAF 3.0 instance.
Web services are added to WAF 3.0 as protected objects. For more information, see Configure protected objects and protected object groups.
Template types
The HTTP flood protection module provides the following two types of protection templates.
Protection template | Description | Apply to |
Default protection template | The initial default protection template provided by WAF. The protection template is enabled by default. Note The initial default protection template that is enabled by default is available only for subscription WAF instances that run the Pro, Enterprise, or Ultimate edition. | When you create a default protection template, the template applies to protected objects or groups that are not associated with custom protection templates by default. Protected objects that are added later are also automatically added to the default protection template. You can manually adjust the settings. |
Custom protection template | A protection template that is customized based on your business requirements. You must manually create a custom protection template. Custom protection templates are suitable for scenarios in which a single initial default protection template cannot meet your business requirements. | You must specify Apply To. The template applies only to the protected objects and object groups that are associated with the protection template. |
Create an HTTP flood protection template
WAF provides an initial default protection template that is enabled by default. To enable custom protection rules, you must create a protection template and configure protection rules for the template.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
In the HTTP Flood Protection section, click Create Template.
In the Create Template - HTTP Flood Protection panel, configure the parameters and click OK.
Parameter
Description
Template Name
Specify a name for the template.
The name of the template must be 1 to 255 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-).
Save as Default Template
You do not need to specify protected objects for the default protection template. The default protection template applies to all protected objects and object groups that are not associated with custom protection templates. This includes protected objects and object groups that are added later or removed from custom protection templates. You can also manually remove them from the default template. You can set only one default template for a protection module, and you can set a default template only when you create a template.
Action
Select the action that you want WAF to perform on the requests that match the rule. Valid values:
Protection: blocks only suspicious requests. In this mode, the false positive rate is low. We recommend that you apply this mode when no abnormal traffic is detected on the website. This helps avoid false positives.
Protection-emergency: blocks HTTP flood attacks. In this mode, the false positive rate may be high. If HTTP flood attacks fail to be blocked in Protection mode, the website responds slowly, and monitoring metrics such as traffic, CPU, and memory are abnormal, you can select this mode.
NoteThe Protection-emergency mode is suitable for web pages and HTML5 pages. We recommend that you do not select this mode for APIs or native apps. If you select this mode for APIs or native apps, many false positives may occur. We recommend that you create custom rules for APIs or native apps. For more information, see Configure protection rules for the custom rule module.
Apply To
Select items to which you want to apply the template on the Protected Objects and Protected Object Groups tabs. For more information, see Configure protected objects and protected object groups.
A protected object or object group can be associated with only one HTTP flood protection template. If you set a default protection template, all protected objects and object groups that are not associated with custom protection templates are selected by default. If you do not set a default template, no protected objects or object groups are selected by default. You can manually modify the protected objects to which the template applies.
By default, a newly created protection template is enabled. You can perform the following operations on the template in the template list:
View the numbers of protected objects and protected object groups that are associated with the template in the Protected Object/Group column.
Turn on or turn off the switch in the Status column to enable or disable the template.
Click Create Rule in the Actions column to create a protection rule for the template.
Click Edit, Delete, or Copy in the Actions column to manage the template.
Click the
icon to the left of the template name to view the protection rules in the template.
What to do next
On the HTTP Flood Protection tab of the Security Reports page, you can view the protection details of the configured protection rules. For more information, see IP address blacklist, custom rule, scan protection, HTTP flood protection, and region blacklist modules.
References
Protection configuration overview: describes the protection objects, protection modules, and protection process.
How do I disable HTTP flood protection for a domain name?: describes the following methods that you can use to disable HTTP flood protection for a domain name: configuring whitelist rules and configuring HTTP flood protection rules.
CreateDefenseTemplate: You can call this operation to create a protection template.
CreateDefenseRule: You can call this operation to create an HTTP flood protection rule by setting the DefenseScene parameter to cc and configuring the rule content.