Major event protection provides precise and customized defense modes during specific time periods of major events. This topic describes how to enable and use the major event protection mode.
Billing
Product and service prices may change. For the final price, refer to your Alibaba Cloud bill.
Feature | Description |
Billing method | Major event protection uses a subscription billing method, with a minimum purchase period of 30 days. A prepaid bill is generated based on the selected duration at the time of activation. |
Validity period | Major event protection takes effect immediately after purchase, and the validity period is the Subscription Duration selected at the time of activation. After expiration, the major event protection feature will automatically stop protecting. |
Renewal | Major event protection does not currently support direct renewal. If you want to continue using the major event protection feature, you can activate it again after expiration. |
Refund policy | After successfully purchasing major event protection, no form of unsubscription (including five-day no-reason unsubscription, non-five-day no-reason unsubscription) or refund is supported. Before purchasing, please evaluate whether to purchase based on your business needs. |
Prerequisites
The WAF 3.0 service is activated. For more information, see Activate a WAF 3.0 subscription instance and Activate a WAF 3.0 pay-as-you-go instance.
Different instance versions correspond to different methods for enabling major event protection.
Version of activated instance | Whether major event protection is enabled by default | Description |
Subscription Ultimate | Yes | No need to separately enable major event protection, you can use this feature directly. |
Subscription Pro and Enterprise, Pay-as-you-go | No, can be enabled through temporary upgrade | Upgrade the instance version to Ultimate. For more information, see Upgradation. Enable major event protection through temporary upgrade. For more information, see Enable major event protection. |
Subscription Basic Edition | No, and currently does not support enabling major event protection | Upgrade the instance version to Ultimate. For more information, see Upgradation. After upgrading the instance version to Pro or Enterprise, enable major event protection through temporary upgrade. For more information, see Enable major event protection. |
Your web services have been added to WAF through CNAME access or cloud native mode (CLB(HTTP/HTTPS), CLB(TCP), ECS). For more information, see Provisioning overview.
Note: If you add Application Load Balancer (ALB) instances, Microservices Engine (MSE) instances, or Function Compute-related domain names to WAF as protected objects, the feature is not supported.
Enable major event protection
WAF instance is subscription
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
Click Enable Major Event Protection. In the Enable Major Event Protection panel, turn on Major Event Scenario and set Revert Time.
Carefully read and select Service Agreement, then click Purchase Now and complete the payment.
After enabling major event protection, you can view the specification details of major event protection in the major event protection package card area on the Major Event Protection page.
WAF instance is pay-as-you-go
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
Click Enable Major Event Protection. In the Enable Major Event Protection panel, select Subscription Duration.
Carefully read and select Service Agreement, then click Purchase Now and complete the payment.
After enabling major event protection, you can view the specification details of major event protection in the major event protection package card area on the Major Event Protection page.
Create a new major event protection template
When configuring major event protection for the first time, you must create a new major event protection template. A maximum of 20 protection templates are supported.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
On the Protection Template tab, click Create Template.
In the Create Major Event Protection Template panel, complete the following configurations.
Configure basic information. After completion, click Next.
Configuration item
Description
Template Name
Set a name for this template.
The name of the template must be 1 to 255 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-).
Protection Rules
Configure the protection rules to be applied and their actions.
Major Event Threat Intelligence: Attack and defense malicious IP intelligence, precisely identifying attackers. Enabled by default, with protection action set to Observation.
Major Event Protection Rule Group: Based on intelligent protection models, generates precise protection rule collections for each user. Enabled by default, with protection action set to Observation.
Major Event IP Blacklist: When enabled, WAF will observe or block requests from specific IP addresses or address ranges, supporting up to 50,000 custom IP or IP range blacklist entries.
Shiro Deserialization Vulnerability Prevention: When enabled, WAF will protect against Apache Shiro Java deserialization vulnerabilities based on cookie encryption technology.
Effective Objects
Select items to which you want to apply the template on the Protected Objects and Protected Object Groups tabs. For more information, see Configure protected objects and protected object groups.
If you enabled the Major Event IP Blacklist protection rule when configuring basic information, you need to configure the IP blacklist using the following methods. After completion, click Next.
Configuration item
Operation
Add IP Blacklist
Click Add IP Blacklist to manually add IP blacklist entries.
In the IP Blacklist text box, enter the IP to be blacklisted, then press Enter to save.
Note: IP blacklist entries should be in IPv6 or CIDR mask format address ranges, with multiple addresses separated by Enter or commas, with a maximum of 500 configurations.
Set the effective end time. Options:
Permanently Effective.
Custom. Click the time selector to specify the exact effective end time.
In the Remarks text box, enter remarks information and click OK.
After successfully adding the blacklist, you can view the added IP blacklist in the IP Blacklist Configuration panel.
Import IP Blacklist
Click Import IP Blacklist to batch import IP blacklist entries.
Click Upload File to select the IP blacklist file to import.
Important: Supports uploading CSV format files.
Supports importing IPv4 and IPv6 format addresses and address ranges.
Each rule can import one file, each file supports up to 2000 IP/IP ranges, one IP range occupies 1 count unit, and the file size for a single import cannot exceed 1 MB.
For large batch IP imports, you can import in multiple batches.
Set the effective end time. Options:
Permanently Effective.
Custom. Click the time selector to specify the exact effective end time.
In the Remarks text box, enter remarks information and click OK.
After successfully adding the blacklist, you can view the added IP blacklist in the IP Blacklist Configuration panel.
Clear All IPs
If requests from already added IPs no longer need to be blocked, you can click Clear All IPs to delete all IPs.
Clear Expired IPs
If the effective end time of already added IPs has expired, you can click Clear Expired IPs to clear all expired IPs.
Click Complete.
The newly created rule template is enabled by default. You can perform the following operations in the rule template list:
View the number of Protection Rules included in the protection template and the number of associated Protected Objects/groups.
Enable or Disable the template using the template switch.
Edit, Delete, or Copy the rule template.
If the current protection template has enabled the Major Event IP Blacklist rule, you can click Edit IP Blacklist to add or modify the IP blacklist.
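The import limits above (2,000 entries and 1 MB per file, 50,000 entries in total) can be enforced before upload. The following is an added example, not part of the original documentation: it validates and de-duplicates a block list and splits it into import-sized batches. The function names are hypothetical, and the one-entry-per-line CSV layout with no header row is an assumption, since this page does not specify the column layout.

```python
import ipaddress

MAX_ENTRIES_PER_FILE = 2000     # per-file entry limit stated on this page
MAX_FILE_BYTES = 1024 * 1024    # 1 MB per import, stated on this page
MAX_TOTAL_ENTRIES = 50_000      # blacklist capacity stated on this page

# Constructed sample input (documentation address ranges only).
SAMPLE = ["203.0.113.7", "203.0.113.7 ", "198.51.100.0/24", "2001:db8::/32",
          "198.51.100.5/24", "not-an-ip", "2001:db8::1/128"]


def normalize(entries):
    """Return (valid, rejected): canonical de-duplicated entries, bad input."""
    valid, rejected, seen = [], [], set()
    for raw in entries:
        text = raw.strip()
        if not text:
            continue
        try:
            # strict=True rejects host bits in a range (10.0.0.5/24), a likely typo.
            net = ipaddress.ip_network(text, strict=True)
        except ValueError:
            rejected.append(text)
            continue
        # Single hosts become plain addresses; ranges stay in CIDR form.
        canon = str(net.network_address) if net.num_addresses == 1 else str(net)
        if canon not in seen:
            seen.add(canon)
            valid.append(canon)
    return valid, rejected


def split_batches(valid):
    """Split entries into file bodies (assumed: one entry per line, no header)."""
    if len(valid) > MAX_TOTAL_ENTRIES:
        raise ValueError("list exceeds the 50,000-entry blacklist capacity")
    batches, current, size = [], [], 0
    for entry in valid:
        line_bytes = len(entry) + 1  # entry plus newline
        if len(current) == MAX_ENTRIES_PER_FILE or size + line_bytes > MAX_FILE_BYTES:
            batches.append("\n".join(current) + "\n")
            current, size = [], 0
        current.append(entry)
        size += line_bytes
    if current:
        batches.append("\n".join(current) + "\n")
    return batches


if __name__ == "__main__":
    ok, bad = normalize(SAMPLE)
    print(len(split_batches(ok)), "file(s); rejected:", bad)
```

Review the rejected entries by hand rather than discarding them: a range written with host bits set often means the intended block target was mistyped.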
View major event protection data
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
You can view the following information.

In the Protection Data card area, view the Total Requests, Total Blocks within the statistical end time, and protection types and their data displayed in a pie chart.
In the Major Event Protection Package card area, view information such as Major Event Rule Count, Threat Intelligence Rule Count, IP Blacklist Used Specification/Total Specification within the statistical end time.
On the Security Report tab, set the protected object and time range to query to view the corresponding security report data.
Protected object: All Objects is selected by default, indicating that data for all objects protected by WAF will be queried. You can choose to query data for a specific object only.
Time range: Data for Today is displayed by default. You can choose to query data for Yesterday, Today, 7 Days, 30 Days, or any time within the last 30 days.
The security report data is described in the following table.
Data type
Description
Supported operations
Attack Statistical Analysis (Figure ①)
Displays the statistical analysis results of attack requests received by the protected object within the specified time range, including the following:
Attack Type Distribution:
Displays the distribution of attack types through a pie chart.
TOP5 Attack Situation:
On the Attack Object tab and Attack Source IP tab, displays the top 5 attack objects and attack source IPs with the most attack request counts through lists. Sorted by attack count from highest to lowest.
None
Attack Event Records (Figure ②)
Displays information about attack requests that triggered Web core protection rules through a list.
The list includes the following information:
Attack IP: The IP address that initiated the attack request.
Region: The region to which the attack IP belongs.
Attack Time: The start time of the attack.
Attack Type: The type of attack, such as SQL injection, code execution, etc.
Rule Type: The type to which the rule belongs, such as major event protection rule group, major event threat intelligence, etc.
Rule Action: Divided into Block (indicating WAF blocked the request) and Observation (indicating WAF only observed and recorded the request as an attack request without blocking it).
Filter attack events
You can use the following fields (sorted from left to right) above the attack event table to filter attack events:
Attack type: All is selected by default. Other options: SQL Injection, Cross-site Scripting, Code Execution, Local File Inclusion, Remote File Inclusion, Webshell, Others.
Rule type: All is selected by default. Other options: Major Event Protection Rule Group, Major Event Threat Intelligence, Major Event IP Blacklist, Shiro Deserialization Vulnerability Prevention.
Rule action: All is selected by default. Other options: Block, Observation.
View attack details
In the Operation column of the attack event, click View Details for the target event to view attack details and obtain more information about the attack event and protection rule, such as Rule ID, Rule Name, Rule Description, Rule Action, Attack Type, etc.
Real-time Threat Intelligence (Figure ③)
Displays real-time threat intelligence information for attack IPs, including the following:
Attack IP and its attributes.
Region to which the attack IP belongs.
Attack count in the last hour.
Attack type.
Query real-time threat intelligence for attack IP
Enter the IP you want to query in the search box, click
, to query the threat intelligence attributes corresponding to the IP.