All Products
Search

This Product

    Web Application Firewall:Major event protection

    Document Center

    Web Application Firewall:Major event protection

    Last Updated:Sep 13, 2023

    The major event protection feature provides custom and precise protection for major events in a specific time range. This topic describes how to enable and use the major event protection feature.

    Billing overview

    Item

    Description

    Billing method

    Before you can use the major event protection feature, you must purchase the feature. The fees vary based on the validity period of the feature. The validity period must be greater than or equal to 30 days.

    Validity period

    The major event protection feature takes effect immediately after you enable the feature. The Subscription Period parameter specifies the validity period of the major event protection feature.

    After the validity period ends, the major event protection feature stops protecting your services.

    Renewal policy

    The major event protection feature does not support automatic renewal. If you want to continue using the major event protection feature, re-enable the feature after the validity period ends.

    Refund policy

    After you enable the major event protection feature, you cannot disable the feature during the validity period or apply for a refund. We recommend that you enable the feature based on your business requirements.

    Prerequisites

    • A Web Application Firewall (WAF) 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.

      The operations that you can perform to enable the major event protection feature vary based on the edition of the WAF instance.

      Edition

      Whether major event protection is enabled by default

      Description

      Subscription Ultimate Edition

      Yes

      By default, the major event protection feature is enabled.

      Subscription Pro Edition, Subscription Enterprise Edition, and Pay-as-you-go Edition

      No. You can enable the major event protection feature for a specific period of time.

      Subscription Basic Edition

      No. You cannot enable the major event protection feature.

    • Web services are added to WAF in CNAME record mode or cloud native mode. For more information, see Website configuration overview.

      Note

      You cannot enable this feature for the following resources that are added to WAF in cloud native mode: Application Load Balancer (ALB) instances, Microservices Engine (MSE) instances, or custom domain names in Function Compute.

    Enable the major event protection feature

    1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland.

    2. In the left-side navigation pane, choose Protection Configuration > Scenario-specific Protection > Protection for Major Events.

    3. Click Enable Protection for Major Events. On the page that appears, enable the major event protection feature and configure the Subscription Period parameter.

    4. Read and select Terms of Service, click Buy Now, and then complete the payment.

      After you enable the major event protection feature, you can view the number of protection rules for major events, number of threat intelligence rules, number of IP addresses in the blacklist, and total number of IP addresses in the Protection Plan for Major Events section of the Protection for Major Events page.

    Create a major event protection rule template

    Before you use the major event protection feature, you must create a major event protection rule template. You can create up to 20 major event protection rule templates.

    1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland.

    2. In the left-side navigation pane, choose Protection Configuration > Scenario-specific Protection > Protection for Major Events.

    3. On the Protection Templates tab, click Create Template.

    4. In the Create Protection Template for Major Events panel, configure the parameters. The following table describes the parameters.

      1. Configure the basic information and click Next.

        Parameter

        Description

        Template Name

        Enter a name for the template.

        The name of the template must be 1 to 255 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-).

        Protection Features

        Configure protection rules for the protected objects and configure protection actions.

        • Threat Intelligence for Protection for Major Events: This feature can accurately identify attackers based on the Alibaba Cloud libraries of malicious IP addresses. By default, the feature is enabled and the protection action is set to Monitor.

        • Protection Rule Group for Major Events: This feature provides precise protection rules for each user based on the intelligent protection model. By default, the feature is enabled and the protection action is set to Monitor.

        • IP Address Blacklist for Protection for Major Events: This feature supports 50,000 custom IP addresses or CIDR blocks in the blacklist.

        • Shiro Deserialization Vulnerability Prevention: This feature defends against Apache Shiro Java deserialization vulnerabilities by using cookie encryption technologies.

        Apply To

        Select the protected objects and protected object groups to which you want to apply the template.

      2. If you enable the IP address blacklist for major event protection feature in the Basic Information step, you must configure the parameters in the Configure IP Address Blacklist step. Then, click Next. The following table describes the parameters.

        Parameter

        Operation

        Add IP Address Blacklist

        To add IP addresses to the blacklist, click Add IP Address Blacklist.

        1. In the IP Address Blacklist field, enter the IP addresses that you want to add to the blacklist and press the Enter key.

          Note

          CIDR blocks and IPv6 addresses are supported. You can specify up to 500 CIDR blocks or IPv6 addresses. Separate the CIDR blocks or IPv6 addresses with line feeds or commas (,).

        2. Configure the End At parameter to specify the date and time when you want the configuration to become invalid. Valid values:

          • Permanently Effective.

          • Custom. Click the date and time picker to specify the date and time.

        3. In the Remarks field, enter a description and click OK.

          After you add IP addresses to the blacklist, you can view the IP addresses that you added in the Configure IP Address Blacklist step.

        Import IP Address Blacklist

        Click Import IP Address Blacklist to import a blacklist that contains multiple IP addresses.

        1. Click Upload File and select the IP address blacklist file that you want to import.

          Important

          • CSV files are supported.

          • IPv4 addresses, IPv6 addresses, and CIDR blocks are supported.

          • You can import only one file each time. Each file can contain up to 2,000 IP addresses or CIDR blocks. The size of the file cannot exceed 1 MB.

          • You can import a large number of IP addresses in batches.

        2. Configure the End At parameter to specify the date and time when you want the configuration to become invalid. Valid values:

          • Permanently Effective.

          • Custom. Click the date and time picker to specify the date and time.

        3. In the Remarks field, enter a description and click OK.

          After you add IP addresses to the blacklist, you can view the IP addresses that you added in the Configure IP Address Blacklist step.

        Delete All IP Addresses

        If you no longer need to block the IP addresses that you added to the blacklist, you can click Delete All IP Addresses to remove all IP addresses from the blacklist.

        Delete Expired IP Addresses

        If the validity period of the IP addresses ends, you can click Delete Expired IP Addresses to remove all expired IP addresses from the blacklist.

    5. Click Complete.

      By default, a new major event protection rule template is enabled. You can perform the following operations in the major event protection rule template list:

      • View the number of protection rules and the number of protected objects and protected object groups that are associated with a template.

      • Turn on or turn off the switch in the Status column to enable or disable a template.

      • In the Actions column, click Edit, Delete, or Copy to modify, delete, or copy a template.

      • If you enabled the IP address blacklist for major event protection feature, click Edit IP Address Blacklist to modify the IP address blacklist.

    View the statistics on major event protection

    1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland.

    2. In the left-side navigation pane, choose Protection Configuration > Scenario-specific Protection > Protection for Major Events.

    3. On the Security Reports tab, you can view the following information:

      重保场景防护

      • In the Statistics section, you can view the total number of requests and the number of blocked requests. You can also view a pie chart that displays the protection rules and related data in a specific time range.

      • In the Protection Plan for Major Events section, you can view the number of rules for major event protection, number of threat intelligence rules, number of IP addresses in the blacklist, and maximum number of IP addresses that can be added to the blacklist in a specific time range.

      • On the Security Reports tab, you can specify the protected object and the time range in which you want to query the security report data.

        • Protected object: By default, All is selected and the security report data of all protected objects in WAF is obtained. You can select a protected object.

        • Time range: By default, Today is selected and the security report data of the current day is obtained. You can select Yesterday, Today, 7 Days, 30 Days, or a point in time in the previous 30 days to view data in the corresponding time range.

        The following table describes the security report data.

        Parameter

        Description

        Supported operation

        Attack statistics (labeled 1 in the preceding figure)

        Displays the statistical analysis results of attacks that are received by protected objects in a specific time range.

        • Distribution of Attack Types:

          Displays the breakdown of attacks by type in a pie chart.

        • Top 5 Attacks

          Displays the top 5 protected objects that are most frequently attacked on the Attacked Object tab and the top 5 IP addresses from which attacks are most frequently launched on the Attacker IP Address tab. The protected objects or IP addresses are arranged based on the number of attacks in descending order.

        None

        Attack event records (labeled 2 in the preceding figure)

        Displays information about the attacks that match the basic protection rules in a list.

        The list includes the following information:

        • Attacker IP Address: the IP address from which the attack was launched.

        • Area: the area of the IP address from which the attack was launched.

        • Attack Time: the start time of the attack.

        • Attack Type: the type of attack, such as SQL injection and code execution.

        • Rule Type: the type of the rule, such as rule groups for major event protection and threat intelligence for major event protection.

        • Action: the action that WAF performs on the request. The action can be Block or Monitor. The Block action blocks the request. The Monitor action records the request but does not block the request.

        • Filter attack events

          In the upper part of the attack event list, you can use the following fields to filter attack events:

          • Attack type: Valid values: All, SQL Injection, XSS Attack, Code Execution, Local File Inclusion, Remote File Inclusion, Webshell, and Others. Default value: All.

          • Rule type: Valid values: All, Protection Rule Group for Major Events, Threat Intelligence for Protection for Major Events, IP Address Blacklist for Protection for Major Events, and Shiro Deserialization Vulnerability Prevention. Default value: All.

          • Rule action: Valid values: All, Block and Monitor. Default value: All.

        • View attack event details

          Find the attack event whose details you want to view and click View Details in the Actions column. Then, you can view the details of the attack event, such as the attack type and the ID, name, description, and action of the protection rule that is matched by the attack.

        Real-time threat intelligence (labeled 3 in the preceding figure)

        Displays the following threat intelligence of an attacker IP address:

        • The IP address of the attacker and the corresponding attributes.

        • The area of the IP address of the attacker.

        • The number of attacks that occurred in the previous hour.

        • The type of the attack.

        Query the real-time threat intelligence of an attacker IP address:

        Enter the IP address that you want to query and click image to query the real-time threat intelligence of the IP address.