Object Storage Service: How to prevent malicious traffic generation on OSS

Last Updated: Feb 27, 2026

Malicious access to your Object Storage Service (OSS) buckets can cause sudden spikes in bandwidth or traffic. This results in unnecessary outbound traffic fees. In severe cases, your buckets may be moved to a sandbox, making the service unavailable. This topic describes how to prevent malicious traffic generation on OSS.

You can use one of the following two methods to prevent malicious traffic generation on OSS.

Method 1: Set the bucket ACL to private

If a bucket has public-read permission and its URL is exposed on the internet, anyone can access its OSS resources. Private permission is more secure. Set the bucket's Access Control List (ACL) to private. For more information, see Bucket ACL.

Method 2: Use WAF for protection

Note

To configure mitigation policies based on custom rules, ensure that your WAF edition supports the target protection type. The Frequency Control protection type is supported only by the subscription Enterprise and Ultimate editions and the pay-as-you-go edition.

  1. Purchase a Web Application Firewall (WAF) 3.0 instance. For more information, see Purchase a WAF 3.0 instance.

  2. Add your domain to WAF 3.0 using a CNAME record.

    1. Bind a custom domain name to the target bucket in the OSS console.

      When you bind the custom domain name, do not resolve the CNAME record to the bucket domain name. For more information, see Access OSS using a custom domain name.

    2. Complete the following steps in the WAF console.

      1. Add a domain name.

        Set the custom domain name as the domain to protect and the bucket domain name as the origin server domain name. For more information, see Add a domain name.

      2. Copy the CNAME address for the domain.

        1. In the navigation pane on the left, choose Provisioning > CNAME Access.

        2. In the Domain/CNAME list, find the domain that you added, and then copy its WAF CNAME address.

    3. In the Alibaba Cloud DNS console, add a CNAME record for the custom domain name that points to the CNAME address provided by WAF.

      For more information, see Change a DNS record.

  3. Configure mitigation policies.

    After you add the domain name to WAF, WAF automatically adds it as a protected object and enables basic protection rules. By default, the medium rule group is enabled and the mode is set to Block. For more information, see Configure mitigation policies.
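
The following check is an added example, not part of the original topic or of any Alibaba Cloud tool. It verifies the DNS outcome of step 2: the custom domain's CNAME must point to the WAF CNAME address and must never resolve to the bucket domain name, because such a record sends requests past WAF. The domain names, the WAF CNAME placeholder, and the record set are constructed; in practice, fill `records` from your DNS zone export or from CNAME lookups.

```python
# Added example. All names and records below are constructed sample data.
WAF_CNAME = "placeholder-waf-cname.example.net"  # placeholder for the value copied from the WAF console
BUCKET_DOMAIN = "examplebucket.oss-cn-hangzhou.aliyuncs.com"  # constructed bucket domain name

RECORDS = {  # CNAME owner -> target
    "static.example.com": "placeholder-waf-cname.example.net.",
    "old.example.com": "examplebucket.oss-cn-hangzhou.aliyuncs.com",
    "files.example.com": "alias.example.com",
    "alias.example.com": "ExampleBucket.oss-cn-hangzhou.aliyuncs.com.",
}

def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def cname_chain(name, records, max_hops=8):
    """Follow CNAME records starting at `name`; stop on a loop or after max_hops."""
    table = {normalize(k): normalize(v) for k, v in records.items()}
    current = normalize(name)
    chain, seen = [], {current}
    while current in table and len(chain) < max_hops:
        current = table[current]
        chain.append(current)
        if current in seen:  # CNAME loop, stop following
            break
        seen.add(current)
    return chain

def classify(custom_domain, waf_cname, bucket_domain, records):
    """Return 'protected', 'bypasses-waf', 'unknown-target' or 'no-cname'."""
    chain = cname_chain(custom_domain, records)
    if not chain:
        return "no-cname"
    if normalize(bucket_domain) in chain:
        # The name resolves to the bucket domain, so requests never pass through WAF.
        return "bypasses-waf"
    if chain[0] == normalize(waf_cname):
        return "protected"
    return "unknown-target"

if __name__ == "__main__":
    for domain in ("static.example.com", "old.example.com", "files.example.com"):
        print(domain, classify(domain, WAF_CNAME, BUCKET_DOMAIN, RECORDS))
```

A `bypasses-waf` result for any name that clients use means the mitigation policies in step 3 are not applied to that traffic.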