
Web Application Firewall: Major event protection

Last Updated: Jun 24, 2024

The major event protection feature provides custom and precise protection for major events in a specific time range. This topic describes how to enable and use the major event protection feature.

Billing overview

Important

The prices for products and services may change. Refer to your Alibaba Cloud bill for the final amounts.

  • Billing method: Before you can use the major event protection feature, you must purchase the feature. The fees vary based on the validity period of the feature. The validity period must be greater than or equal to 30 days.

  • Validity period: The major event protection feature takes effect immediately after you purchase the feature. The Subscription Period parameter specifies the validity period of the major event protection feature. After the validity period ends, the major event protection feature stops protecting your services.

  • Renewal policy: The major event protection feature does not support automatic renewal. If you want to continue using the major event protection feature, re-enable the feature after the validity period ends.

  • Refund policy: After you enable the major event protection feature, you cannot disable the feature during the validity period or apply for a refund. We recommend that you enable the feature based on your business requirements.

Prerequisites

  • A Web Application Firewall (WAF) 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.

    The operations that you can perform to enable the major event protection feature vary based on the edition of the WAF instance. Whether the feature is enabled by default depends on the edition:

    • Subscription Ultimate Edition: Enabled by default.

    • Subscription Pro Edition, Subscription Enterprise Edition, and Pay-as-you-go Edition: Not enabled by default. You can enable the major event protection feature by temporarily upgrading the edition of the WAF instance.

    • Subscription Basic Edition: Not enabled by default, and you cannot enable the major event protection feature.

  • Web services are added to WAF in CNAME record mode or cloud native mode. If web services are added to WAF in cloud native mode, the web services must be deployed on Layer 4 Classic Load Balancer (CLB), Layer 7 CLB, or Elastic Compute Service (ECS) instances. For more information, see Website configuration overview.

    Note

    You cannot enable this feature for the following resources that are added to WAF in cloud native mode: Application Load Balancer (ALB) instances, Microservices Engine (MSE) instances, or custom domain names bound to web applications in Function Compute.

Enable the major event protection feature

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.

  2. In the left-side navigation pane, choose Protection Configuration > Scenario-specific Protection > Protection for Major Events.

  3. Click Enable Protection for Major Events. On the page that appears, enable the major event protection feature and configure the Subscription Period parameter.

  4. Read and select Terms of Service, click Buy Now, and then complete the payment.

    After you enable the major event protection feature, you can view the number of protection rules for major events, number of threat intelligence rules, number of IP addresses in the blacklist, and total number of IP addresses in the Protection Plan for Major Events section of the Protection for Major Events page.

Create a major event protection rule template

Before you use the major event protection feature, you must create a major event protection rule template. You can create up to 20 major event protection rule templates.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.

  2. In the left-side navigation pane, choose Protection Configuration > Scenario-specific Protection > Protection for Major Events.

  3. On the Protection Templates tab, click Create Template.

  4. In the Create Protection Template for Major Events panel, configure the parameters. The parameters are described below.

    1. Configure the basic information and click Next.

      • Template Name: Specify a name for the template. The name of the template must be 1 to 255 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-).

      • Protection Features: Configure protection rules and protection actions.

        • Threat Intelligence for Protection for Major Events: This feature can accurately identify attackers based on the Alibaba Cloud libraries of malicious IP addresses. By default, the feature is enabled and the protection action is set to Monitor.

        • Protection Rule Group for Major Events: This feature provides precise protection rules for each user based on the intelligent protection model. By default, the feature is enabled and the protection action is set to Monitor.

        • IP Address Blacklist for Protection for Major Events: This feature supports 50,000 custom IP addresses or CIDR blocks in the blacklist.

        • Shiro Deserialization Vulnerability Prevention: This feature defends against Apache Shiro Java deserialization vulnerabilities by using cookie encryption technologies.

      • Apply To: Select the protected objects and protected object groups to which you want to apply the template.

    2. If you enable the IP address blacklist for major event protection feature in the Basic Information step, you must configure the parameters in the Configure IP Address Blacklist step. Then, click Next. The available operations are described below.

      Add IP Address Blacklist

      Click Add IP Address Blacklist to add IP addresses to the blacklist.

      1. In the IP Address Blacklist field, enter the IP addresses that you want to add to the blacklist and press the Enter key.

        Note

        CIDR blocks and IPv6 addresses are supported. You can specify up to 500 CIDR blocks or IPv6 addresses. Separate multiple CIDR blocks or IPv6 addresses with line feeds or commas (,).

      2. Configure the End At parameter to specify the date and time when you want the configuration to become invalid. Valid values:

        • Permanently Effective.

        • Custom. Click the date and time picker to specify a date and time.

      3. In the Remarks field, enter a description and click OK.

        After you add IP addresses to the blacklist, you can view the IP addresses that you added in the Configure IP Address Blacklist step.

      Import IP Address Blacklist

      Click Import IP Address Blacklist to import a blacklist that contains multiple IP addresses.

      1. Click Upload File and select the IP address blacklist file that you want to import.

        Important

        • CSV files are supported.

        • IPv4 addresses, IPv6 addresses, and CIDR blocks are supported.

        • You can import only one file at a time. Each file can contain up to 2,000 IP addresses or CIDR blocks. The size of the file cannot exceed 1 MB.

        • You can import a large number of IP addresses in batches.

      2. Configure the End At parameter to specify the date and time when you want the configuration to become invalid. Valid values:

        • Permanently Effective.

        • Custom. Click the date and time picker to specify a date and time.

      3. In the Remarks field, enter a description and click OK.

        After you add IP addresses to the blacklist, you can view the IP addresses that you added in the Configure IP Address Blacklist step.

      Delete All IP Addresses

      If you no longer need to block the IP addresses that you added to the blacklist, you can click Delete All IP Addresses to remove all IP addresses from the blacklist.

      Delete Expired IP Addresses

      After the validity period of the IP addresses ends, you can click Delete Expired IP Addresses to remove all expired IP addresses from the blacklist.

  5. Click Complete.

    By default, the new major event protection rule template is enabled. You can perform the following operations in the major event protection rule template list:

    • View the number of protection rules and the number of protected objects and protected object groups that are associated with the template.

    • Turn on or turn off the switch in the Status column to enable or disable the template.

    • In the Actions column, click Edit, Delete, or Copy to modify, delete, or copy the template.

    • If you enabled the IP address blacklist for major event protection feature, click Edit IP Address Blacklist to modify the IP address blacklist.
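As an added example (not Alibaba Cloud's own tooling), the following Python script pre-checks a blacklist before it is typed in or imported, applying the limits stated above: entries separated by line feeds or commas, IPv4, IPv6 and CIDR accepted, at most 500 entries for manual entry, and at most 2,000 entries and 1 MB per imported file, with larger lists split into batches. The sample input is constructed; a CIDR block with host bits set is reported rather than silently widened, since a widened block would block more clients than the operator intended.

```python
import ipaddress
import re

MAX_ENTRIES_PER_FILE = 2000   # documented per-file limit for imports
MAX_FILE_BYTES = 1024 * 1024  # documented 1 MB per-file limit
MAX_MANUAL_ENTRIES = 500      # documented limit when entries are typed in

def parse_entries(text):
    """Split on line feeds or commas; return (valid, invalid) lists.
    Valid entries are normalised (lower-case IPv6, canonical CIDR) so that
    duplicates collapse; a CIDR block with host bits set is invalid."""
    valid, invalid, seen = [], [], set()
    for raw in re.split(r"[\n,]", text):
        entry = raw.strip()
        if not entry:
            continue
        try:
            if "/" in entry:
                canon = str(ipaddress.ip_network(entry, strict=True))
            else:
                canon = str(ipaddress.ip_address(entry))
        except ValueError:
            invalid.append(entry)
            continue
        if canon not in seen:
            seen.add(canon)
            valid.append(canon)
    return valid, invalid

def build_import_files(entries, max_entries=MAX_ENTRIES_PER_FILE,
                       max_bytes=MAX_FILE_BYTES):
    """Group entries into CSV file bodies (one entry per line) that each
    stay within the per-file entry and byte limits (entries are ASCII)."""
    files, current, size = [], [], 0
    for entry in entries:
        line = entry + "\n"
        if current and (len(current) >= max_entries
                        or size + len(line) > max_bytes):
            files.append("".join(current))
            current, size = [], 0
        current.append(line)
        size += len(line)
    if current:
        files.append("".join(current))
    return files

# Constructed sample: duplicates, mixed-case IPv6, a malformed address
# and a CIDR block with host bits set.
SAMPLE = ("198.51.100.7, 198.51.100.7\n203.0.113.0/24\n2001:db8::1\n"
          "2001:DB8::1\n192.0.2.300\n10.0.0.1/24\n")
```

Run parse_entries on the file contents first, fix or drop the reported invalid entries, then write each string returned by build_import_files to its own CSV file and import the files one at a time.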

View the statistics on major event protection

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.

  2. In the left-side navigation pane, choose Protection Configuration > Scenario-specific Protection > Protection for Major Events.

  3. On the Security Reports tab, you can view the following information:

    [Figure: Major event scenario protection security report; the numbered labels are referenced below]

    • In the Statistics section, you can view the total number of requests and the number of blocked requests. You can also view the protection rules and related data in a specific time range in a pie chart.

    • In the Protection Plan for Major Events section, you can view the number of rules for major event protection, number of threat intelligence rules, number of IP addresses in the blacklist, and maximum number of IP addresses that can be added to the blacklist in a specific time range.

    • On the Security Reports tab, you can specify the protected object and the time range to query the security report data.

      • Protected object: By default, All is selected and the security report data of all protected objects in WAF is obtained. You can also query the security report data of a specific protected object.

      • Time range: By default, Today is selected and the security report data of the current day is obtained. You can select Yesterday, Today, 7 Days, 30 Days, or a point in time in the previous 30 days to view data in the corresponding time range.

      The security report data is described below.

      • Attack statistics (labeled 1 in the preceding figure)

        Displays the statistical analysis results of attacks that are received by protected objects in a specific time range.

        • Distribution of Attack Types: Displays the breakdown of attacks by type in a pie chart.

        • Top 5 Attacks: Displays the top 5 protected objects that are most frequently attacked on the Attacked Object tab and the top 5 IP addresses from which attacks are most frequently launched on the Attacker IP Address tab. The protected objects or IP addresses are listed in descending order based on the number of attacks.

        Supported operation: None.

      • Attack event records (labeled 2 in the preceding figure)

        Displays information about the attacks that match basic protection rules in a list. The list includes the following information:

        • Attacker IP Address: the source IP address of the attack.

        • Area: the area where the attacker IP address is located.

        • Attack Time: the start time of the attack.

        • Attack Type: the type of the attack, such as SQL injection and code execution.

        • Rule Type: the type of the rule, such as rule groups for major event protection and threat intelligence for major event protection.

        • Action: the action that WAF performs on the request. The action can be Block or Monitor. The Block action blocks the request. The Monitor action records the request but does not block the request.

        Supported operations:

        • Filter attack events: In the upper part of the attack event list, you can use the following fields to filter attack events:

          • Attack type: Valid values: All, SQL Injection, XSS Attack, Code Execution, Local File Inclusion, Remote File Inclusion, Webshell, and Others. Default value: All.

          • Rule type: Valid values: All, Protection Rule Group for Major Events, Threat Intelligence for Protection for Major Events, IP Address Blacklist for Protection for Major Events, and Shiro Deserialization Vulnerability Prevention. Default value: All.

          • Rule action: Valid values: All, Block, and Monitor. Default value: All.

        • View attack details: Find the attack event whose details you want to view and click View Details in the Actions column. Then, you can view the details of the attack event. The details include the attack type and the ID, name, description, and action of the protection rule that is matched by the attack.

      • Real-time threat intelligence (labeled 3 in the preceding figure)

        Displays the following information about the threat intelligence of an attacker IP address:

        • The IP address of the attacker and the corresponding attributes.

        • The area to which the attacker IP address belongs.

        • The number of attacks that occurred in the previous hour.

        • The type of the attack.

        Supported operation: Query the real-time threat intelligence of an attacker IP address. Enter the IP address that you want to query and click the query icon.