FAQ about WAF

Last Updated: Jul 31, 2024

This topic provides answers to some frequently asked questions about Web Application Firewall (WAF).

Overview

Can I use WAF to protect servers that are not deployed on Alibaba Cloud?

Yes, you can use WAF to protect servers that are not deployed on Alibaba Cloud. WAF can protect all servers that are accessible over the Internet, regardless of whether the servers are deployed on Alibaba Cloud, on third-party clouds, or in data centers.

Important

If you want to add domain names to a WAF instance in the Chinese mainland, you must complete an Internet Content Provider (ICP) filing for the domain names as required by the Ministry of Industry and Information Technology (MIIT). If the domain names do not have an ICP filing, the domain names cannot be added to the WAF instance.

Does WAF support Cloud Web Hosting instances?

Yes, all editions of WAF support exclusive Cloud Web Hosting instances.

Shared Cloud Web Hosting instances use shared IP addresses. Therefore, multiple users share the same origin server. We recommend that you do not separately configure WAF for shared Cloud Web Hosting instances.

Can WAF protect HTTPS services?

Yes, all editions of WAF can protect HTTPS services. You can add wildcard domain names to WAF.

To protect HTTPS services, you must upload SSL certificates and private key files as prompted. After HTTPS-enabled websites are added to WAF, WAF decrypts access requests, checks request packets, encrypts the requests, and then forwards the requests to origin servers.

Does WAF support custom ports?

WAF 2.0 Business and Enterprise, and WAF 3.0 Enterprise Edition and Ultimate Edition, support custom ports. WAF 2.0 Business and WAF 3.0 Enterprise Edition support up to 10 custom ports. WAF 2.0 Enterprise and WAF 3.0 Ultimate Edition support up to 50 custom ports.

Important

WAF supports custom ports only within a specific port range. If you want to use a custom port, make sure that the port is within the allowed port range. For more information, see View the ports supported by WAF.

What are the limits on the ports that can be added to WAF?

WAF supports only specific ports. The supported ports vary based on the editions of WAF. For more information, see View the ports supported by WAF.

Security risks may be caused by vulnerable ports, and Internet service providers (ISPs) may block service traffic that is destined for vulnerable ports. Vulnerable TCP ports include ports 42, 135, 137, 138, 139, 445, 593, 1025, 1434, 1068, 3127, 3128, 3129, 3130, 4444, 5554, 5800, 5900, and 9996. If a website that is protected by WAF uses vulnerable ports, the website may be inaccessible in specific regions. Before you add a website to WAF, make sure that the website does not use vulnerable ports.

Does the QPS limit specified in the WAF console apply to the entire WAF instance or a single domain name that is added to the WAF instance?

The queries per second (QPS) limit applies to the entire WAF instance.

For example, if you add three domain names to a WAF instance in the WAF console, the total QPS of the domain names cannot exceed the specified QPS limit. If the total QPS exceeds the limit, WAF triggers throttling and may randomly discard packets.

Does WAF support mutual TLS authentication?

The CNAME record and transparent proxy modes do not support mutual TLS authentication. The cloud native - SDK module mode of WAF 3.0 supports mutual TLS authentication. In this mode, you can add the following cloud services to WAF on the Cloud Native tab of the Website Configuration page in the WAF 3.0 console: Application Load Balancer (ALB), Microservices Engine (MSE), Function Compute, and Serverless App Engine (SAE).

Does WAF support the WebSocket, HTTP/2, or SPDY protocol?

All editions of WAF support WebSocket. In WAF 2.0, Business and higher support HTTP/2. In WAF 3.0, Subscription Enterprise Edition and higher and Pay-as-you-go Edition support HTTP/2. No edition of WAF supports SPDY.

To prevent attackers from using HTTP/2 over cleartext (H2C) smuggling to bypass WAF, you can create a custom rule to block requests whose Header name is Upgrade and value is h2c. For more information, see Configure custom rules to defend against specific requests (WAF 3.0) and Create a custom protection policy (WAF 2.0).
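The check that such a custom rule performs, written out as an added example (not Alibaba Cloud code, and not the WAF rules engine itself): it inspects the Upgrade header of constructed sample requests and blocks only an h2c upgrade. It goes slightly beyond the console rule in that it also recognizes h2c inside a comma-separated Upgrade value and matches the header name case-insensitively, so that a WebSocket upgrade, which WAF supports, is still allowed.

```python
"""Added example (not Alibaba Cloud code): an Upgrade: h2c header check mirroring the
custom rule described above, run over constructed request headers."""

from typing import Mapping


def requests_h2c_upgrade(headers: Mapping[str, str]) -> bool:
    """Return True if the request asks to upgrade the connection to HTTP/2 cleartext (h2c).

    Header names are case-insensitive, and an Upgrade value may list several
    protocols separated by commas, so both are normalized before comparison.
    """
    for name, value in headers.items():
        if name.lower() != "upgrade":
            continue
        tokens = [token.strip().lower() for token in value.split(",")]
        if "h2c" in tokens:
            return True
    return False


def decide(headers: Mapping[str, str]) -> str:
    """Effect of the rule: block h2c upgrade attempts, allow everything else."""
    return "block" if requests_h2c_upgrade(headers) else "allow"


# Constructed sample requests (not captured traffic); only the Upgrade header matters here.
SAMPLE_REQUESTS = {
    "plain": {"Host": "example.com", "User-Agent": "curl"},
    "websocket": {"Host": "example.com", "Connection": "Upgrade", "Upgrade": "websocket"},
    "h2c": {"Host": "example.com", "Connection": "Upgrade, HTTP2-Settings", "upgrade": "h2c"},
    "h2c_in_list": {"Host": "example.com", "Upgrade": "websocket, h2c"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_REQUESTS.items():
        print(f"{label:12s} -> {decide(hdrs)}")
```

The WebSocket sample must stay allowed: a rule that blocks every Upgrade header would break the WebSocket support that all WAF editions provide.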

Is the origin server affected after HTTP/2 services are added to WAF?

Yes, the origin server is affected. If you add HTTP/2 services to WAF, WAF can handle HTTP/2 requests from clients. However, WAF forwards requests to the origin server only over HTTP/1.0 or HTTP/1.1. If you add HTTP/2 services to WAF, HTTP/2 multiplexing cannot work as expected and the clean bandwidth of the origin server increases.

What TLS protocols does WAF support?

WAF instances that reside in the Chinese mainland support TLS 1.0, TLS 1.1, and TLS 1.2. WAF instances that reside outside the Chinese mainland support TLS 1.1 and TLS 1.2.

If you have special requirements, you can configure custom TLS settings. For example, you can disable TLS 1.0 and enable TLS 1.3 for your WAF instance. For more information, see Configure custom TLS settings.

Can WAF protect websites that use NTLM authentication?

No, WAF cannot protect websites that use New Technology LAN Manager (NTLM) authentication. If your website uses NTLM authentication, the access requests that are forwarded by WAF may fail the NTLM authentication of the origin server. As a result, authentication prompts may be repeatedly displayed on the client. We recommend that you use a different authentication method for your website.

Can I use the private IP address of an ECS instance as an origin IP address?

No, you cannot use the private IP address of an Elastic Compute Service (ECS) instance as an origin IP address. This is because WAF forwards requests to an origin server over the Internet.

Can WAF protect multiple origin IP addresses for one domain name?

Yes, you can enter up to 20 origin IP addresses when you add a domain name in the WAF console.

How does WAF balance request loads among multiple origin servers?

If you use multiple origin servers, WAF automatically uses the IP hash method to balance request loads among the origin servers. You can also use other load balancing algorithms based on your business requirements. For more information, see Add a domain name.

Does WAF support the health check feature?

Yes, WAF supports the health check feature. By default, the health check feature is enabled. WAF checks the availability of all origin IP addresses. If an origin server is unavailable, WAF forwards the requests to another origin server.

Note

If an origin server does not respond, WAF sets a cooldown period for the origin server. During the period, WAF does not forward requests to the origin server but forwards the requests to another origin server. After the period ends, WAF may still forward requests to the origin server. For more information about the health check feature, see How CLB health checks work.
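To make the two preceding answers concrete, the following added example (not Alibaba Cloud code; the cooldown length and the origin addresses are constructed placeholders) models IP-hash selection over several origin IP addresses together with a health-check cooldown: an origin that stops responding is skipped for the cooldown period and becomes eligible again afterwards. The walk-forward fallback is an assumed design choice that keeps clients of healthy origins on the same origin when another origin fails.

```python
"""Added example (not Alibaba Cloud code): IP-hash origin selection with a
health-check cooldown for unresponsive origins."""

import hashlib
import time
from typing import Dict, List, Optional


class OriginPool:
    def __init__(self, origins: List[str], cooldown_seconds: float = 30.0):
        self.origins = list(origins)
        self.cooldown_seconds = cooldown_seconds
        # origin -> timestamp until which the origin is skipped
        self.cooldown_until: Dict[str, float] = {}

    def is_healthy(self, origin: str, now: float) -> bool:
        return self.cooldown_until.get(origin, 0.0) <= now

    def mark_unresponsive(self, origin: str, now: Optional[float] = None) -> None:
        """Health check failed: set a cooldown period during which no requests go to the origin."""
        now = time.time() if now is None else now
        self.cooldown_until[origin] = now + self.cooldown_seconds

    def pick(self, client_ip: str, now: Optional[float] = None) -> Optional[str]:
        """Choose an origin by hashing the client IP; skip origins in cooldown."""
        now = time.time() if now is None else now
        if not self.origins:
            return None
        digest = hashlib.sha256(client_ip.encode("utf-8")).digest()
        start = int.from_bytes(digest[:8], "big") % len(self.origins)
        # Walk forward from the hashed slot until a healthy origin is found, so clients
        # whose hashed origin is healthy keep the same origin when another one fails.
        for offset in range(len(self.origins)):
            candidate = self.origins[(start + offset) % len(self.origins)]
            if self.is_healthy(candidate, now):
                return candidate
        return None  # every origin is in cooldown


if __name__ == "__main__":
    # Constructed origin addresses (documentation ranges), not real servers.
    pool = OriginPool(["192.0.2.10", "192.0.2.11", "192.0.2.12"], cooldown_seconds=60)
    chosen = pool.pick("198.51.100.7")
    print("client 198.51.100.7 ->", chosen)
    pool.mark_unresponsive(chosen)
    print("after failure      ->", pool.pick("198.51.100.7"))
```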

Does latency exist when I change an origin IP address?

Yes, latency exists when you change an origin IP address. The new IP address requires approximately 1 minute to take effect.

What are the back-to-origin CIDR blocks of WAF?

To view the back-to-origin CIDR blocks of WAF, log on to the WAF console and choose Systems > Service Information in the left-side navigation pane. For more information, see Allow requests from the back-to-origin CIDR blocks of WAF.

Are back-to-origin CIDR blocks of WAF automatically added to security groups?

No, back-to-origin CIDR blocks of WAF are not automatically added to security groups. If you deploy other firewalls or host protection software for origin servers, we recommend that you add the back-to-origin CIDR blocks of WAF to the whitelists of the firewalls and software.

We recommend that you configure protection policies for the origin servers. For more information, see Configure protection for an origin server.

Do I need to allow access requests from all client IP addresses when I configure back-to-origin settings?

You can allow access requests from all client IP addresses or only from the back-to-origin CIDR blocks of WAF. We recommend that you allow access requests only from the back-to-origin CIDR blocks of WAF to protect the origin servers of your web services.

Can a WAF instance that uses an exclusive IP address defend against DDoS attacks?

Yes, a WAF instance that uses an exclusive IP address can defend against DDoS attacks.

WAF provides exclusive IP addresses to separately protect domain names. WAF can use the Anti-DDoS blackhole filtering policy to protect exclusive IP addresses. The policy protects exclusive IP addresses in the same manner as it protects the public IP addresses of ECS and Server Load Balancer (SLB) instances. The default DDoS mitigation capability provided by a WAF instance that uses an exclusive IP address is the same as the default DDoS mitigation capability of the ECS instance to which the related domain name points in the region where WAF is deployed.

Can WAF be deployed together with Alibaba Cloud CDN or Anti-DDoS Proxy?

Yes, WAF is fully compatible with Alibaba Cloud CDN and Anti-DDoS Proxy. If you want to deploy WAF together with Alibaba Cloud CDN and Anti-DDoS Proxy, we recommend that you deploy the services in the following sequence: client, Anti-DDoS Proxy, Alibaba Cloud CDN, WAF, SLB, and origin server.

If you want to deploy WAF together with Alibaba Cloud CDN or Anti-DDoS Proxy, you need to only set the address of the origin server to the CNAME assigned by WAF when you add a domain name to Alibaba Cloud CDN or Anti-DDoS Pro. When the address of the origin server is set to the CNAME assigned by WAF, requests are forwarded by Alibaba Cloud CDN or Anti-DDoS Proxy to WAF and then to the origin server. For more information, see Protect a website service by using Anti-DDoS Proxy and WAF and Use WAF together with CDN.

Can I deploy WAF together with Alibaba Cloud CDN and Anti-DDoS Proxy across Alibaba Cloud accounts?

Yes, you can deploy WAF together with Alibaba Cloud CDN and Anti-DDoS Proxy across Alibaba Cloud accounts. This allows you to defend against DDoS attacks and web application attacks.

How does WAF ensure the security of an uploaded certificate and the private key of the certificate? Does WAF decrypt HTTPS traffic and record the content of HTTPS requests?

If you use WAF to protect HTTPS services, you must upload the required SSL certificate and the private key of the certificate. This way, WAF can decrypt HTTPS traffic to detect attacks and analyze the characteristics of the attacks. Alibaba Cloud uses a dedicated key server to store and manage private keys. The key server is based on Alibaba Cloud Key Management Service (KMS) and can ensure the data security, integrity, and availability of certificates and private keys. This helps meet classified protection and compliance requirements. For more information about KMS, see What is Key Management Service?

WAF uses an uploaded certificate and the private key of the certificate to decrypt HTTPS traffic only in scenarios in which attacks are detected in real time. WAF records only attack payloads to provide attack reports and data statistics. WAF does not record the full content of requests or responses unless WAF is granted the required permissions.

WAF has passed various authoritative certifications, including ISO 9001, ISO 20000, ISO 22301, ISO 27001, ISO 27017, ISO 27018, ISO 27701, ISO 29151, BS 10012, Cloud Security Alliance (CSA) STAR certification, Cybersecurity in China Multi-level Protection Scheme (MLPS 2.0) Level III, Service Organization Control (SOC) 1, SOC 2, SOC 3, Cloud Computing Compliance Controls Catalog (C5), Green Finance Certification Scheme developed by Hong Kong Quality Assurance Agency (HKQAA), Outsourced Service Provider's Audit Report (OSPAR), and Payment Card Industry Data Security Standard (PCI DSS). WAF also provides the same security and compliance qualifications as Alibaba Cloud. For more information, visit Alibaba Cloud Trust Center.

Note

If you use WAF to protect HTTPS services, you can use a dual-certificate method. You can use a set of certificates and private keys on your WAF instance and use another set of certificates and private keys on the origin server. The two sets of certificates and private keys must be valid. You can separately manage the two sets of certificates and private keys.

A domain name is added to WAF. Why am I unable to find the domain name in the domain name list?

The domain name may have been automatically removed by WAF. This happens when the ICP filing information of the domain name is invalid. You must complete an ICP filing for the domain name and add the domain name to WAF again. For more information about ICP filing, see ICP filing application overview.

Important

Before you add a website to a WAF instance in the Chinese mainland, make sure that the ICP filing information of the domain name is valid. To meet the requirements of laws and regulations, WAF removes domain names whose ICP filing information is invalid on a regular basis.

How can I use WAF to defend against HTTP flood attacks?

WAF provides various protection modes to defend against HTTP flood attacks. You can select a mode based on your business requirements. For more information, see Configure HTTP flood protection.

To achieve better protection and reduce the false positive rate, you can use WAF 2.0 Business or Enterprise, or WAF 3.0 Enterprise Edition or Ultimate Edition. This way, security experts can tailor protection algorithms specific to your business. For more information, see Create a custom protection policy.

How long does it take for configuration modifications in the WAF console to take effect?

In most cases, configuration modifications take effect within 1 minute.

When I configure custom protection policies (ACL policies) in the WAF console, can I enter CIDR blocks in the IP field?

Yes, you can enter CIDR blocks in the IP field.

Why does a custom protection policy whose URL match field contains a double forward slash (//) not take effect?

When the rules engine of WAF processes the URL match field, it compresses consecutive forward slashes (/) in the request URL into a single forward slash before the comparison. A custom protection policy whose URL match field contains a double forward slash (//) therefore never matches, because no compressed request URL contains two consecutive forward slashes.

If you want to define an ACL policy whose URL match field contains a double forward slash (//), enter a single forward slash (/) instead. For example, if you want to set the URL match field to //api/sms/request, enter /api/sms/request. This way, WAF can implement access control as expected.
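The following added example (not Alibaba Cloud code, and not the WAF rules engine) reproduces the slash compression described above so that the effect on a URL match field can be checked offline. It assumes exact-match semantics for the URL match field; the compression step itself is the one the text describes.

```python
"""Added example (not Alibaba Cloud code): slash compression applied to a request path
before it is compared with a URL match field."""

import re

_MULTI_SLASH = re.compile(r"/{2,}")


def compress_slashes(path: str) -> str:
    """Collapse every run of consecutive forward slashes into a single slash."""
    return _MULTI_SLASH.sub("/", path)


def url_rule_matches(match_field: str, request_path: str) -> bool:
    """Assumed exact-match semantics: the request path is compressed, the match field is
    compared as entered. A match field containing // can therefore never match."""
    return compress_slashes(request_path) == match_field


def suggested_match_field(desired_path: str) -> str:
    """What to enter in the console for a path that contains consecutive slashes."""
    return compress_slashes(desired_path)


if __name__ == "__main__":
    # Constructed request path, the example from the text.
    path = "//api/sms/request"
    print("entered //api/sms/request matches:", url_rule_matches("//api/sms/request", path))
    print("entered /api/sms/request matches: ", url_rule_matches("/api/sms/request", path))
    print("suggested field:", suggested_match_field(path))
```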

Can I view the source IP addresses of HTTP flood attacks in the WAF console?

Yes, you can view the source IP addresses of HTTP flood attacks after you enable the Simple Log Service for WAF feature. For more information, see Get started with the Log Service for WAF feature and Query logs.

How do I query the bandwidth usage of WAF?

You can view the bandwidth usage of WAF on the Overview page of the WAF console.

How does WAF improve the access security of business account APIs?

As the business and scale of enterprises continue to grow, the number of attacks is also increasing exponentially. Websites with more valuable accounts are attacked more frequently. Attackers may initiate numerous requests to a specific business account API over a specific period of time to log on to accounts or register a large number of fake accounts. WAF can protect APIs associated with accounts by automatically detecting APIs and providing account risk identification and scenario-based anti-crawling capabilities. For more information, see API security, Fraud detection, and Enable and configure the bot management module.

How do crawlers collect information by calling APIs? How do I mitigate the risks?

Crawlers automatically collect data from the Internet based on specific rules. Enterprises may lack effective management of online APIs, which allows attackers to gain unauthorized access to APIs. Improper configurations and illegal API access requests can also cause sensitive data leaks. WAF provides the bot management and API security modules.

  • The bot management module protects against and handles malicious requests based on intelligence data, such as the malicious crawler IP address database compiled in real time and dynamically updated IP address databases from major public clouds and data centers. For more information, see Enable and configure the bot management module.

  • The API security module automatically sorts through the APIs of services that are added to WAF, detects API vulnerabilities, provides reports on API exception events, and provides suggestions on how to handle vulnerabilities. For more information, see API security.

How does WAF obtain and record the originating IP addresses of clients by using custom header fields?

WAF obtains the originating IP addresses of clients in the following way: If a Layer 7 proxy is deployed in front of WAF, such as Anti-DDoS Proxy or Alibaba Cloud CDN, you can use custom header fields, such as X-Client-IP and X-Real-IP, to include the originating IP addresses of clients in requests. This prevents attackers from forging the X-Forwarded-For header to bypass the detection of WAF and enhances business security. After you configure a custom header field in WAF, WAF uses the value of the header field as the originating IP address of a client. If you configure multiple custom header fields, WAF reads the originating IP address of a client from the header fields in sequence.

WAF records the originating IP addresses of clients in the following way: When you add a website to WAF, you can enable the traffic marking feature. The feature allows WAF to record the originating IP addresses of clients in custom header fields when WAF forwards requests to the origin server. This way, the origin server can obtain the originating IP addresses of clients from the custom header fields for business analysis.
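The two behaviours above, reading the client IP from configured custom header fields in sequence and marking the forwarded request with that IP, are shown in the following added example (not Alibaba Cloud code). The header list, the marker header name and the sample requests are constructed; the rule that header values are trusted only when a known proxy sits in front is the security point the text makes about forged headers.

```python
"""Added example (not Alibaba Cloud code): resolving the client IP from custom header
fields in sequence, and traffic marking on the forwarded request."""

from ipaddress import ip_address
from typing import Dict, List, Mapping

# Constructed configuration: custom header fields in the order they are consulted.
CUSTOM_CLIENT_IP_HEADERS: List[str] = ["X-Client-IP", "X-Real-IP"]

# Constructed placeholder for the header that traffic marking adds on the way to the origin.
TRAFFIC_MARK_HEADER = "X-Client-IP-From-WAF"


def _is_ip(value: str) -> bool:
    try:
        ip_address(value.strip())
        return True
    except ValueError:
        return False


def resolve_client_ip(
    headers: Mapping[str, str],
    peer_ip: str,
    custom_headers: List[str] = CUSTOM_CLIENT_IP_HEADERS,
    proxy_in_front: bool = True,
) -> str:
    """Return the originating client IP.

    With a Layer 7 proxy in front, the configured headers are read in sequence and the
    first syntactically valid address wins. Without such a proxy, any client can set these
    headers, so the address of the connection peer is used instead.
    """
    if not proxy_in_front:
        return peer_ip
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in custom_headers:
        value = lowered.get(name.lower())
        if value and _is_ip(value):
            return value.strip()
    return peer_ip  # no usable custom header: fall back to the peer address


def mark_traffic(headers: Mapping[str, str], client_ip: str) -> Dict[str, str]:
    """Traffic marking: record the resolved client IP in a header on the forwarded request."""
    forwarded = dict(headers)
    forwarded[TRAFFIC_MARK_HEADER] = client_ip
    return forwarded


if __name__ == "__main__":
    # Constructed request as it might arrive from an upstream Layer 7 proxy.
    incoming = {"Host": "example.com", "X-Real-IP": "198.51.100.9"}
    client = resolve_client_ip(incoming, peer_ip="203.0.113.1")
    print("client IP:", client)
    print("forwarded headers:", mark_traffic(incoming, client))
```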

What are the main security risks of APIs and their possible impacts? How do I mitigate the risks?

Attackers may gain unauthorized access to APIs. Improper configurations and illegal API access requests can lead to sensitive data leaks. HTTP flood attacks can be launched by sending a large number of simulated normal requests to APIs. Expired APIs that have not been taken offline can lead to data leaks.

WAF provides the API security module for such issues. The API security module automatically detects high-risk issues, such as sensitive data leaks and Internet-exposed internal APIs, without the need for user configurations. WAF implements comprehensive API monitoring and traffic visualization to discover and classify APIs, assess the states of APIs, identify expired APIs that are still exposed, and model normal access requests. WAF implements self-learning on the API request parameter model to enable near real-time alerting for abnormal API calls. WAF also allows users to configure protection policies to mitigate and handle risks. For more information, see API security.

What risks might be associated with HTTP status code leaks? How do I mitigate the risks?

HTTP status codes are three-digit numeric codes that indicate the status of HTTP responses from a web server. The related error pages may contain information such as server code details, database connection information, SQL statements, or paths to sensitive files. Attackers can collect social engineering information and trigger web application errors to obtain sensitive information leaked from error messages, such as middleware version information or database connection details. The attackers can then carry out targeted attacks on specific versions with known vulnerabilities.

To prevent the leak of server version information, we recommend that you hide unnecessary information in HTTP response headers and return default error response pages. WAF allows you to configure rules to block or generate alerts for requests with specific HTTP status codes. This helps prevent the leak of sensitive server information. For example, you can configure a protection rule to block requests with the HTTP 404 status code. After the rule takes effect, WAF blocks requests for non-existent pages and returns a custom error page. For more information, see Configure custom response rules to configure custom block pages.
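As an added example (not Alibaba Cloud code, and not how WAF implements custom response rules), the following function shows the two mitigations the answer recommends: stripping response headers that reveal middleware versions, and replacing the origin's error page with a generic page for configured status codes. The header list, status code set and sample origin response are constructed.

```python
"""Added example (not Alibaba Cloud code): sanitizing origin responses so that error
pages and headers do not leak server, version or path details."""

from typing import Dict, Mapping, Tuple

# Constructed list of headers that commonly reveal middleware and version information.
LEAKY_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}

# Constructed policy: status codes whose origin error page is replaced by a generic page.
CUSTOM_PAGE_STATUS_CODES = {404, 500, 502}

GENERIC_ERROR_BODY = "<html><body><h1>The request could not be completed.</h1></body></html>"


def sanitize_response(
    status: int, headers: Mapping[str, str], body: str
) -> Tuple[int, Dict[str, str], str]:
    """Return the response as it should be sent to the client.

    Headers in LEAKY_HEADERS are always removed. For status codes in
    CUSTOM_PAGE_STATUS_CODES the body is replaced, so stack traces, file paths or SQL
    fragments in the origin's error page never reach the client; the status code is kept.
    """
    clean_headers = {k: v for k, v in headers.items() if k.lower() not in LEAKY_HEADERS}
    if status in CUSTOM_PAGE_STATUS_CODES:
        clean_headers["Content-Type"] = "text/html; charset=utf-8"
        clean_headers["Content-Length"] = str(len(GENERIC_ERROR_BODY.encode("utf-8")))
        return status, clean_headers, GENERIC_ERROR_BODY
    return status, clean_headers, body


if __name__ == "__main__":
    # Constructed origin response that leaks a server banner and a file system path.
    origin_headers = {"Server": "ExampleHTTPd/1.2.3", "Content-Type": "text/html"}
    origin_body = "<pre>ExampleHTTPd/1.2.3: /var/www/app/config.php not found</pre>"
    print(sanitize_response(404, origin_headers, origin_body))
```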

What are the security risks of the gaming business? How do I mitigate the risks?

The gaming business faces different security risks such as cheats, gold farming, account theft, and inappropriate content, which can harm both the player experience and the interests of game service providers. To handle the risks, Alibaba Cloud provides the game risk control solution. The solution leverages accumulated risk control capabilities and combines data characteristics, intelligent algorithms, and graph computing to accurately identify illegal activities. In business scenarios where high user authenticity is required, we recommend that you use real-name verification to prevent users from bypassing identity verification mechanisms. To ensure the security of game content, you can use Alibaba Cloud Content Moderation. You can call the public cloud API of Content Moderation to perform security checks on images, audio, and text to detect content such as pornography, political sensitivity, and terrorism. In addition, WAF blocks malicious crawler requests based on the global traffic and threat intelligence of Alibaba Cloud to ensure the continuity of the gaming business.

What risks might arise when I provide web API services by using a domain name? How do I mitigate the risks?

Web applications use web APIs to provide services such as storage services, messaging services, and computing services. However, forged API requests can lead to illegal API access requests, such as inconsistency in request paths and parameter values exceeding limits. As a result, sensitive data leaks can occur. WAF provides the API security module. The module manages custom API rule files to ensure that only API requests that meet the specified rules are executed. In addition, a large number of crawlers can simulate normal API requests. In this case, WAF blocks malicious crawler requests based on the global traffic and threat intelligence of Alibaba Cloud to prevent business fraud and HTTP flood attacks. For more information, see API security, Enable and configure the bot management module, and Configure HTTP flood protection rules to defend against HTTP flood attacks.

What measures does WAF take to reduce the risk of data leaks?

WAF takes the following measures to detect and mitigate attacks: proactively identify risky APIs, automatically respond to data leaks, employ a layered anti-intrusion strategy, and intercept crawlers. This helps ensure business data security.

What are the major protection engines provided by WAF?

WAF provides two protection engines: a basic protection rules engine and a custom rules engine. The engines identify malicious characteristics in the business traffic of websites and apps and defend against malicious traffic. For more information, see Basic protection rules and rule groups and Configure custom rules.

How does WAF intelligently detect and handle normal requests that are incorrectly identified as web attacks?

Due to the close resemblance between normal business request characteristics and attack detection rules, WAF may identify normal business requests as attacks. To reduce the false positive rate, the basic protection rules engine of WAF enables the intelligent rule hosting feature by default. The feature dynamically manages the web intrusion prevention whitelist to minimize the risk of false positives. After the risk of false positives is eliminated, the basic protection rules engine automatically deletes the rules that were added to the whitelist. For more information, see Configure whitelist rules to allow specific requests.

How does WAF enhance the security of databases?

WAF uses web intrusion prevention, HTTP flood protection, and crawler defense to enhance the security of databases. For more information, see Basic protection rules and rule groups, Enable and configure the bot management module, and Configure HTTP flood protection rules to defend against HTTP flood attacks.

A domain name is resolved to an SLB IP address and added to WAF. How do I prevent the requests destined for the domain name from bypassing WAF?

WAF supports the following modes for adding domain names: CNAME record mode and transparent proxy mode.

After you add a domain name to WAF in CNAME record mode, we recommend that you configure an access control policy for the origin server to allow inbound traffic only from WAF back-to-origin CIDR blocks. This prevents attackers from bypassing WAF to attack the origin server. If the origin server is deployed on an SLB instance, you also need to configure an access control policy for the SLB instance to allow inbound traffic only from WAF back-to-origin CIDR blocks.

After you configure an access control policy for the SLB instance, check whether the service port of the origin server can be accessed. If the service port cannot be directly accessed but the website services are still accessible, the protection settings for the origin server are successful.

Before you configure protection settings for the origin server, make sure that all domain names that are resolved to the SLB IP address are added to WAF. If you increase the number of WAF clusters and add new back-to-origin CIDR blocks, update the access control policy that you configured for the SLB instance.

If the origin server is deployed on an Internet-facing SLB instance, you can also add the domain name to WAF in transparent proxy mode. The transparent proxy mode eliminates the need to modify DNS records or configure protection settings for the origin server.
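The access control policy recommended here, and in the earlier answer on allowing only the back-to-origin CIDR blocks of WAF, can be audited offline. The following added example (not Alibaba Cloud code) checks a list of inbound rules for two problems: rules that let sources outside the WAF CIDR blocks reach the service port (a WAF bypass), and WAF CIDR blocks that no rule admits (which would happen after new clusters are added but the policy is not updated). The CIDR blocks and rules are constructed placeholders; the real back-to-origin CIDR blocks must be taken from the WAF console.

```python
"""Added example (not Alibaba Cloud code): auditing inbound access control rules against
the WAF back-to-origin CIDR blocks. IPv4 only; addresses are documentation ranges."""

from ipaddress import ip_network
from typing import List, NamedTuple


class Rule(NamedTuple):
    source: str      # source CIDR block the rule admits
    port_from: int   # first port of the admitted range
    port_to: int     # last port of the admitted range


# Constructed placeholders: substitute the CIDR blocks shown under Systems > Service
# Information in the WAF console.
WAF_BACK_TO_ORIGIN_CIDRS: List[str] = ["192.0.2.0/24", "198.51.100.0/25"]


def covers_port(rule: Rule, port: int) -> bool:
    return rule.port_from <= port <= rule.port_to


def cidr_within(inner: str, outer: str) -> bool:
    """True if every address of `inner` lies inside `outer`."""
    a, b = ip_network(inner, strict=False), ip_network(outer, strict=False)
    return a.version == b.version and a.subnet_of(b)


def find_bypass_rules(rules: List[Rule], service_port: int, allowed: List[str]) -> List[Rule]:
    """Rules that admit the service port from sources not fully inside the WAF CIDR blocks."""
    return [
        r for r in rules
        if covers_port(r, service_port) and not any(cidr_within(r.source, a) for a in allowed)
    ]


def missing_waf_cidrs(rules: List[Rule], service_port: int, allowed: List[str]) -> List[str]:
    """WAF CIDR blocks that no rule admits on the service port; traffic from them would be dropped."""
    return [
        c for c in allowed
        if not any(covers_port(r, service_port) and cidr_within(c, r.source) for r in rules)
    ]


if __name__ == "__main__":
    # Constructed policy: the 0.0.0.0/0 rule is the one that lets attackers bypass WAF.
    policy = [
        Rule("0.0.0.0/0", 443, 443),
        Rule("192.0.2.0/24", 443, 443),
        Rule("198.51.100.0/25", 443, 443),
        Rule("10.0.0.0/8", 22, 22),
    ]
    print("bypass rules:", find_bypass_rules(policy, 443, WAF_BACK_TO_ORIGIN_CIDRS))
    print("missing WAF CIDRs:", missing_waf_cidrs(policy, 443, WAF_BACK_TO_ORIGIN_CIDRS))
```

The audit complements, rather than replaces, the check described in the answer: after the policy is applied, the service port should no longer be reachable directly while the website remains reachable through WAF.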