How to configure the HTTP flood protection module - Web Application Firewall

After you add your web services to Web Application Firewall (WAF), you can configure protection rules for the HTTP flood protection module to block HTTP flood attacks that target websites and return 405 error pages to clients. This topic describes how to configure protection rules for the HTTP flood protection module.

Prerequisites

A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
Web services are added to WAF 3.0 as protected objects. For more information, see Configure protected objects and protected object groups.

Create a protection template of the HTTP flood protection module

A default protection template is provided. By default, the protection template is enabled. To enable custom protection rules, you must create a protection template and create protection rules for the template. Perform the following steps to create a protection template:

Note

The default protection template is available only for subscription WAF instances that run the Pro, Enterprise, or Ultimate edition.

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.
In the left-side navigation pane, choose Protection Configuration > Protection Rules.
In the HTTP Flood Protection section of the Basic Web Protection page, click Create Template.
Note
If this is your first time to create a protection template of the HTTP flood protection module, you can also click Configure Now in the HTTP Flood Protection card in the upper part of the Basic Web Protection page.

In the Create Template - HTTP Flood Protection panel, configure the parameters and click OK. The following table describes the parameters.

Parameter	Description
Template Name	Specify a name for the template. The name of the template must be 1 to 255 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-).
Save as Default Template	Specify whether to set this template as the default template of the protection module. You can set only one default template for a protection module. If you turn on Save as Default Template, you do not need to configure the Apply To parameter. The default template is applied to all protected objects and protected object groups to which no protection templates are applied.
Action	Select the action that you want WAF to perform when a request matches the rule. Valid values: Protection: blocks only suspicious requests. In this mode, the false positive rate is low. We recommend that you apply this mode when no abnormal traffic is detected on the website. This helps avoid false positives. Protection-emergency: blocks HTTP flood attacks. In this mode, the false positive rate may be high. If HTTP flood attacks fail to be blocked in Protection mode, the website responds at a low speed, and monitoring metrics such as traffic, CPU, and memory are abnormal, you can select this mode. Note The Protection-emergency mode is suitable for web pages and HTML5 pages. We recommend that you do not select this mode for APIs or native apps. If you select this mode for APIs or native apps, a large number of false positives may occur. We recommend that you create protection rules of the custom rule module for APIs or native apps. For more information, see Configure protection rules for the custom rule module.
Apply To	Select the protected objects and protected object groups to which you want to apply the template. You can apply only one template of a protection module to a protected object or a protected object group. For information about how to associate protected objects and protected object groups with the template, see Configure protected objects and protected object groups.

By default, a new rule template is enabled. You can perform the following operations in the rule template list:

View the number of protected objects and protected object groups that are associated with the template.
Turn on or turn off the switch in the Status column to enable or disable the template.
Click Edit or Delete in the Actions column to modify or delete the template.
Click the icon to the left of a template name to view the rules in the template.

What to do next

On the HTTP Flood Protection tab of the Security Reports page, you can view the protection details of the configured protection rules. For more information, see IP address blacklist, custom rule, scan protection, HTTP flood protection, and region blacklist modules.

References

For more information about the protection objects, protection modules, and protection process of WAF 3.0, see Protection configuration overview.
For more information about how to configure protection rules for the whitelist or HTTP flood protection module to allow requests destined for a domain name to bypass the HTTP flood protection module, see How do I disable HTTP flood protection for a domain name?
For more information about how to create a protection template by calling an API operation, see CreateDefenseTemplate.
For more information about how to create a protection rule by calling an API operation, see CreateDefenseRule.