Both Anti-DDoS Pro and Anti-DDoS Premium allow you to create accurate access control rules for the website services that they protect. The Accurate Access Control policy allows you to customize access control rules that filter requests based on commonly used HTTP fields, such as IP, URI, Referer, User-Agent, and Params. You can allow, block, or verify the requests that meet the filter conditions. This policy supports custom protection policies for different scenarios, such as hotlinking protection and management console protection.

Prerequisites

  • A website is added to Anti-DDoS Pro or Anti-DDoS Premium. For more information, see Add a website.
  • Protection settings of the latest version are enabled in Anti-DDoS Pro or Anti-DDoS Premium.

Background information

If your website is protected by Anti-DDoS Pro or Anti-DDoS Premium and you want to manage requests that have specific characteristics, you can enable Accurate Access Control for your website and create accurate access control rules. Each accurate access control rule consists of one or more match conditions and one action.
  • Match conditions specify the HTTP fields to be recognized. The following table describes the HTTP fields supported by accurate access control rules.
    Note Different HTTP fields use different logical operators. For example, the source IP field uses the Is Part Of or Is Not Part Of logical operator. The URI field uses the Contains or Does Not Contain logical operator. For more information, see the Supported logical operator column in the following table.
    Field | Description | Supported logical operator
    IP | The source IP address of the request. | Is Part Of and Is Not Part Of
    URI | The request URI. | Contains, Does Not Contain, Equals, Does Not Equal, Is Shorter Than, Has a Length Of, and Is Longer Than
    User-Agent | The information about the client browser that sends the request. | Contains, Does Not Contain, Equals, Does Not Equal, Is Shorter Than, Has a Length Of, and Is Longer Than
    Cookie | The cookie in the request. | Contains, Does Not Contain, Equals, Does Not Equal, Is Shorter Than, Has a Length Of, Is Longer Than, and Does Not Exist
    Referer | The source URI of the request, namely, the page from which the access request is redirected. | Contains, Does Not Contain, Equals, Does Not Equal, Is Shorter Than, Has a Length Of, Is Longer Than, and Does Not Exist
    Content-Type | The HTTP content type, namely the MIME type, specified by the request. | Contains, Does Not Contain, Equals, Does Not Equal, Is Shorter Than, Has a Length Of, and Is Longer Than
    X-Forwarded-For | The actual client IP address of the request. | Contains, Does Not Contain, Equals, Does Not Equal, Is Shorter Than, Has a Length Of, Is Longer Than, and Does Not Exist
    Content-Length | The number of bytes in the HTTP body of the request. | Is Smaller Than, Has a Value Of, and Is Larger Than
    Post-Body | The content of the request. | Contains, Does Not Contain, Equals, and Does Not Equal
    Http-Method | The request method. Valid values: GET, POST, DELETE, PUT, OPTIONS, CONNECT, HEAD, and TRACE. | Equals and Does Not Equal
    Header | The request header that is used to customize the HTTP header field and value. | Contains, Does Not Contain, Equals, Does Not Equal, Is Shorter Than, Has a Length Of, Is Longer Than, and Does Not Exist
    Params | The parameters in the request URI. The parameter part of the URI usually follows a question mark (?). For example, in the URI www.abc.com/index.html?action=login, the parameter part is action=login. | Contains, Does Not Contain, Equals, Does Not Equal, Is Shorter Than, Has a Length Of, and Is Longer Than
  • An action defines how a request is handled if it meets the match conditions. Actions include Clear, Blocked, and JS Challenge. The JS Challenge action verifies the source IP address by using JavaScript.

Limits

The following table describes the limits on Accurate Access Control based on the function plan of an Anti-DDoS Pro or Anti-DDoS Premium instance.

Limit | Standard function plan | Enhanced function plan
Number of custom rules | ≤ 5 | ≤ 10
Supported match fields | IP, URI, Referer, and User-Agent | All fields that support matching

Procedure

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region of your Anti-DDoS instance.
    • Mainland China: Anti-DDoS Pro
    • Outside Mainland China: Anti-DDoS Premium
  3. In the left-side navigation pane, choose Mitigation Settings > General Policies.
  4. On the General Policies page, click the Protection for Website Services tab. On the tab that appears, select the target domain name from the list on the left side.
  5. In the Accurate Access Control section, click Change Settings.
  6. Configure accurate access control rules for the domain name.
    • Create a rule
      1. Click Create Rule.
        Note If the number of custom rules reaches the upper limit, the Create Rule button is unavailable.
      2. In the Create Rule dialog box, specify the required parameters and then click OK.
        Parameter | Description
        Name | The name of the rule. The name can be up to 128 characters in length and can contain letters, digits, and underscores (_).
        Match Conditions | The match conditions of the rule. To add match conditions to a rule, click Add Condition. Each condition consists of Field Name, Logical Relation, and Field Value.
        • Set Field Name and Logical Relation based on the supported match fields and logical operators listed in the Background information section.
        • Set Field Value based on Field Name. Field Value is case sensitive. It does not support regular expressions and can be left blank.

        You can add multiple match conditions. If multiple match conditions are specified, a request matches the rule only when all the conditions are met.

        Action | The operation that is performed when a request meets the match conditions. Valid values:
        • Blocked: Requests that meet the match conditions are blocked.
        • Clear: Requests that meet the match conditions are allowed.
        • JS Challenge: The source IP address of a request that meets the match conditions must pass JavaScript verification.
        Validity | The validity period of the rule. You can set this parameter to 5 Minutes, 10 Minutes, 30 Minutes, 60 Minutes, 90 Minutes, 120 Minutes, or Permanent.

        In this example, after the configuration is complete, if a request is sent to the /login page and the User-Agent field of the request contains chrome, the source IP address must pass JavaScript verification. The rule remains in effect for 120 minutes after it is created.

        You can create multiple rules as required.
        Note
        • If you create multiple rules, the priority of a rule depends on its position in the rule list: the higher a rule is in the list, the higher its priority. The system compares a request against the rules in order of priority, so rules with a higher priority are compared first.
        • If a request matches multiple rules, the action of the rule with the highest priority takes effect.
      Examples
      • Block specific requests
        In most cases, the root directory of a website does not receive POST requests. During an HTTP flood attack, your website may receive a large number of POST requests that target the root directory. We recommend that you check whether these requests are valid. If they are invalid, you can use an accurate access control rule to block them. The following figure shows sample configurations.
      • Block web crawlers
        If your website receives a large number of crawler requests within a short period of time, the requests may be HTTP flood attacks launched by bots that imitate crawlers. You can block these requests. The following figure shows sample configurations.
    • Edit a rule
      1. In the rule list, find the target rule and click Edit in the Actions column.
      2. In the Edit Rule dialog box, modify the rule settings and click OK. Configure the rule settings in the same way you create a rule. However, you cannot change the value of Name.
    • Delete a rule
      1. In the rule list, find the target rule and click Delete in the Actions column.
      2. In the message that appears, click OK.
  7. Go back to the Accurate Access Control section and turn on Status to apply the settings.
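The following added example (not Alibaba Cloud's code) models how the match conditions and logical operators from the Background information section, the all-conditions-must-match rule from the Create Rule procedure, and the rule priority described in the Note are evaluated, so that a planned rule set can be checked against sample requests before Status is turned on. The request dictionary layout, the comma-separated IP list used for Is Part Of, and the rule names and values are assumptions of this example, not console behaviour the page documents.

```python
# Added example (not Alibaba Cloud's code): a small evaluator for accurate
# access control rules. Operator names follow the documentation; the request
# shape, the comma-separated IP list and the sample rules are assumptions.
from dataclasses import dataclass

OPERATORS = {
    "Contains": lambda v, x: v is not None and x in v,
    "Does Not Contain": lambda v, x: v is not None and x not in v,
    "Equals": lambda v, x: v == x,
    "Does Not Equal": lambda v, x: v is not None and v != x,
    "Is Shorter Than": lambda v, x: v is not None and len(v) < int(x),
    "Has a Length Of": lambda v, x: v is not None and len(v) == int(x),
    "Is Longer Than": lambda v, x: v is not None and len(v) > int(x),
    "Does Not Exist": lambda v, x: v is None,
    # Content-Length operators compare numeric values, not string lengths.
    "Is Smaller Than": lambda v, x: v is not None and int(v) < int(x),
    "Has a Value Of": lambda v, x: v is not None and int(v) == int(x),
    "Is Larger Than": lambda v, x: v is not None and int(v) > int(x),
    # IP operators: the field value is assumed to be a comma-separated list.
    "Is Part Of": lambda v, x: v in x.split(","),
    "Is Not Part Of": lambda v, x: v not in x.split(","),
}

@dataclass
class Rule:
    name: str
    conditions: list   # (field, operator, value) tuples; all must hold (AND)
    action: str        # "Blocked", "Clear" or "JS Challenge"

def matches(rule, request):
    # Field values are case sensitive, as in the console; a missing field
    # reads as None so that "Does Not Exist" can be evaluated.
    return all(OPERATORS[op](request.get(field), value)
               for field, op, value in rule.conditions)

def evaluate(rules, request, default="Clear"):
    # Rules are checked in list order (highest priority first); the first
    # rule that matches decides the action, as the Note describes.
    for rule in rules:
        if matches(rule, request):
            return rule.action, rule.name
    return default, None

# Constructed rule set mirroring the page's examples.
RULES = [
    Rule("block_root_post", [("Http-Method", "Equals", "POST"), ("URI", "Equals", "/")], "Blocked"),
    Rule("block_crawler", [("User-Agent", "Contains", "spider")], "Blocked"),
    Rule("challenge_login", [("URI", "Contains", "/login"), ("User-Agent", "Contains", "chrome")], "JS Challenge"),
]

if __name__ == "__main__":
    print(evaluate(RULES, {"Http-Method": "POST", "URI": "/", "User-Agent": "curl/8.0"}))
```

Because Field Value is case sensitive, a User-Agent of "Chrome/120" does not match a condition whose value is "chrome"; the evaluator reproduces that behaviour.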