This topic describes how to use Intelligent Protection provided by Anti-DDoS Pro and Anti-DDoS Premium to protect website services. Intelligent Protection is developed based on the big data technologies of Alibaba Cloud. It automatically learns traffic patterns and uses algorithms to analyze attacks. It then implements accurate access control rules to adjust protection modes and to quickly detect and block attacks, such as malicious bots and HTTP flood attacks.

Prerequisites

  • A website is added to Anti-DDoS Pro or Anti-DDoS Premium. For more information, see Add a website.
  • Protection settings in Anti-DDoS Pro or Anti-DDoS Premium of the latest version are enabled.

Background information

Notice: In the top navigation bar of the Anti-DDoS Pro or Anti-DDoS Premium console, you can switch the region (Mainland China and Outside Mainland China), and the system switches between Anti-DDoS Pro and Anti-DDoS Premium accordingly for you to manage and configure Anti-DDoS Pro or Premium instances. Ensure that you switch to the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.

After you set up an Anti-DDoS Pro or Anti-DDoS Premium instance to protect website services, you can enable Intelligent Protection. The intelligent protection engine automatically learns traffic patterns and protects the website against web attacks by using accurate access control rules.

Intelligent Protection mode

Intelligent Protection supports the following protection modes:
  • Warning: In this mode, when Anti-DDoS Pro or Anti-DDoS Premium detects malicious requests, it records the attacks but does not block any request. You can use this mode to learn how Intelligent Protection safeguards your website.

    You can use this mode and the Log Analysis feature to query warnings recorded by Intelligent Protection and verify its protection capabilities. For more information, see View attack warning logs.

  • Defense: In this mode, when Anti-DDoS Pro or Anti-DDoS Premium detects malicious requests, it directly applies accurate access control rules to block malicious requests.
    Note: Intelligent Protection uses accurate access control rules to trigger actions. To make sure that Intelligent Protection works as expected, you must enable Accurate Access Control. For more information, see Configure accurate access control rules.

    We recommend that you first use the Warning mode and the Log Analysis feature to analyze the attack logs. Switch to the Defense mode, in which the policy takes effect and requests are blocked, only after you confirm that Intelligent Protection works as expected.

Intelligent Protection level

If you enable Intelligent Protection, you can select a protection level as required. The following table describes the protection levels provided by Intelligent Protection.
| Level | Effect | Scenario |
| --- | --- | --- |
| Low | Blocks specific attacks and allows normal requests. | Large websites with high processing capabilities, and specific scenarios such as sales promotions |
| Normal (recommended) | Does not process requests in most cases. When detecting traffic that poses a threat to the protected website, Anti-DDoS Pro or Anti-DDoS Premium protects the website and minimizes the negative impacts on the website services. | Scenarios where the number of requests does not greatly fluctuate and the servers have additional resources other than managing normal network traffic |
| Strict | Strictly and intelligently blocks attacks but may block normal requests. | Websites that have weak protection capabilities |

Procedure

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region of your Anti-DDoS instance.
    • Mainland China: Anti-DDoS Pro
    • Outside Mainland China: Anti-DDoS Premium
  3. In the left-side navigation pane, choose Mitigation Settings > General Policies.
  4. On the General Policies page, click the Protection for Website Services tab. On the tab that appears, select the target domain name from the list on the left side.
  5. In the Intelligent Protection section, click Modify.
  6. In the Intelligent Protection dialog box, set Mode and Level, and turn on Status.
    • Mode: Set this parameter to Warning or Defense.
    • Level: Set this parameter to Low, Normal, or Strict.
    After Intelligent Protection is enabled, Anti-DDoS Pro or Anti-DDoS Premium automatically generates accurate access control rules when it detects malicious attacks. You can view the rules in the Accurate Access Control section.

View accurate access control rules

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region of your Anti-DDoS instance.
    • Mainland China: Anti-DDoS Pro
    • Outside Mainland China: Anti-DDoS Premium
  3. In the left-side navigation pane, choose Mitigation Settings > General Policies.
  4. On the General Policies page, click the Protection for Website Services tab. On the tab that appears, select the target domain name from the list on the left side.
  5. In the Accurate Access Control section, click Change Settings.
  6. On the Accurate Access Control page, view the rules that start with smartcc_.
    Accurate access control rules created by Intelligent Protection start with smartcc_. Compared with user-defined accurate access control rules, those created by Intelligent Protection have the following characteristics:
    • The action of a rule may be a warning. In Warning mode, the action specified in an accurate access control rule that is created by Intelligent Protection is a warning. In this case, Anti-DDoS Pro or Anti-DDoS Premium records attacks but does not block attacks.
    • Each rule has a validity period. After a rule expires, it becomes invalid and is automatically deleted.
    • Rules cannot be manually deleted. If you disable Intelligent Protection, rules created by Intelligent Protection are immediately deleted.

View attack warning logs

After you enable Intelligent Protection for website services, the Log Analysis feature records detected attacks that hit Intelligent Protection rules. You can query the attack warning logs associated with the Intelligent Protection rules on the Log Analysis page. This allows you to check the performance levels of Intelligent Protection.

Prerequisites
  • The Log Analysis feature is enabled for a website. For more information, see Full log.
  • The Intelligent Protection policy is enabled for a website and set to the Warning mode.

Queries

Log on to the Anti-DDoS Pro or Anti-DDoS Premium console and choose Investigation > Log Analysis. On the page that appears, select a domain name and enter the following query statement to view the attack warning logs related to Intelligent Protection:
Note: Replace test.aliyundemo.com with the actual website domain.
matched_host:"test.aliyundemo.com" and cc_action:alarm
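
The review of Warning-mode hits recommended above can also be done offline on exported logs. The following script is an added example, not part of the original documentation or the product: it applies the same filter as the query above to records exported one JSON object per line, counts hits per source, and lists hits from networks you trust, which are the requests that Defense mode would have blocked. The export format, the field names real_client_ip and request_uri, the trusted network, and all sample records are assumptions constructed for illustration.

```python
import json
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample export (one JSON record per line). matched_host and cc_action
# come from the page's query; real_client_ip and request_uri are assumed field names.
SAMPLE_EXPORT = """\
{"matched_host": "test.aliyundemo.com", "cc_action": "alarm", "real_client_ip": "203.0.113.7", "request_uri": "/login"}
{"matched_host": "test.aliyundemo.com", "cc_action": "alarm", "real_client_ip": "203.0.113.7", "request_uri": "/login"}
{"matched_host": "test.aliyundemo.com", "cc_action": "alarm", "real_client_ip": "203.0.113.7", "request_uri": "/login"}
{"matched_host": "test.aliyundemo.com", "cc_action": "alarm", "real_client_ip": "198.51.100.20", "request_uri": "/healthz"}
{"matched_host": "test.aliyundemo.com", "cc_action": "none", "real_client_ip": "192.0.2.10", "request_uri": "/"}
{"matched_host": "other.aliyundemo.com", "cc_action": "alarm", "real_client_ip": "203.0.113.9", "request_uri": "/"}
truncated-line-not-json
"""


def warning_hits(lines, host):
    """Yield records matching: matched_host:"<host>" and cc_action:alarm."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or damaged export lines
        if isinstance(rec, dict) and rec.get("matched_host") == host and rec.get("cc_action") == "alarm":
            yield rec


def review_warnings(lines, host, trusted_networks):
    """Summarise Warning-mode hits and flag any that came from trusted sources."""
    nets = [ip_network(n) for n in trusted_networks]
    per_source, trusted_hits = Counter(), []
    for rec in warning_hits(lines, host):
        source = rec.get("real_client_ip", "")
        per_source[source] += 1
        try:
            addr = ip_address(source)
        except ValueError:
            continue  # counted above, but cannot be matched against a network
        if any(addr.version == n.version and addr in n for n in nets):
            trusted_hits.append((source, rec.get("request_uri")))
    return {
        "total": sum(per_source.values()),
        "top_sources": per_source.most_common(3),
        "trusted_hits": trusted_hits,  # requests Defense mode would have blocked
    }


if __name__ == "__main__":
    print(review_warnings(SAMPLE_EXPORT.splitlines(), "test.aliyundemo.com", ["198.51.100.0/24"]))
```

An empty trusted_hits list over a representative observation window is the signal to look for before switching the mode to Defense.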