Use the intelligent protection feature

Configure a policy for the intelligent protection feature

1. Log on to the Anti-DDoS Pro console.
2. In the top navigation bar, select the region where your instance resides.
   • Mainland China: If you select this region, the Anti-DDoS Pro console appears.
   • Outside Mainland China: If you select this region, the Anti-DDoS Premium console appears.
   You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
3. In the left-side navigation pane, choose Mitigation Settings > General Policies.
4. On the General Policies page, click the Protection for Website Services tab. On the tab that appears, select a specific domain name from the list in the left side.
5. In the Intelligent Protection section, click Modify.
6. In the Intelligent Protection dialog box, configure Mode and Level, and turn on Status.
   • Mode: Set this parameter to Warning or Defense.
     This feature supports the following protection modes:

     • Warning: In this mode, when Anti-DDoS Pro or Anti-DDoS Premium detects malicious requests, Anti-DDoS Pro or Anti-DDoS Premium records the attacks but does not block the requests. You can use this mode to learn how the feature safeguards your website.

       You can use this mode and the Log Analysis feature to query warnings recorded by the feature and verify the protection capabilities of the feature. For more information, see View attack warning logs.

     • Defense: In this mode, when Anti-DDoS Pro or Anti-DDoS Premium detects malicious requests, Anti-DDoS Pro or Anti-DDoS Premium applies accurate access control rules to block the malicious requests.
       Note The feature uses accurate access control rules to trigger actions. To make sure that the feature works as expected, you must enable Accurate Access Control. For more information, see Configure accurate access control rules.

       We recommend that you use the Warning mode and the Log Analysis feature to analyze the attack logs. For this policy to take effect, enable the Defense mode only when the feature works as expected.

   • Level: Set this parameter to Low, Normal, or Strict.
     If you enable the feature, you can select a value for Level based on your business requirements. The following table describes the protection levels provided by the feature.

     Level	Effect	Scenario
     Low	Blocks specific attacks and allows normal requests.	Large websites that have high processing capabilities, and specific scenarios such as sales promotions
     Normal (recommended)	Does not process requests in most cases. When Anti-DDoS Pro or Anti-DDoS Premium detects traffic that poses a threat to the protected website, Anti-DDoS Pro or Anti-DDoS Premium protects the website and minimizes the negative impacts on the website.	Scenarios in which the number of requests does not greatly fluctuate and the servers have additional resources other than managing normal network traffic
     Strict	Strictly and intelligently blocks attacks. However, normal requests may also be blocked.	Websites that do not have sufficient processing or protection capabilities

   After the feature is enabled, Anti-DDoS Pro or Anti-DDoS Premium automatically generates accurate access control rules when Anti-DDoS Pro or Anti-DDoS Premium detects malicious attacks. You can view the rules in the Accurate Access Control section.

View accurate access control rules

1. Log on to the Anti-DDoS Pro console.
2. In the top navigation bar, select the region where your instance resides.
   • Mainland China: If you select this region, the Anti-DDoS Pro console appears.
   • Outside Mainland China: If you select this region, the Anti-DDoS Premium console appears.
   You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
3. In the left-side navigation pane, choose Mitigation Settings > General Policies.
4. On the General Policies page, click the Protection for Website Services tab. Select the required domain name from the list on the left side.
5. In the Accurate Access Control section, click Change Settings.
6. On the Accurate Access Control page, view the rules that start with smartcc_.
   Accurate access control rules created by Intelligent Protection start with smartcc_. Compared with custom accurate access control rules, the accurate access control rules created by the feature have the following characteristics:

   • The action of a rule may be warning. In Warning mode, the action specified in an accurate access control rule that is created by the feature is warning. In this case, Anti-DDoS Pro or Anti-DDoS Premium records attacks but does not block attacks.
   • Each rule has a validity period. After a rule expires, the rule becomes invalid and is automatically deleted.
   • Rules cannot be manually deleted. If you disable the feature, rules created by the feature are immediately deleted.

View attack warning logs

After the feature is enabled for your website, the Log Analysis feature records detected attacks that trigger the accurate access control rules. You can query the attack warning logs that are associated with the accurate access control rules on the Log Analysis page. This allows you to check the performance levels of the feature.

Queries

matched_host:"test.aliyundemo.com" and cc_action:alarm

Modify the policy for the intelligent protection feature

In the following business scenarios, we recommend that you modify the policy for the intelligent protection feature. This helps the feature learn traffic patterns to prevent false positives.