Configure policies - Anti-DDoS Origin User Guide| Alibaba Cloud Documentation Center

After you add the IP addresses of your cloud services to your Anti-DDoS Origin Enterprise instance, you can configure policies based on your business requirements to allow or deny requests that have specific characteristics. This better protects your cloud services against DDoS attacks.

Prerequisites

An Anti-DDoS Origin Enterprise instance is purchased.
For more information, see Purchase an Anti-DDoS Origin Enterprise instance.

Note The Mitigation Settings feature that provides the policy configuration function is in public preview and is free of charge. It is available only if you have purchased an Anti-DDoS Origin Enterprise instance. If you want to enable this feature, submit a ticket.
The IP addresses of your cloud services are added to the Anti-DDoS Origin Enterprise instance.
For more information, see Add a cloud service to Anti-DDoS Origin Enterprise for protection.

Procedure overview

If this is the first time for you to use the policy configuration function, perform the following steps:

Create a policy template. For more information, see Select or create a policy template.
Add cloud services to the policy template. The policy template is applied to the added cloud services. For more information, see Add cloud services to the policy template.

Configure specific policies in the template. After you configure the policies, they take effect on the cloud services that you added in the preceding step.

The following table describes the supported policies.


Policy	Description	Configuration
ICMP Blocking	Denies ICMP requests during traffic scrubbing. This protects the origin server against scans and helps mitigate ICMP flood attacks.	Turn on or off Status of ICMP Blocking. After you enable this policy, ICMP requests are denied. Note This policy takes effect on the IP addresses in the whitelist. ICMP requests from these IP addresses are also denied. For more information, see Configure the ICMP Blocking policy.
Source Port Blocking	Denies requests from the UDP or TCP protocol over the source or destination ports to mitigate UDP reflection attacks.	Configure the protocols and ports to deny requests. After you enable this policy, requests from the specified protocol and ports are denied. For more information, see Configure the Source Port Blocking policy.
Blacklist and Whitelist	Denies or allows requests from specific source IP addresses.	Configure the IP address blacklist and whitelist. After you enable this policy, requests from the IP addresses included in the blacklist are denied, and requests from the IP addresses included in the whitelist are allowed. For more information, see Configure the Blacklist and Whitelist policy.
Byte-Match Filter	Matches bytes for the content of specific packets to limit the rates of, deny, or allow requests when the instance is scrubbing traffic.	Specify Byte-Match Filter rules to match the required bytes. If requests contain the matching bytes, the requests are denied, allowed, or limited based on the policy. For more information, see Configure the Byte-Match Filter policy.

Procedure

Log on to the Anti-DDoS console.
In the left-side navigation pane, choose Anti-DDoS Origin > Mitigation Settings.
Click the Policy Configuration tab.
Select or create a policy template.
- If you have created policy templates, click the required policy template below Policy Template.
- If you have not created policy templates, perform the following steps to create a policy template:
1. Click Create Policy next to Policy Template.
2. In the Add dialog box, specify Policy Name and click OK.
  After you create the policy template, it is automatically selected.

Add cloud services to the policy template.

In the Target assets section on the right, click Add IP Addresses.

In the Add IP Addresses dialog box, select the IP addresses of the required cloud service to apply the policy template.


Parameter	Description
Region	The region of the cloud service whose IP addresses you want to add to the Anti-DDoS Origin Enterprise instance.
Instance	The Anti-DDoS Origin Enterprise instance to which you want to add the IP addresses.
IP Address	The IP addresses of the required cloud service. Note An IP address can be added to only one policy template. If an IP address is already added to a different policy template, you cannot select it.

Click OK.

After you add the IP addresses, requests from these IP addresses are processed based on the policies in this template. By default, no policies are enabled in the created policy template. You must configure specific policies to deny or allow specific requests.

You can click Remove to remove the IP addresses of cloud services from the Target assets section.

Optional:Configure the ICMP Blocking policy.
To enable or disable the ICMP Blocking policy, perform the following steps:
1. On the Policy Configuration tab, turn on or off Status for the ICMP Blocking option.
2. In the Ok dialog box, click OK.

Optional:Configure the Source Port Blocking policy.

To configure the Source Port Blocking policy, perform the following steps:

On the Policy Configuration tab, click Configure for the Source Port Blocking option.
In the Configure Source Port Blocking panel, click Add.

Note You can add a maximum of eight port blocking rules.

In the Add Port dialog box, configure the following parameters.


Parameter	Description
Protocol	The protocol for blocking. Valid values: TCP and UDP.
Type	The type of port for blocking. Valid values: Source Port and Destination Port.
Port Range	The range of ports for blocking. Valid values: 1 to 65535. Note Make sure that the port ranges of two port blocking rules that have the same protocol and port type do not overlap.
Action	The action that is triggered by requests from the specified protocol and ports. The value is fixed as Block.

Click OK.
After you add a port blocking rule, it automatically takes effect. Requests from the specified protocol and ports are denied. You can manage configured port blocking rules in the Configure Source Port Blocking panel. For example, you can click Edit or Delete to edit or delete a port blocking rule.

Optional:Configure the Blacklist and Whitelist policy.
To configure the Blacklist and Whitelist policy, perform the following steps:
1. On the Policy Configuration tab, click Configure for the Blacklist and Whitelist option.
2. In the Blacklist and Whitelist panel, click Add IP Addresses.
3. In the Add IP Addresses dialog box, configure the blacklist and whitelist.
  You can add a maximum of 10,000 IP addresses to the blacklist and a maximum of 10,000 IP addresses to the whitelist. Separate multiple IP addresses with spaces or line breaks.
4. Click OK.
  After you configure the Blacklist and Whitelist policy, it immediately takes effect. Requests from the IP addresses included in the blacklist are denied, and requests from the IP addresses included in the whitelist are allowed. You can manage the configured blacklist and whitelist in the Blacklist and Whitelist panel. For example, you can click Delete to delete an IP address or click Clear to clear the blacklist or whitelist.

Optional:Configure the Byte-Match Filter policy.

To configure the Byte-Match Filter policy, perform the following steps:

On the Policy Configuration tab, click Configure for the Byte-Match Filter option.
In the Configure Byte-Match Filter panel, click Add.

Note You can add a maximum of eight Byte-Match Filter rules.

In the Add Byte-Match Filter Rule dialog box, configure the following parameters.


Parameter	Description
Protocol	The type of the protocol. Valid values: TCP and UDP.
Source Port Range	The range of source ports. Valid values: 1 to 65535.
Destination Port Range	The range of destination ports. Valid values: 1 to 65535.
Packet Length Range	The range of packet lengths. Valid values: 1 to 1500. Unit: bytes.
Offset	The offset of bytes in UDP or TCP packets. Valid values: 0 to 1500. Unit: bytes. If you set the offset to 0, the system starts matching from the first byte.
Payload	The matching payload of UDP or TCP packets. You must enter a hexadecimal string that starts with 0x.
Action	The action that is triggered by the matching requests. Valid values: Allow, Block, Limit Bandwidth of Source IP Address, and Limit Bandwidth of Session. If you select Limit Bandwidth of Source IP Address or Limit Bandwidth of Session, you must set Bandwidth. Valid values of Bandwidth: 1 to 100000.

Click OK.
After you configure the Byte-Match Filter policy, it automatically takes effect. Requests that meet the rules are denied, allowed, or limited based on the policy. You can manage the Byte-Match Filter rules in the Configure Byte-Match Filter panel. For example, you can click Edit, Delete, Move Down, or Move Up to manage the rules.

Note You can adjust the order of rules for better management. The adjustment does not affect the rules.