After you add the IP addresses of your cloud services to your Anti-DDoS Origin Enterprise instance, you can configure policies based on your business requirements to allow or deny requests that have specific characteristics. This better protects your cloud services against distributed denial-of-service (DDoS) attacks.

Prerequisites

Procedure overview

If this is the first time you use the policy configuration feature, perform the following steps:

  1. Create a policy template. For more information, see Select or create a policy template.
  2. Add cloud services to the policy template. The policy template is applied to the added cloud services. For more information, see Add cloud services to the policy template.
  3. Configure specific policies in the template. After you configure the policies, the policies take effect on the cloud services that you added in the preceding step.

    The following policies are supported:

    • ICMP Blocking
      Description: Denies Internet Control Message Protocol (ICMP) requests while the instance is scrubbing traffic. This protects the origin server against ICMP-based scans and helps mitigate ICMP flood attacks.
      Configuration: Turn on or off Status of ICMP Blocking. After you enable this policy, ICMP requests are denied.
      Note This policy also applies to the IP addresses in the whitelist: ICMP requests from whitelisted IP addresses are denied as well.
      For more information, see Configure the ICMP Blocking policy.
    • Source Port Blocking
      Description: Denies User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) requests whose source port or destination port falls within a specified range. This is mainly used to mitigate UDP reflection attacks, whose traffic arrives from the well-known source ports of the abused services.
      Configuration: Specify the protocol, the port type, and the port range to deny. After you enable this policy, requests are denied based on the specified protocol and ports.
      For more information, see Configure the Source Port Blocking policy.
    • Blacklist and Whitelist
      Description: Denies or allows requests from specific source IP addresses.
      Configuration: Configure the IP address blacklist and whitelist. After you enable this policy, requests from the IP addresses in the blacklist are denied, and requests from the IP addresses in the whitelist are allowed.
      For more information, see Configure the Blacklist and Whitelist policy.
    • Byte-Match Filter
      Description: Matches a byte pattern at a specified offset in TCP or UDP packets and denies, allows, or rate-limits the matching requests while the instance is scrubbing traffic.
      Configuration: Specify Byte-Match Filter rules that describe the bytes to match. Requests that contain the matching bytes are denied, allowed, or rate-limited based on the action of the rule.
      For more information, see Configure the Byte-Match Filter policy.

Procedure

  1. Log on to the Traffic Security console.
  2. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Mitigation Settings.
  3. Click the Policy Configuration tab.
  4. Select or create a policy template.
    • If you have created policy templates, click the required policy template below Policy Template.
    • If you have not created policy templates, perform the following steps to create a policy template:
    1. Click Create Policy next to Policy Template.
    2. In the Add dialog box, specify Policy Name and click OK.
      After you create the policy template, the template is automatically selected.
  5. Add cloud services to the policy template.
    1. In the Target assets section on the right, click Add IP Addresses.
    2. In the Add IP Addresses dialog box, select the IP addresses of the cloud service to which you want to apply the policy template.
      Parameter Description
      Region The region of the cloud service whose IP addresses you want to add to the Anti-DDoS Origin Enterprise instance.
      Instance The Anti-DDoS Origin Enterprise instance to which you want to add the IP addresses.
      IP Address The IP addresses of the cloud service.
      Note An IP address can be added to only one policy template. You cannot select an IP address that is added to a different policy template.
    3. Click OK.
    After you add the IP addresses, requests to the IP addresses are processed based on the policies in this template. By default, no policies are enabled in the newly created policy template. You must configure specific policies to deny or allow specific requests.

    You can click Remove to remove the IP addresses of cloud services from the Target assets section.

  6. Optional: Configure the ICMP Blocking policy.
    To enable or disable the ICMP Blocking policy, perform the following steps:
    1. On the Policy Configuration tab, turn on or off Status for the ICMP Blocking option.
    2. In the dialog box that appears, click OK to confirm the change.
  7. Optional: Configure the Source Port Blocking policy.
    To configure the Source Port Blocking policy, perform the following steps:
    1. On the Policy Configuration tab, click Configure for the Source Port Blocking option.
    2. In the Configure Source Port Blocking panel, click Add.
      Note You can add a maximum of eight port blocking rules.
    3. In the Add Port dialog box, configure the following parameters.
      Parameter Description
      Protocol The protocol of the requests that you want to block. Valid values: TCP and UDP.
      Type The type of port used by the requests that you want to block. Valid values: Source Port and Destination Port.
      Port Range The range of ports used by the requests that you want to block. Valid values: 1 to 65535.
      Note Make sure that the port ranges of two port blocking rules that have the same protocol and port type do not overlap.
      Action The action that is triggered by requests that use the specified protocol and ports. The value is fixed as Block.

      For more information about the recommended configurations of the Source Port Blocking policy, see Recommended configurations for the Source Port Blocking policy.

    4. Click OK.
      After you add a port blocking rule, the rule automatically takes effect. Requests that use the specified protocol and ports are denied. You can manage configured port blocking rules in the Configure Source Port Blocking panel. For example, you can click Edit or Delete to edit or delete a port blocking rule.
  8. Optional: Configure the Blacklist and Whitelist policy.
    To configure the Blacklist and Whitelist policy, perform the following steps:
    1. On the Policy Configuration tab, click Configure for the Blacklist and Whitelist option.
    2. In the Blacklist and Whitelist panel, click Add IP Addresses.
    3. In the Add IP Addresses dialog box, configure the blacklist and whitelist.
      You can add a maximum of 10,000 IP addresses to the blacklist and a maximum of 10,000 IP addresses to the whitelist. Separate multiple IP addresses with spaces or line feeds.
    4. Click OK.
      After you configure the Blacklist and Whitelist policy, the policy immediately takes effect. Requests from the IP addresses that are included in the blacklist are denied, and requests from the IP addresses that are included in the whitelist are allowed. You can manage the configured blacklist and whitelist in the Blacklist and Whitelist panel. For example, you can click Delete to delete an IP address or click Clear to clear the blacklist or whitelist.
  9. Optional: Configure the Byte-Match Filter policy.
    To configure the Byte-Match Filter policy, perform the following steps:
    1. On the Policy Configuration tab, click Configure for the Byte-Match Filter option.
    2. In the Configure Byte-Match Filter panel, click Add.
      Note You can add a maximum of eight Byte-Match Filter rules.
    3. In the Add Byte-Match Filter Rule dialog box, configure the following parameters.
      Parameter Description
      Protocol The type of the protocol. Valid values: TCP and UDP.
      Source Port Range The range of source ports. Valid values: 1 to 65535.
      Destination Port Range The range of destination ports. Valid values: 1 to 65535.
      Packet Length Range The range of packet lengths. Valid values: 1 to 1500. Unit: bytes.
      Offset The offset of bytes in UDP or TCP packets. Valid values: 0 to 1500. Unit: bytes.

      If you set the offset to 0, the system starts matching from the first byte.

      Payload The matching payload of UDP or TCP packets. You must enter a hexadecimal string that starts with 0x.
      Action The action that is triggered by the matching requests. Valid values: Allow, Block, Limit Bandwidth of Source IP Address, and Limit Bandwidth of Session.

      If you select Limit Bandwidth of Source IP Address or Limit Bandwidth of Session, you must specify Bandwidth. Valid values of Bandwidth: 1 to 100000.

    4. Click OK.
      After you configure the Byte-Match Filter policy, the policy automatically takes effect. Requests that meet the rules are denied, allowed, or limited based on the policy. You can manage the configured Byte-Match Filter rules in the Configure Byte-Match Filter panel. For example, you can click Edit, Delete, Move Down, or Move Up to manage the rules.
      Note You can reorder the rules to make them easier to manage. Reordering does not change how the rules take effect.
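The Byte-Match Filter parameters above (port ranges, packet length range, Offset, a 0x-prefixed Payload and an Action) are easier to reason about with a concrete match in front of you. The following Python model is an added example, not Alibaba Cloud's implementation: it validates a rule against the limits the console states, then decides whether a constructed packet matches, using Offset counted from the first inspected byte (offset 0 is the first byte, as the page says). The rules, sample packets and the assumption that Packet Length Range is compared with the length of the inspected bytes are all constructed for illustration.

```python
# Hypothetical model of Byte-Match Filter matching (added example, not Alibaba Cloud code).
# Assumptions: Offset is counted from the first inspected byte (0 = first byte), and
# Packet Length Range is compared with the length of the inspected bytes.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LIMIT_ACTIONS = {"Limit Bandwidth of Source IP Address", "Limit Bandwidth of Session"}
ACTIONS = {"Allow", "Block"} | LIMIT_ACTIONS
MAX_BYTE_MATCH_RULES = 8


@dataclass(frozen=True)
class ByteMatchRule:
    protocol: str                    # "TCP" or "UDP"
    src_ports: Tuple[int, int]       # Source Port Range, 1 to 65535
    dst_ports: Tuple[int, int]       # Destination Port Range, 1 to 65535
    length: Tuple[int, int]          # Packet Length Range in bytes, 1 to 1500
    offset: int                      # 0 to 1500; 0 matches from the first byte
    payload: str                     # hexadecimal string that starts with 0x
    action: str                      # one of ACTIONS
    bandwidth: Optional[int] = None  # 1 to 100000, required for the Limit actions


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_port: int
    dst_port: int
    data: bytes  # constructed sample bytes that the filter inspects


def parse_hex_payload(text: str) -> bytes:
    """Convert the console's 0x-prefixed hex string into the raw bytes to match."""
    if not text.lower().startswith("0x") or len(text) <= 2:
        raise ValueError("Payload must be a hexadecimal string that starts with 0x")
    return bytes.fromhex(text[2:])  # raises ValueError on odd length or bad digits


def validate_rule(rule: ByteMatchRule) -> List[str]:
    """Return the constraint violations the console would reject (empty if valid)."""
    problems = []
    if rule.protocol not in ("TCP", "UDP"):
        problems.append("Protocol must be TCP or UDP")
    for name, (lo, hi) in (("Source Port Range", rule.src_ports),
                           ("Destination Port Range", rule.dst_ports)):
        if not 1 <= lo <= hi <= 65535:
            problems.append(f"{name} must lie within 1 to 65535")
    if not 1 <= rule.length[0] <= rule.length[1] <= 1500:
        problems.append("Packet Length Range must lie within 1 to 1500")
    if not 0 <= rule.offset <= 1500:
        problems.append("Offset must lie within 0 to 1500")
    try:
        parse_hex_payload(rule.payload)
    except ValueError as exc:
        problems.append(str(exc))
    if rule.action not in ACTIONS:
        problems.append("Unknown Action")
    elif rule.action in LIMIT_ACTIONS and not (rule.bandwidth and 1 <= rule.bandwidth <= 100000):
        problems.append("Bandwidth (1 to 100000) is required for the Limit actions")
    return problems


def rule_matches(rule: ByteMatchRule, pkt: Packet) -> bool:
    """True if protocol, both port ranges, length range and the bytes at Offset all match."""
    if pkt.protocol != rule.protocol:
        return False
    if not rule.src_ports[0] <= pkt.src_port <= rule.src_ports[1]:
        return False
    if not rule.dst_ports[0] <= pkt.dst_port <= rule.dst_ports[1]:
        return False
    if not rule.length[0] <= len(pkt.data) <= rule.length[1]:
        return False
    needle = parse_hex_payload(rule.payload)
    return pkt.data[rule.offset:rule.offset + len(needle)] == needle  # short packets never match


def matching_actions(rules: List[ByteMatchRule], pkt: Packet) -> List[str]:
    """Actions of every rule that matches the packet, in the configured order."""
    return [r.action for r in rules if rule_matches(r, pkt)]


# Constructed samples: SSDP-style UDP traffic, the usual vehicle for 1900/udp reflection.
SAMPLE_RULES = [
    # "HTTP" at offset 0: block reflected "HTTP/1.1 200 OK" responses
    ByteMatchRule("UDP", (1, 65535), (1, 65535), (1, 1500), 0, "0x48545450", "Block"),
    # "HTTP" at offset 9, i.e. right after "NOTIFY * ": rate-limit NOTIFY floods per source
    ByteMatchRule("UDP", (1, 65535), (1, 65535), (1, 1500), 9, "0x48545450",
                  "Limit Bandwidth of Source IP Address", bandwidth=1000),
]
SAMPLE_PACKETS = {
    "ssdp_response": Packet("UDP", 1900, 40000, b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"),
    "ssdp_notify": Packet("UDP", 1900, 1900, b"NOTIFY * HTTP/1.1\r\nNTS: ssdp:alive\r\n"),
    "tcp_http": Packet("TCP", 443, 54321, b"HTTP/1.1 200 OK\r\n"),  # wrong protocol
}


def demo() -> Dict[str, List[str]]:
    """Validate the sample rules, then report which actions each sample packet triggers."""
    assert len(SAMPLE_RULES) <= MAX_BYTE_MATCH_RULES
    assert all(not validate_rule(r) for r in SAMPLE_RULES)
    return {name: matching_actions(SAMPLE_RULES, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, actions in demo().items():
        print(f"{name}: {actions or ['no rule matched']}")
```

The two sample rules use the same 0x48545450 payload ("HTTP") at different offsets, which is the point of Offset: the same bytes identify a reflected response at offset 0 and a NOTIFY flood at offset 9. The model reports every rule that matches rather than picking a winner, because the page does not state how conflicting rules are ranked.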

Recommended configurations for the Source Port Blocking policy

We recommend that you configure the Source Port Blocking policy based on the following description and your business requirements. For more information, see Configure the Source Port Blocking policy.

  • If the cloud services that are protected by Anti-DDoS Origin Enterprise do not provide UDP services, we recommend that you block all source UDP ports, that is, a UDP rule of the Source Port type with the port range 1 to 65535. Note that such a rule also drops inbound UDP responses to queries that your servers send out, for example DNS responses from source port 53, if those servers resolve names over UDP.
    The following figure shows the port configuration (figure: Block all source UDP ports).
  • If the cloud services that are protected by Anti-DDoS Origin Enterprise provide UDP services, we recommend that you block the common source ports that are exploited by UDP reflection attacks. The ports include ports 1 to 52, ports 54 to 161, port 389, port 1900, and port 11211. This list skips source port 53, so DNS responses to queries that your servers send out still reach them, but the range 54 to 161 covers source ports such as 123 (NTP) and 161 (SNMP), so inbound responses from those services to your servers' own queries are dropped as well.
    The following figure shows the port configuration (figure: Block common source ports that are exploited by UDP reflection attacks).
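Both recommendations above, and the constraints stated for port blocking rules in the procedure (at most eight rules, a port range of 1 to 65535, and no overlap between rules that share a protocol and port type), can be checked before anything is typed into the console. The following Python is an added example, not Alibaba Cloud's code: it encodes the two recommended rule sets as data, validates them against those constraints, and shows which constructed inbound UDP packets each set would drop. The packet samples are constructed; Action is fixed as Block, so it is not stored.

```python
# Added illustration of the Source Port Blocking recommendations (not Alibaba Cloud code).
from itertools import groupby
from typing import Dict, Iterable, List, NamedTuple

MAX_PORT_RULES = 8


class PortRule(NamedTuple):
    protocol: str   # "TCP" or "UDP"
    port_type: str  # "Source Port" or "Destination Port"
    lo: int         # Port Range start, 1 to 65535
    hi: int         # Port Range end, inclusive


# Origin provides no UDP service: block every source UDP port.
BLOCK_ALL_UDP_SOURCE = [PortRule("UDP", "Source Port", 1, 65535)]

# Origin provides UDP services: block the common reflection source ports.
# Source port 53 is left open so DNS responses to the origin's own queries pass.
BLOCK_REFLECTION_SOURCES = [
    PortRule("UDP", "Source Port", 1, 52),
    PortRule("UDP", "Source Port", 54, 161),       # includes 123 (NTP) and 161 (SNMP)
    PortRule("UDP", "Source Port", 389, 389),      # CLDAP
    PortRule("UDP", "Source Port", 1900, 1900),    # SSDP
    PortRule("UDP", "Source Port", 11211, 11211),  # memcached
]


def validate_rules(rules: List[PortRule]) -> List[str]:
    """Return every violation of the console's constraints (an empty list means valid)."""
    problems = []
    if len(rules) > MAX_PORT_RULES:
        problems.append(f"at most {MAX_PORT_RULES} port blocking rules are allowed")
    for r in rules:
        if r.protocol not in ("TCP", "UDP"):
            problems.append(f"{r}: Protocol must be TCP or UDP")
        if r.port_type not in ("Source Port", "Destination Port"):
            problems.append(f"{r}: Type must be Source Port or Destination Port")
        if not 1 <= r.lo <= r.hi <= 65535:
            problems.append(f"{r}: Port Range must lie within 1 to 65535")
    # Overlap is only forbidden between rules that share Protocol and Type.
    keyed = sorted(rules, key=lambda r: (r.protocol, r.port_type, r.lo))
    for _, group in groupby(keyed, key=lambda r: (r.protocol, r.port_type)):
        prev = None
        for r in group:
            if prev is not None and r.lo <= prev.hi:
                problems.append(f"{prev} overlaps {r}")
            prev = r
    return problems


def is_blocked(rules: Iterable[PortRule], protocol: str, src_port: int, dst_port: int) -> bool:
    """True if any rule matches the packet's protocol and the port its Type refers to."""
    for r in rules:
        port = src_port if r.port_type == "Source Port" else dst_port
        if r.protocol == protocol and r.lo <= port <= r.hi:
            return True
    return False


def evaluate(rules: List[PortRule]) -> Dict[str, bool]:
    """Apply a rule set to constructed inbound UDP packets (name -> dropped?)."""
    samples = {  # (source port, destination port) of constructed inbound UDP packets
        "dns_response": (53, 43210),
        "ntp_reflection": (123, 80),
        "snmp_reflection": (161, 80),
        "cldap_reflection": (389, 80),
        "ssdp_reflection": (1900, 80),
        "memcached_reflection": (11211, 80),
        "game_traffic": (27015, 27015),
    }
    return {name: is_blocked(rules, "UDP", s, d) for name, (s, d) in samples.items()}


if __name__ == "__main__":
    for label, rules in (("block all", BLOCK_ALL_UDP_SOURCE),
                         ("reflection ports", BLOCK_REFLECTION_SOURCES)):
        print(label, validate_rules(rules) or "valid", evaluate(rules))
```

Running it shows the trade-off between the two recommendations directly: the block-all set drops the dns_response sample, while the reflection-port set lets it through and still drops the NTP, SNMP, CLDAP, SSDP and memcached samples. The overlap check mirrors the console's rule that two ranges may only coexist when they differ in protocol or port type.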