After you add the IP addresses of your cloud services to your Anti-DDoS Origin Enterprise instance, you can configure policies based on your business requirements to allow or deny requests that have specific characteristics. This better protects your cloud services against DDoS attacks.
Prerequisites
- An Anti-DDoS Origin Enterprise instance is purchased.
For more information, see Purchase an Anti-DDoS Origin Enterprise instance.
Note: The Mitigation Settings feature that provides the policy configuration function is in public preview and is free of charge. It is available only if you have purchased an Anti-DDoS Origin Enterprise instance. If you want to enable this feature, submit a ticket.
- The IP addresses of your cloud services are added to the Anti-DDoS Origin Enterprise instance.
For more information, see Add a cloud service to Anti-DDoS Origin Enterprise for protection.
Procedure overview
If you are using the policy configuration function for the first time, perform the following steps:
- Create a policy template. For more information, see Select or create a policy template.
- Add cloud services to the policy template. The policy template is applied to the added cloud services. For more information, see Add cloud services to the policy template.
- Configure specific policies in the template. After you configure the policies, they take effect on the cloud services that you added in the preceding step.
The following table describes the supported policies.
| Policy | Description | Configuration |
| --- | --- | --- |
| ICMP Blocking | Denies ICMP requests during traffic scrubbing. This protects the origin server against scans and helps mitigate ICMP flood attacks. | Turn on or off Status of ICMP Blocking. After you enable this policy, ICMP requests are denied. Note: This policy takes effect on the IP addresses in the whitelist. ICMP requests from these IP addresses are also denied. For more information, see Configure the ICMP Blocking policy. |
| Source Port Blocking | Denies UDP or TCP requests on specific source or destination ports to mitigate UDP reflection attacks. | Configure the protocols and ports for which requests are denied. After you enable this policy, requests that use the specified protocols and ports are denied. For more information, see Configure the Source Port Blocking policy. |
| Blacklist and Whitelist | Denies or allows requests from specific source IP addresses. | Configure the IP address blacklist and whitelist. After you enable this policy, requests from the IP addresses included in the blacklist are denied, and requests from the IP addresses included in the whitelist are allowed. For more information, see Configure the Blacklist and Whitelist policy. |
| Byte-Match Filter | Matches bytes in the content of specific packets to rate-limit, deny, or allow requests when the instance is scrubbing traffic. | Specify Byte-Match Filter rules to match the required bytes. If requests contain the matching bytes, the requests are denied, allowed, or rate-limited based on the policy. For more information, see Configure the Byte-Match Filter policy. |