If you want to use Anti-DDoS Pro or Anti-DDoS Premium to protect your UDP service, we recommend that you use the UDP Reflection Attacks Protection feature. You can use this feature to configure filtering policies with a few clicks. Anti-DDoS Pro or Anti-DDoS Premium then discards the UDP traffic over specific ports based on the policies, which mitigates UDP reflection attacks. This topic describes how to use the feature.

Prerequisites

  • An Anti-DDoS Pro or Anti-DDoS Premium instance that uses the Enhanced function plan is purchased. For more information, see Purchase mitigation plans for Anti-DDoS Pro and Anti-DDoS Premium.

    The feature is available only for an Anti-DDoS Pro or Anti-DDoS Premium instance that uses the Enhanced function plan. If you use an Anti-DDoS Pro or Anti-DDoS Premium instance that uses the Standard function plan, you must upgrade your instance before you can use the feature. For more information, see Upgrade the specifications of an Anti-DDoS Pro or Anti-DDoS Premium instance.

  • A forwarding rule over UDP is created on the Port Config page. For more information, see Create forwarding rules.

    The feature takes effect only on UDP traffic. Therefore, you can enable the feature only after you add your UDP service to Anti-DDoS Pro or Anti-DDoS Premium.

    If you do not create a forwarding rule or create only forwarding rules over TCP on the Port Config page, Anti-DDoS Pro or Anti-DDoS Premium discards all UDP traffic by default. In this situation, you do not need to configure the feature.

Procedure

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region where your instance resides.
    • Mainland China: If you select this region, the Anti-DDoS Pro console appears.
    • Outside Mainland China: If you select this region, the Anti-DDoS Premium console appears.
    You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
  3. In the left-side navigation pane, choose Mitigation Settings > General Policies.
  4. On the Protection for Infrastructure tab, select the instance for which you want to configure the feature from the list on the left.
    You can search for the instance based on the instance ID or description.
  5. In the UDP Reflection Attacks Protection (For instance IP) section, click Change Settings.
    Notice: The feature is available only for an Anti-DDoS Pro or Anti-DDoS Premium instance that uses the Enhanced function plan. If you use an Anti-DDoS Pro or Anti-DDoS Premium instance that uses the Standard function plan, click Upgrade to Enhanced to upgrade your instance.
  6. In the UDP reflection attacks mitigation settings panel, configure filtering policies to specify ports over which UDP reflection attacks may be launched.
    After the filtering policies are configured, Anti-DDoS Pro or Anti-DDoS Premium discards the UDP traffic from the specified ports. If you configure forwarding rules over UDP for multiple UDP services, the filtering policies take effect on all the UDP services.

    You can use one of the following methods to configure filtering policies based on your business requirements:

    • One-click mitigation policy: Select policies from the list in the One-click mitigation policy section. We recommend that you use this method.

      Each policy corresponds to a common type of UDP reflection attack and the port over which that attack is launched. We recommend that you select all policies in the list to mitigate UDP reflection attacks that are launched over the ports.

    • Custom mitigation policies: In the Reflection source ports list field of the Custom mitigation policies section, enter the ports over which you want Anti-DDoS Pro or Anti-DDoS Premium to discard the UDP traffic. Each port must be in the range from 0 to 65535. You can enter up to 20 ports. Separate multiple ports with commas (,).

      You can use this method to configure filtering policies only for ports that are not in the list of the One-click mitigation policy section.

  7. Click OK.
    After filtering policies are configured, Anti-DDoS Pro or Anti-DDoS Premium discards the UDP traffic over the ports that are specified in the filtering policies. This way, your UDP service is protected against UDP reflection attacks. You can modify the filtering policies in the Anti-DDoS Pro or Anti-DDoS Premium console based on your business requirements.
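
An added example, not part of the product documentation: a Python helper that derives a candidate value for the Reflection source ports list field in step 6 from inbound UDP flow records and checks it against the limits stated there (ports 0 to 65535, at most 20, comma-separated). The flow tuples, the `already_covered` and `legit_sources` sets and the `min_share` threshold are assumptions constructed for illustration.

```python
from collections import Counter

MAX_PORTS = 20                   # page: up to 20 ports
PORT_MIN, PORT_MAX = 0, 65535    # page: allowed port range

def parse_port_list(text):
    """Validate a comma-separated port list against the field's limits."""
    ports = []
    for item in text.split(","):
        item = item.strip()
        if not (item.isascii() and item.isdigit()):
            raise ValueError(f"not a port number: {item!r}")
        port = int(item)
        if not PORT_MIN <= port <= PORT_MAX:
            raise ValueError(f"port out of range: {port}")
        if port not in ports:
            ports.append(port)
    if len(ports) > MAX_PORTS:
        raise ValueError(f"{len(ports)} ports given, limit is {MAX_PORTS}")
    return ports

def build_custom_list(flows, already_covered, legit_sources, min_share=0.02):
    """Rank inbound UDP source ports by bytes and return the field value.

    flows: (udp_source_port, bytes) tuples for traffic reaching the instance.
    already_covered: ports handled by policies selected in the one-click list.
    legit_sources: source ports the service expects replies from; filtering
    them would drop wanted traffic, so they are never proposed.
    """
    volume = Counter()
    for sport, nbytes in flows:
        volume[sport] += nbytes
    total = sum(volume.values())
    picked = []
    for port, nbytes in volume.most_common():
        if total == 0 or nbytes / total < min_share:
            break                # remaining ports carry too little traffic
        if port not in already_covered and port not in legit_sources:
            picked.append(port)
    value = ",".join(str(p) for p in picked[:MAX_PORTS])
    if value:
        parse_port_list(value)   # re-check range and count before pasting
    return value

# Constructed sample: (source port, bytes) records, not real traffic.
SAMPLE_FLOWS = [(123, 400000), (11211, 900000), (53, 50000),
                (3702, 300000), (40000, 1000), (11211, 100000)]

if __name__ == "__main__":
    # Assumed: 123 is already selected in the one-click list, 53 is legitimate.
    print(build_custom_list(SAMPLE_FLOWS, {123}, {53}))
```

Because the filter matches on source port, keep any port your service legitimately receives replies from in `legit_sources` before applying the result.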