Both Anti-DDoS Pro and Anti-DDoS Premium allow you to configure the Frequency Control policy for protected website services. You can use this policy to control the frequency of requests sent to your website from specific IP addresses. Frequency Control takes effect immediately after it is enabled. By default, the Normal mode is used to protect website services against common HTTP flood attacks. Frequency Control supports multiple modes for different scenarios. You can also create custom frequency control rules to prevent a specific IP address from frequently visiting a page in a short period of time.

Prerequisites

  • A website is added to Anti-DDoS Pro or Anti-DDoS Premium. For more information, see Add a website.
  • Protection settings in Anti-DDoS Pro or Anti-DDoS Premium of the latest version are enabled.

Background information

Notice: In the top navigation bar of the Anti-DDoS Pro or Anti-DDoS Premium console, you can switch the region (Mainland China or Outside Mainland China). The console switches between Anti-DDoS Pro and Anti-DDoS Premium accordingly so that you can manage and configure the corresponding instances. Make sure that you switch to the required region before you use Anti-DDoS Pro or Anti-DDoS Premium.

After you set up an Anti-DDoS Pro or Anti-DDoS Premium instance to protect your website service, you can enable Frequency Control to protect the website against HTTP flood attacks. Frequency Control supports multiple modes and allows you to adjust the mode in real time based on the traffic status of the website.

  • Normal: We recommend that you use this mode if the website traffic is normal. By default, this mode is used. In this mode, Frequency Control protects websites against common HTTP flood attacks but does not block normal requests.
  • Emergency: You can enable this mode when you detect HTTP response errors, traffic anomalies, or CPU and memory usage spikes. The Emergency mode provides relatively rigorous protection compared to the Normal mode. In this mode, Frequency Control protects websites against more complicated HTTP flood attacks but may block a few normal requests.
  • Strict: This mode provides rigorous protection. It uses Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) to verify the identities of all visitors. Only verified visitors are allowed to access the website.
    Note: The CAPTCHA verification mechanism of this mode allows requests that are initiated by real users from browsers. However, if the protected website provides API or native application services, requests to those services cannot pass the verification and fail.
  • Super Strict: This mode provides the most rigorous protection against HTTP flood attacks. It uses CAPTCHA to verify the identities of all visitors. Only verified visitors are allowed to access the website. Compared to the Strict mode, this mode combines CAPTCHA verification with anti-debugging and anti-machine verification technologies to enhance the protection of your website.
    Note: The CAPTCHA verification mechanism of this mode allows requests that are initiated by real users from browsers. Exceptions may occur in some browsers and cause the website to be inaccessible. In this case, you can restart the browser and revisit the website. However, if the protected website provides API or native application services, requests to those services cannot pass the verification and fail.

In addition to the protection modes, Frequency Control also allows you to create custom rules to block attacks more precisely. You can create a custom rule to protect a specific URL. After a custom rule is created, the specified IP address cannot frequently access the URL in a short period of time.

Configure a frequency control mode

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region of your Anti-DDoS instance.
    • Mainland China: Anti-DDoS Pro
    • Outside Mainland China: Anti-DDoS Premium
  3. In the left-side navigation pane, choose Mitigation Settings > General Policies.
  4. On the General Policies page, click the Protection for Website Services tab. On the tab that appears, select the target domain name from the list on the left side.
  5. In the Frequency Control section, set Preset Mode as required and turn on Status. Supported modes include Normal, Emergency, Strict, and Super Strict.

Create a custom frequency control rule

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region of your Anti-DDoS instance.
    • Mainland China: Anti-DDoS Pro
    • Outside Mainland China: Anti-DDoS Premium
  3. In the left-side navigation pane, choose Mitigation Settings > General Policies.
  4. On the General Policies page, click the Protection for Website Services tab. On the tab that appears, select the target domain name from the list on the left side.
  5. In the Frequency Control section, turn on Custom Rule and then click Change Settings.
  6. Create a frequency control rule for a domain name.
    • Create a rule
      1. Click Create Rule.
        Note: A maximum of 20 rules can be created. If the number of rules reaches the upper limit, the Create Rule button is dimmed.
      2. In the Create Rule dialog box, specify the required parameters and then click OK.
        Configuration: Description
        • Name: The name of this rule.
        • URI: The URI path to be protected. For example, /register. The path can contain parameters connected by "?". For example, you can use /user?action=login.
        • Matching rule:
          • Exact Match: A request is counted only if its URI is exactly the same as the URI configured here.
          • URI Path Match: A request is counted if its URI starts with the URI configured here. For example, /register.html is counted if you use /register as the URI.
        • Interval: The period over which the number of visits is counted. It works together with Visits from a single IP address.
        • Visits from a single IP address: The number of visits allowed from a single source IP address to the URL during the Interval.
        • Blocking type: The action to be performed after the condition is met. The action can be Block or Human-Machine Identification.
          • Block: blocks access from the client after the condition is met.
          • Human-Machine Identification: responds to the client with a redirect for verification after the condition is met. Only verified requests are forwarded to the origin.

      You can create multiple rules as required.

    • Edit a rule
      1. In the rule list, find the target rule and click Edit in the Actions column.
      2. In the Edit Rule dialog box, modify the settings and click OK. Specify the parameters in the same way as when you create a rule. However, you cannot change Name and URI.
    • Delete a rule
      1. In the rule list, find the target rule and click Delete in the Actions column.
      2. In the message that appears, click OK.
  7. Go back to the Frequency Control section and turn on Status to apply the rule.
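
The following added example (not Alibaba Cloud code, and not a description of how the service is implemented) models the custom rule parameters above so you can see which source IP addresses a rule would act on before you enable it. The fixed-window counting, the "prefix"/"exact"/"challenge" labels, the rule names, and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    uri: str          # e.g. "/register"
    match: str        # "exact" (Exact Match) or "prefix" (URI Path Match)
    interval: int     # Interval, in seconds
    max_visits: int   # Visits from a single IP address
    action: str       # "block" or "challenge" (Human-Machine Identification)

    def matches(self, request_uri: str) -> bool:
        if self.match == "exact":
            return request_uri == self.uri
        return request_uri.startswith(self.uri)

def evaluate(rule, requests):
    """Return {ip: (timestamp_of_first_trigger, action)}.

    Assumptions: fixed windows of rule.interval seconds, and the action
    fires on the first request that exceeds max_visits in a window.
    """
    counts = defaultdict(int)
    triggered = {}
    for ts, ip, uri in sorted(requests):
        if not rule.matches(uri):
            continue
        counts[(ip, ts // rule.interval)] += 1
        if counts[(ip, ts // rule.interval)] > rule.max_visits:
            triggered.setdefault(ip, (ts, rule.action))
    return triggered

# Constructed sample traffic: (unix_ts, source_ip, request_uri)
SAMPLE = (
    [(t, "198.51.100.7", "/register") for t in range(6)]
    + [(t, "203.0.113.9", "/register.html") for t in (0, 2, 4, 6, 8, 9)]
    + [(t, "192.0.2.10", "/register") for t in (1, 11, 21)]
)

PREFIX_RULE = Rule("reg-prefix", "/register", "prefix", 10, 5, "challenge")
EXACT_RULE = Rule("reg-exact", "/register", "exact", 10, 5, "block")

if __name__ == "__main__":
    for rule in (PREFIX_RULE, EXACT_RULE):
        print(rule.name, evaluate(rule, SAMPLE))
```

Replaying your own access log entries through a model like this helps you choose Interval and Visits from a single IP address values that do not catch legitimate clients, such as many users behind one NAT address.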

Best practices

The protection intensities provided by different protection modes are listed in descending order: Super Strict > Strict > Emergency > Normal. The probabilities of false positives when you use these protection modes are listed in descending order: Super Strict > Strict > Emergency > Normal.

In normal situations, we recommend that you use the Normal mode for your protected website. In this mode, Frequency Control only blocks IP addresses that frequently send requests to your website. We recommend that you use the Emergency or Strict mode when your website is overwhelmed by HTTP flood attacks and the Normal mode fails to protect your website.

If your website provides API or native application services and the Strict or Super Strict mode is enabled, requests to the website cannot pass the verification. Therefore, these two modes are not suitable to protect this kind of website. You must create custom rules to protect specific URLs from HTTP flood attacks.