
Anti-DDoS: Configure the HTTP flood mitigation feature

Last Updated: Mar 06, 2024

After you add your website to Anti-DDoS Proxy for protection, if HTTP flood attacks occur, you can perform feature analysis and configure rules based on HTTP request headers to identify and block HTTP flood attacks. The HTTP flood mitigation feature can be used in different scenarios, such as hotlink protection and protection of the website management system. This topic describes how to configure the HTTP flood mitigation feature.

Background information

HTTP flood attacks are common on the Internet. When HTTP flood attacks occur, a large number of requests are sent to a server, which overloads the server. As a result, the server stops responding to requests from users. You can configure access control rules or limit request rates to mitigate HTTP flood attacks in an effective manner.

Recommended scenarios

When HTTP flood attacks occur and the log analysis feature reveals obvious characteristics in the HTTP request headers, such as the same source IP addresses or the same fields in the URIs, we recommend that you use the HTTP flood mitigation feature to allow or block requests that have those characteristics. We recommend that you do not use the feature for daily protection.

Mitigation rules

If you turn off Rate Limiting when you create a rule, an accurate access control rule is created. If you turn on Rate Limiting, a frequency control rule is created. The system matches a request against accurate access control rules first and then frequency control rules. If a rule is hit, the matching stops.

Accurate access control rule

  • Description: When a request matches the condition of a rule, the request is processed based on the action that is specified by the rule.

  • Validity periods: You can select Permanent or Custom Valid Period for a rule. Valid values of Custom Valid Period: 5 to 120. Unit: minutes. Note: If you select Custom Valid Period, the rule is automatically deleted after the rule expires.

  • Matching logic: Matches all rules. If a request hits multiple rules, the request is processed based on the action specified in the rule that ranks highest. For example, if a request hits Rule 1 and Rule 2, the request is processed based on the action that is specified in Rule 1. Rule 1 is marked as 1 and Rule 2 is marked as 2 in the following figure.

  • Limits: You can configure up to 20 accurate access control rules for each domain name.

Frequency control rule

  • Description: When a request matches the condition of a rule and reaches the specified threshold during the specified statistical period, the request is processed based on the action that is specified in the rule.

  • Validity periods: A rule never expires.

  • Matching logic: Matches all rules. If a request hits multiple rules, the request is randomly processed based on the action specified in one of the rules.

  • Limits: You can configure up to 20 frequency control rules for each domain name.

Limits

You can configure up to 20 accurate access control rules for each domain name.

You can configure up to 20 frequency control rules for each domain name.

Cookie insertion

If you use Anti-DDoS Proxy to protect your website, cookies are inserted in the following scenarios:

  • Scenario 1: The HTTP flood mitigation feature is enabled.

    After you enable the HTTP flood mitigation feature, Anti-DDoS Proxy inserts cookies into the client of your website, such as a browser, to distinguish your client from other clients and collect statistics on your clients. When users visit your website, the inserted cookies are included in HTTP requests. Anti-DDoS Proxy checks whether HTTP flood attacks exist in traffic based on the statistics. If attacks occur, traffic scrubbing is triggered to mitigate the attacks. To disable the HTTP flood mitigation feature and prohibit cookies from being inserted, go to the Mitigation Settings > General Policies > Protection for Website Services tab. If you disable the HTTP flood mitigation feature, Anti-DDoS Proxy cannot proactively identify and protect against HTTP flood attacks.

  • Scenario 2: The Action parameter of a mitigation rule is set to JavaScript Challenge.

    After you set the Action parameter of a mitigation rule to JavaScript Challenge, cookies are inserted into HTTP requests to obtain the fingerprint of the browser on the client. The collected fingerprint includes the host field and the height and width of the browser. If access traffic hits the mitigation rule, Anti-DDoS Proxy performs CAPTCHA verification and checks whether HTTP flood attacks are launched from the client. To prohibit cookies from being inserted, go to the Mitigation Settings > General Policies > Protection for Website Services tab to disable the HTTP flood mitigation feature. If you disable the HTTP flood mitigation feature, Anti-DDoS Proxy cannot proactively identify and protect against HTTP flood attacks.

Prerequisites

A website service is added to Anti-DDoS Proxy. For more information, see Add websites.

Procedure

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.

    • Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland) instance, select Outside Chinese Mainland.

  3. In the left-side navigation pane, choose Mitigation Settings > General Policies.

  4. On the General Policies page, click the Protection for Website Services tab. In the left-side list of domain names, select a domain name.

  5. In the HTTP Flood Protection section, click Settings. On the page that appears, click Create Rule in the upper-right corner of the page. In the dialog box that appears, configure the parameters and click OK.

    Parameters:

    • Rule Name: The name of the rule. The name can be up to 128 characters in length and can contain letters, digits, and underscores (_).

    • Match Conditions: The match condition of the rule. For more information, see Supported HTTP request headers.

      Note
        • You must configure the Field Value parameter. The value of the Field Value parameter for an accurate access control rule is case-sensitive. The value of the Field Value parameter for a frequency control rule is not case-sensitive.
        • You can configure up to five conditions. If multiple conditions are specified, a request hits the rule only when all conditions are met.

    • Rate Limiting: Specifies whether to enable verification based on rate limiting.

        • If the switch is turned off, the rule is an accurate access control rule.
        • If the switch is turned on, the rule is a frequency control rule. After you turn on the switch, you must configure the Statistical Object, Duration (Seconds), and Threshold (Occurrences) parameters. Valid values of the Statistical Object parameter: IP and Custom Header.

    • Action: The operation that is performed when a request meets the conditions. Valid values:

        • Allow: allows the request.
        • Block: blocks the request.
        • JavaScript Challenge: performs CAPTCHA verification to verify the source IP addresses of the requests that meet the conditions.

    • Validity Period:

        • If you turn off Rate Limiting, this parameter specifies the validity period of an accurate access control rule. Valid values: Permanent and Custom Valid Period. If you select Custom Valid Period, you must specify a value from 5 to 120 minutes. Note: If you select Custom Valid Period, the rule is automatically deleted after the rule expires.
        • If you turn on Rate Limiting, this parameter specifies the validity period of a frequency control rule. Valid value: Custom Valid Period. You must specify a value from 1 to 1440 minutes.

    • Advanced Settings: If you turn on Rate Limiting, deduplication is supported when statistics are collected. You can select IP, Header, or URI for the Statistical Object parameter.

        • The deduplication mode is enabled: The following figure shows an example. If the same source IP address uses the same URI to access servers no less than 200 times in 30 seconds, access requests from the IP address are blocked. In this case, if the same source IP address uses the same URI to access servers multiple times, the number of accesses is counted as one.
        • The deduplication mode is disabled: The following figure shows an example. If the same source IP address uses the same URI to access servers no less than 200 times in 30 seconds, access requests from the IP address are blocked. In this case, if the same source IP address uses the same URI to access servers 10 times, the number of accesses is counted as 10.

  6. Go back to the HTTP Flood Protection section and turn on Status.
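The deduplication behaviour described under Advanced Settings, as an added example that is not Anti-DDoS Proxy code: a frequency counter for a rule with Statistical Object IP, a 30-second period and a threshold of 200 occurrences, run over constructed traffic with deduplication off and on. The sliding window and the sample IP address and URI are assumptions.

```python
from collections import defaultdict, deque

# Added example, not Anti-DDoS Proxy code. Models a frequency control rule
# with Statistical Object = IP, Duration = 30 seconds, Threshold = 200, and
# shows how the deduplication mode changes what is counted. The statistical
# period is assumed to be a sliding window; the page does not say how it is aligned.
DURATION_S = 30
THRESHOLD = 200


class FrequencyCounter:
    def __init__(self, duration_s=DURATION_S, threshold=THRESHOLD, dedup=False):
        self.duration_s = duration_s
        self.threshold = threshold
        self.dedup = dedup
        self.events = defaultdict(deque)  # source IP -> deque of (time, uri)

    def count(self, ip, now):
        """Occurrences for this IP inside the statistical period ending at now."""
        window = self.events[ip]
        while window and now - window[0][0] >= self.duration_s:
            window.popleft()  # request fell out of the 30-second window
        if self.dedup:
            # Deduplication enabled: repeated hits on the same URI count once.
            return len({uri for _, uri in window})
        return len(window)  # disabled: every request is one occurrence

    def observe(self, ip, uri, now):
        """Record one request; block once the count reaches the threshold."""
        self.events[ip].append((now, uri))
        return "block" if self.count(ip, now) >= self.threshold else "allow"


def simulate(dedup):
    """Constructed traffic: one IP requests the same URI 200 times in 20 s.

    Returns the decision on the 200th request and the count at that moment.
    """
    counter = FrequencyCounter(dedup=dedup)
    ip, uri = "203.0.113.7", "/index.html"  # constructed sample values
    decision = "allow"
    for i in range(200):
        decision = counter.observe(ip, uri, now=i * 0.1)
    return decision, counter.count(ip, 19.9)
```

With deduplication disabled the 200th request is blocked; with it enabled the same traffic counts as a single occurrence and passes, which is why the mode matters when a flood hammers one URI.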

Supported HTTP request headers

IP

  • Description: The source IP address of the request. The value can be a single IP address or a CIDR block.
  • Logical operators: Belongs To and Does Not Belong To
  • Example: 10.10.10.10

URI

  • Description: The request URI. Example: /action/member/id.php?id=1&td=2.
  • Logical operators: Include, Not Include, Equal To, Not Equal To, Length Less Than, Length Equal To, and Length Greater Than. Note: If the logical operator is Equal To or Not Equal To, the value must start with a forward slash (/).
  • Example: /action/member/id.php?id=1&td=2

User-Agent

  • Description: The browser information about the client that initiates the request. The information includes the browser identifier, rendering engine, and version.
  • Logical operators: Include, Not Include, Equal To, Not Equal To, Length Less Than, Length Equal To, and Length Greater Than
  • Example: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.XX.XX Safari/537.36

Cookie

  • Description: The cookie in the request.
  • Logical operators: Include, Not Include, Equal To, Not Equal To, Length Less Than, Length Equal To, Length Greater Than, and Does Not Exist
  • Example: cna=Z87DHXX/jXIBASQBsYAimToU; sca=234ea940; yunpk=177699790****

Referer

  • Description: The URL of the source page from which the request is linked.
  • Logical operators: Include, Not Include, Equal To, Not Equal To, Length Less Than, Length Equal To, Length Greater Than, and Does Not Exist
  • Example: https://example.aliyundoc.com/

Content-Type

  • Description: The HTTP content type that is specified for the response. The HTTP content type is also known as the Multipurpose Internet Mail Extensions (MIME) type.
  • Logical operators: Include, Not Include, Equal To, Not Equal To, Length Less Than, Length Equal To, and Length Greater Than
  • Example: text/plain;charset=UTF-8

X-Forwarded-For

  • Description: The originating IP address of the client that initiates the request. The value must be in the <client>, <proxy1>, <proxy2> format.
  • Logical operators: Include, Not Include, Equal To, Not Equal To, Length Less Than, Length Equal To, Length Greater Than, and Does Not Exist
  • Example: 36.18.XX.XX,192.18.XX.XX

Content-Length

  • Description: The number of bytes in the request.
  • Logical operators: Value Less Than, Value Equal To, and Value Greater Than
  • Example: 806

Post-Body

  • Description: The content of the request.
  • Logical operators: Include, Not Include, Equal To, and Not Equal To
  • Example:
    Content-Type: application/x-www-form-urlencoded
    name=John&age=25&email=****

Http-Method

  • Description: The request method. Valid values: GET, POST, DELETE, PUT, OPTIONS, CONNECT, HEAD, and TRACE.
  • Logical operators: Equal To and Not Equal To
  • Example: POST

Header

  • Description: A custom HTTP request header. You specify both the header field name and the value to match.
  • Logical operators: Include, Not Include, Equal To, Not Equal To, Length Less Than, Length Equal To, Length Greater Than, and Does Not Exist
  • Example: *text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/****

Params

  • Description: The parameters in the request URL. The parameters follow the question mark (?) in the URL. For example, the URI example.aliyundoc.com/index.html?action=login contains the parameter action=login.
  • Logical operators: Include, Not Include, Equal To, Not Equal To, Length Less Than, Length Equal To, and Length Greater Than
  • Example: action=login

Raw-URI

  • Description: The URI as sent, before any decoding, with the original sequence of characters preserved. The Raw-URI field can contain special characters and spaces, so the field must be encoded when it is used. This prevents ambiguity and errors during transmission and parsing.
  • Logical operators: Include, Not Include, Equal To, Not Equal To, Length Less Than, Length Equal To, Length Greater Than, Regular Expression Match, Bytes Contain, and Bytes Equal
  • Example: GET /images/logo.png HTTP/1.1

Tls-Fingerprint

  • Description: The TLS fingerprint of the client that initiates the request. The fingerprint is identified and calculated by the self-developed algorithms of Alibaba Cloud and can be used for request matching and DDoS mitigation. You can use one of the following methods to view the fingerprint of the client:
    • On the Security Overview page, click the Domain Names tab. In the lower part of the page, view the value in the Client Fingerprint column.
    • On the Log Analysis page, search for the ssl_client_tls_fingerprinting_md5 field. You must activate Simple Log Service before you can use this method. For more information, see Use the Log Analysis feature.
  • Logical operators: Equal To and Not Equal To
  • Example: 74dcbf6b790160370bb6b7bea98d5978

Examples

  • Block specific requests

    In most cases, the root directory of a website does not receive POST requests. If an HTTP flood attack occurs, your website may receive a large number of POST requests that access the root directory. We recommend that you check whether these requests are normal. If the requests are suspicious, you can configure a rule to block the requests based on the following figure.

  • Block web crawlers

    If your website receives a large number of crawler requests within a period of time, an HTTP flood attack may be initiated from bots that simulate crawlers. You can configure rules to block these requests. The following figure shows the sample configuration.


  • Configure hotlink protection

    When a browser accesses a web page, the Referer field is used to notify the server of the page from which the request is linked. You can configure a Referer-based accurate access control rule to block hotlinking from a specific website. For example, if the website https://example.aliyundoc.com uses a large number of pictures from your website, you can configure a rule based on the following figure.

  • Configure logon frequency limits

    For example, to prevent credential stuffing on a logon endpoint, you can configure the path of the logon endpoint and block IP addresses that send more than 20 requests to the path within 60 seconds, as shown in the following figure.

  • Block illegal client fingerprints

    An attacker may simulate a real client by forging a client fingerprint and then attempt to establish a large number of connections or send a large number of HTTP requests, which causes your server to stop responding or to refuse service. In this case, you can reject the connections by checking and identifying the client fingerprint.

    For example, if an attacker uses the same script or tool to launch volumetric HTTP flood attacks, the number or proportion of requests that carry the same fingerprint surges. You can view the top Client Fingerprint values on the Domain Names tab of the Security Overview page. Then, you can calculate the percentages of the top client fingerprints by querying the ssl_client_tls_fingerprinting_md5 field on the Log Analysis page. This way, you can analyze requests, identify suspicious fingerprints, and configure mitigation policies at the earliest opportunity, as shown in the following figure.
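The logical operators from the Supported HTTP request headers table and the rules in these Examples, as an added example that is not Anti-DDoS Proxy code: a small evaluator that applies ranked accurate access control rules to a request, with AND semantics over up to five conditions and case-sensitive Field Value comparison. The allow-listed CIDR 198.51.100.0/24, the crawler User-Agent substring ExampleCrawler and the rule names are constructed; the fingerprint is the page's sample value.

```python
import ipaddress

# Added example, not Anti-DDoS Proxy code: evaluates accurate access control
# rules built from the page's fields and logical operators. Rules are checked
# in rank order and the first hit decides; up to five conditions per rule are
# ANDed; Field Value comparisons are case-sensitive, as the page states.
OPERATORS = {
    "Belongs To": lambda v, x: v is not None and ipaddress.ip_address(v) in ipaddress.ip_network(x, strict=False),
    "Does Not Belong To": lambda v, x: v is not None and ipaddress.ip_address(v) not in ipaddress.ip_network(x, strict=False),
    "Include": lambda v, x: v is not None and x in v,
    "Not Include": lambda v, x: v is not None and x not in v,
    "Equal To": lambda v, x: v == x,
    "Not Equal To": lambda v, x: v is not None and v != x,
    "Length Less Than": lambda v, x: v is not None and len(v) < int(x),
    "Length Greater Than": lambda v, x: v is not None and len(v) > int(x),
    "Does Not Exist": lambda v, x: v is None,  # header absent from the request
}


def rule_hits(rule, request):
    """True only when every condition matches; a request is a dict of fields."""
    if len(rule["conditions"]) > 5:
        raise ValueError("a rule supports up to five conditions")
    return all(OPERATORS[op](request.get(field), value)
               for field, op, value in rule["conditions"])


def evaluate(rules, request):
    """Return (action, rule name) of the highest-ranked rule that hits."""
    for rule in rules:  # list order is rank order; Rule 1 comes first
        if rule_hits(rule, request):
            return rule["action"], rule["name"]
    return None, None  # no accurate rule hit; frequency control rules are next


# Rules modelled on the page's Examples; the allow-listed CIDR and the crawler
# User-Agent substring are constructed, the fingerprint is the page's sample.
RULES = [
    {"name": "allow-office", "action": "Allow",
     "conditions": [("IP", "Belongs To", "198.51.100.0/24")]},
    {"name": "block-root-post", "action": "Block",
     "conditions": [("Http-Method", "Equal To", "POST"), ("URI", "Equal To", "/")]},
    {"name": "block-hotlink", "action": "Block",
     "conditions": [("Referer", "Include", "example.aliyundoc.com")]},
    {"name": "block-fingerprint", "action": "Block",
     "conditions": [("Tls-Fingerprint", "Equal To", "74dcbf6b790160370bb6b7bea98d5978")]},
    {"name": "challenge-crawler", "action": "JavaScript Challenge",
     "conditions": [("User-Agent", "Include", "ExampleCrawler")]},
]
```

Because the allow rule ranks first, a POST to the root from the allow-listed CIDR passes even though it also matches the block rule, which is the ranking behaviour described under Matching logic.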