
Anti-DDoS:Create an anti-DDoS protection policy

Last Updated: Feb 22, 2024

This topic describes how to create anti-DDoS protection policies. Both Anti-DDoS Pro and Anti-DDoS Premium allow you to create the following anti-DDoS protection policies to protect non-website services against Layer 4 DDoS attacks: False Source, Empty Connection, Speed Limit for Source, and Speed Limit for Destination. After you create port forwarding rules for an Anti-DDoS Pro or Anti-DDoS Premium instance and associate a non-website service with the instance, you can create an anti-DDoS protection policy for a specific port forwarding rule. You can also create anti-DDoS protection policies for multiple port forwarding rules at a time.

Prerequisites

A port forwarding rule for a non-website service is configured on the Port Config page. For more information, see Configure port forwarding rules.

Background information

Important

In the top navigation bar of the Anti-DDoS Pro or Anti-DDoS Premium console, you can select the Chinese Mainland or Outside Chinese Mainland region to switch between the Anti-DDoS Pro and Anti-DDoS Premium consoles. Then, you can configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances based on your business requirements. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.

For non-website services, anti-DDoS protection policies are configured based on IP addresses and ports. To mitigate connection-oriented DDoS attacks, you can set the request rate, packet length, and other parameters as required. Anti-DDoS protection settings only apply to ports.

Both Anti-DDoS Pro and Anti-DDoS Premium allow you to create the following types of anti-DDoS protection policies for non-website services:

  • False Source: verifies and filters DDoS attacks initiated from forged IP addresses.

  • Speed Limit for Destination: The data transfer rate of the port that exceeds the maximum visit frequency is limited based on the IP address and port of your Anti-DDoS Pro or Anti-DDoS Premium instance. The data transfer rates of other ports are not limited.

  • Packet Length Limit: specifies the minimum and maximum lengths of packets that are allowed to pass through. Packets with invalid lengths are dropped.

  • Speed Limit for Source: The data transfer rate of a source IP address that exceeds the maximum visit frequency is limited based on the IP address and port of your Anti-DDoS Pro or Anti-DDoS Premium instance. The data transfer rates of other source IP addresses are not limited. This policy also supports the IP address blacklist policy. An IP address from which access requests exceed the maximum visit frequency five times within 60 seconds can be added to a blacklist. You can also specify the blocking period.

Create an anti-DDoS protection policy

The following procedure shows how to create an anti-DDoS protection policy for a specific port forwarding rule. You can also create anti-DDoS protection policies for multiple port forwarding rules at a time. For more information, see Create anti-DDoS protection policies for multiple port forwarding rules at a time.

  1. Log on to the Anti-DDoS Pro console.

  2. In the top navigation bar, select the region of your asset.

    • Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.

    • Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.

    You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.

  3. In the left-side navigation pane, choose Mitigation Settings > General Policies.

  4. On the General Policies page, click the Protection for Non-website Services tab. On the tab that appears, select the target instance from the Select Instance drop-down list.

  5. Select the forwarding rule for which you want to create a policy from the list on the left side.

  6. Configure settings in the False Source, Speed Limit for Destination, Packet Length Limit, and Speed Limit for Source sections.

    • False Source: In the False Source section, turn on or off False Source or Empty Connection.

      False Source: Turn on this switch to block requests from forged IP addresses. After you turn on the switch, Anti-DDoS Pro or Anti-DDoS Premium automatically filters requests initiated from forged IP addresses.

      Note: This policy only applies to TCP rules.

      Empty Connection: Turn on this switch to block requests that attempt to establish null sessions. After you turn on the switch, Anti-DDoS Pro or Anti-DDoS Premium automatically filters requests that attempt to establish null sessions.

      Note: This policy only applies to TCP rules. To enable this policy, you must first enable the False Source policy.

    • Speed Limit for Destination: In the Speed Limit for Destination section, click Change Settings. In the Change Settings dialog box, specify the required parameters and then click OK.

      Destination New Connection Rate Limit: This parameter specifies the maximum number of new connections per second that can be established on an Anti-DDoS Pro or Anti-DDoS Premium port. The value ranges from 100 to 100000. Requests sent to the port after the upper limit is reached are dropped.

      Note: The limit on new connections may be slightly different from actual scenarios because scrubbing nodes are deployed in clusters.

      Destination Concurrent Connection Rate Limit: This parameter specifies the maximum number of concurrent connections that can be established on an Anti-DDoS Pro or Anti-DDoS Premium port. The value ranges from 1000 to 1000000. Requests sent to the port after the upper limit is reached are dropped.

    • Packet Length Limit: In the Packet Length Limit section, click Change Settings. In the Change Settings dialog box, set the minimum and maximum lengths of the payload contained in a packet and then click OK. The value ranges from 0 to 6000. Unit: bytes.

    • Speed Limit for Source: In the Speed Limit for Source section, click Change Settings. In the Configure Speed Limit for Source pane, specify the required parameters and then click OK.

      Source New Connection Rate Limit: This parameter specifies the maximum number of new connections per second that can be initiated from a single IP address. The value ranges from 1 to 50000. Requests initiated from the IP address after the upper limit is reached are dropped. This policy supports Automatic and Manual modes.

      • If you select Automatic, Anti-DDoS Pro or Anti-DDoS Premium dynamically calculates the maximum number of new connections per second that can be initiated from a single source IP address.

      • If you select Manual, you must specify the maximum number of new connections per second that can be initiated from a single source IP address.

      Note: The limit on new connections may be slightly different from actual scenarios because scrubbing nodes are deployed in clusters.

      Blacklist policy:

      • If you select the check box "When the number of new connections from a source client exceeds the threshold five times within one minute, the IP address of the source client is added to the blacklist.", all requests from IP addresses in the blacklist are dropped.

      • To enable the blacklist policy, you must set Validity Period for Blacklist. The value ranges from 1 to 10080. The default value is 30. Unit: minutes. An IP address added to a blacklist is removed from the blacklist when the validity period ends.

      Source Concurrent Connection Rate Limit: This parameter specifies the maximum number of concurrent connections that can be initiated from a single IP address. The value ranges from 1 to 50000. Requests initiated from the IP address after the upper limit is reached are dropped.

      Blacklist policy:

      • If you select the check box "When the number of concurrent connections from a source client exceeds the threshold five times within one minute, the IP address of the source client is added to the blacklist.", all requests from IP addresses in the blacklist are dropped.

      • To enable the blacklist policy, you must set Validity Period for Blacklist. The value ranges from 1 to 10080. The default value is 30. Unit: minutes. An IP address added to a blacklist is removed from the blacklist when the validity period ends.

      PPS Limit for Source: This parameter specifies the maximum number of packets per second that can be allowed from a single IP address. The value ranges from 1 to 100000. Unit: packet/s. Packets initiated from the IP address after the upper limit is reached are dropped.

      Blacklist policy:

      • If you select the check box "When the source packets per second (PPS) of a source client exceeds the threshold five times within one minute, the IP address of the source client is added to the blacklist.", all requests from IP addresses in the blacklist are dropped.

      • To enable the blacklist policy, you must set Validity Period for Blacklist. The value ranges from 1 to 10080. The default value is 30. Unit: minutes. An IP address added to a blacklist is removed from the blacklist when the validity period ends.

      Bandwidth Limit for Source: This parameter specifies the maximum bandwidth of a single IP address. The value ranges from 1024 to 268435456. Unit: bytes/s.

      Blacklist policy:

      • If you select the check box "When the source bandwidth of a source client exceeds the threshold five times within one minute, the IP address of the source client is added to the blacklist.", all requests from IP addresses in the blacklist are dropped.

      • To enable the blacklist policy, you must set Validity Period for Blacklist. The value ranges from 1 to 10080. The default value is 30. Unit: minutes. An IP address added to a blacklist is removed from the blacklist when the validity period ends.

Create anti-DDoS protection policies for multiple port forwarding rules at a time

  1. Log on to the Anti-DDoS Pro console.

  2. In the top navigation bar, select the region of your asset.

    • Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.

    • Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.

    You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.

  3. In the left-side navigation pane, choose Provisioning > Port Config.

  4. On the Port Config page, select the target instance, click Batch Operations below the rule list, and select Create Mitigation Policy.

  5. In the Create Mitigation Policy dialog box, follow the required formats to enter the content of anti-DDoS protection policies and then click OK.

    The following section describes the formats of anti-DDoS protection policies.

    Note

    You can also export anti-DDoS protection policies to a TXT file, modify the content in the TXT file, and then copy and paste the modified content to the target fields. The formats of anti-DDoS protection policies in the exported file must be the same as those of the policies that you want to create. For more information, see Export multiple port configurations.

    • Enter one policy in each row.

    • Each anti-DDoS protection policy must contain the following fields from left to right: forwarding port, forwarding protocol, source new connection rate limit, source concurrent connection rate limit, destination new connection rate limit, destination concurrent connection rate limit, minimum packet length, maximum packet length, false source status, and empty connection status. The forwarding protocol can be TCP or UDP. For more information about the fields and valid values, see Parameters and descriptions of anti-DDoS protection policies. Fields are separated with spaces.

    • The forwarding port must be a port specified in a forwarding rule.

    • The valid values of both False Source and Empty Connection are on and off. If either field is not set, the corresponding switch is turned off.
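As an added example (not Alibaba Cloud code), the following Python validator checks policy rows in the batch format above against the field order, the on/off switch rules and the value ranges listed on this page before the rows are pasted into the Create Mitigation Policy dialog box; the set of (port, protocol) pairs that stands for the existing forwarding rules is an assumed input.

```python
# Added example, not Alibaba Cloud code: validates rows in the batch policy format
# above, using the numeric bounds from the parameter tables on this page.
NUMERIC_FIELDS = (  # (field name, lower bound, upper bound), in row order
    ("source new connection rate limit", 1, 50000),
    ("source concurrent connection rate limit", 1, 50000),
    ("destination new connection rate limit", 100, 100000),
    ("destination concurrent connection rate limit", 1000, 1000000),
    ("minimum packet length", 0, 6000),
    ("maximum packet length", 0, 6000),
)
# Constructed sample rows (not from the page): the first is valid; the second
# breaks three rules (min > max length, TCP-only switches on a UDP rule,
# Empty Connection without False Source).
SAMPLE_ROWS = [
    "8080 TCP 100 1000 5000 20000 0 6000 on on",
    "53 UDP 100 1000 5000 20000 64 0 off on",
]

def validate_policy_row(row, forwarding_rules):
    """Return the problems found in one row; an empty list means the row is valid.
    forwarding_rules (assumed representation) is a set of (port, protocol) pairs
    from the existing forwarding rules; the row's port and protocol must match one."""
    fields = row.split()
    if not 8 <= len(fields) <= 10:
        return [f"expected 8 to 10 space-separated fields, got {len(fields)}"]
    fields += ["off"] * (10 - len(fields))  # omitted switches count as off
    problems, port_text, proto = [], fields[0], fields[1].upper()
    port_ok = port_text.isdigit() and 1 <= int(port_text) <= 65535
    if not port_ok:
        problems.append(f"invalid forwarding port {port_text!r}")
    if proto not in ("TCP", "UDP"):
        problems.append(f"forwarding protocol must be TCP or UDP, got {proto!r}")
    elif port_ok and (int(port_text), proto) not in forwarding_rules:
        problems.append(f"no forwarding rule for {proto} port {port_text}")
    values = {}
    for (name, low, high), text in zip(NUMERIC_FIELDS, fields[2:8]):
        if text.isdigit() and low <= int(text) <= high:
            values[name] = int(text)
        else:
            problems.append(f"{name} must be an integer in [{low}, {high}], got {text!r}")
    if len(values) == 6 and values["minimum packet length"] > values["maximum packet length"]:
        problems.append("minimum packet length exceeds maximum packet length")
    false_source, empty_conn = fields[8].lower(), fields[9].lower()
    if any(v not in ("on", "off") for v in (false_source, empty_conn)):
        problems.append("False Source and Empty Connection status must be on or off")
    if proto == "UDP" and "on" in (false_source, empty_conn):
        problems.append("False Source and Empty Connection apply to TCP rules only")
    if empty_conn == "on" and false_source != "on":
        problems.append("Empty Connection requires False Source to be on")
    return problems
```

Run each line of an exported TXT file through validate_policy_row and fix every row that returns a non-empty list before pasting the file contents into the dialog box.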