Anti-DDoS Proxy provides DDoS mitigation policies for non-website services to protect against Layer 4 connection-oriented DDoS attacks. Each policy is configured per IP address and port and applies only to port forwarding rules. Configure request rate, packet length, and other parameters to match your business requirements.
Prerequisites
Add a non-website service to Anti-DDoS Proxy before you configure a mitigation policy. For more information, see Manage forwarding rules.
Feature overview
A DDoS mitigation policy supports the following features:
| Feature | Description | Restrictions |
|---|---|---|
| False Source | Verifies and filters DDoS attacks initiated from forged IP addresses. | TCP port forwarding rules only. |
| Advanced Attack Mitigation | Detects and mitigates DDoS attacks that rapidly send an excessively large number of abnormal packets after a TCP three-way handshake, typically from botnets like Mirai. | TCP port forwarding rules only. Requires False Source to be enabled. Only Anti-DDoS Pro instances that use IPv4 addresses can configure this feature. IPv6 instances cannot. |
| Packet Feature Filtering | Distinguishes normal service traffic from attack traffic by analyzing packet payloads. Supports access control rules based on application-layer protocols. | Only Anti-DDoS Proxy (Chinese Mainland) instances of the Enhanced function plan that use IPv4 addresses can configure this feature. |
| Whitelist | Allows access requests from whitelisted IP addresses to pass through without interception, on a per-port basis. | None. |
| Rate Limit for Source | Limits the data transfer rate per source IP address based on the instance IP address and port. Supports blacklist settings for repeat offenders. | None. |
| Speed Limit for Destination | Limits the data transfer rate per instance port based on the instance IP address and port. | None. |
| Packet Length Limit | Specifies the minimum and maximum packet payload lengths. Packets with invalid lengths are discarded. | None. |
Configure a policy for a single port forwarding rule
Log on to the General Policies page in the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
Anti-DDoS Proxy (Chinese Mainland): Select the Chinese Mainland region.
Anti-DDoS Proxy (Outside Chinese Mainland): Select the Outside Chinese Mainland region.
On the General Policies page, click the Protection for Non-website Services tab and select the Anti-DDoS Proxy instance to manage.
In the list on the left, click the forwarding rule to configure.
Configure the protection features described in the following sections.
False Source
Enable False Source to block requests from forged IP addresses. This feature applies only to TCP port forwarding rules.
| Parameter | Description |
|---|---|
| False Source | Turn on to block requests from forged IP addresses. When False Source is disabled, Empty Connection and Advanced Attack Mitigation are also disabled. |
| Empty Connection | Turn on to block requests that attempt to establish null sessions. False Source must be enabled first. |
Advanced Attack Mitigation
This feature applies only to TCP port forwarding rules. False Source must be enabled first. The default protection mode is Normal.
| Protection mode | Effect | Recommended scenario |
|---|---|---|
| Loose | Blocks requests with obvious attack characteristics. A small number of attacks may pass through, but the false positive rate is low. | Large-scale one-way data transmission such as live streaming, streaming media, and data downloads. Services that require high bandwidth on origin servers. |
| Normal (recommended) | Balances protection effectiveness and low false positive rates without affecting most workloads. | Most scenarios. |
| Strict | Enforces strict attack verification. May cause false positives in some cases. | The origin server has limited bandwidth, or the protection provided by the Normal mode proves insufficient. |
Packet Feature Filtering
Configure precise access control rules based on packet payloads. If a single rule contains multiple match conditions, all conditions must be satisfied to trigger the action.
| Parameter | Description |
|---|---|
| Rule Name | Name the rule for identification. |
| Match Conditions | Define the packet payload format. Select String or Hexadecimal. |
| Match Range | Specify the start and end positions for payload matching. Valid range: 0 to 1499 bytes. The start position must not exceed the end position. |
| Logical Operator | Select Include or Not Include. |
| Field Value | For String: content length must not exceed 1500 bytes and must fall within the start and end positions. For Hexadecimal: content must consist of hexadecimal characters, must not exceed 3000 characters, must be an even number of characters, and must fall within the specified range. |
| Action | Monitor: permits the matching request. Block: rejects the matching request. Block and Add to Blacklist: rejects the request and adds the source IP to the blacklist. Blacklist duration: 300 to 600 seconds. |
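To make the rule semantics concrete, here is an added example (not code from the Anti-DDoS Proxy console or any Alibaba Cloud SDK) that evaluates a Packet Feature Filtering rule locally against a captured payload, applying the limits from the table: a 0 to 1499 byte match range, string values of at most 1500 bytes, even-length hexadecimal values of at most 3000 characters, and AND semantics across a rule's conditions. The Condition and Rule classes, the rule name and the binary protocol in the sample are hypothetical; that a field value must fit inside its match range is an assumption drawn from the Field Value row.

```python
import binascii
from dataclasses import dataclass, field

@dataclass
class Condition:
    """One match condition of a rule; offsets index bytes of the packet payload."""
    fmt: str     # "string" or "hex" (the Match Conditions format)
    start: int   # Match Range start, 0..1499
    end: int     # Match Range end, 0..1499, not less than start
    op: str      # Logical Operator: "include" or "not_include"
    value: str   # Field Value in the chosen format

    def pattern(self) -> bytes:
        if self.fmt == "hex":
            if len(self.value) % 2 or len(self.value) > 3000:
                raise ValueError("hex value must have an even length of at most 3000 characters")
            return binascii.unhexlify(self.value)
        data = self.value.encode()
        if len(data) > 1500:
            raise ValueError("string value must not exceed 1500 bytes")
        return data

    def matches(self, payload: bytes) -> bool:
        if not 0 <= self.start <= self.end <= 1499:
            raise ValueError("match range must satisfy 0 <= start <= end <= 1499")
        pat = self.pattern()
        if len(pat) > self.end - self.start + 1:   # assumption: value must fit inside the range
            raise ValueError("field value is longer than the match range")
        found = pat in payload[self.start:self.end + 1]
        return found if self.op == "include" else not found

@dataclass
class Rule:
    name: str
    action: str                 # "monitor", "block" or "block_blacklist"
    conditions: list = field(default_factory=list)

    def evaluate(self, payload: bytes):
        """Return the rule's action when every condition matches (AND), else None."""
        if self.conditions and all(c.matches(payload) for c in self.conditions):
            return self.action
        return None

# Constructed sample: a hypothetical binary protocol whose login messages start with opcode 0x0001
# followed by an ASCII "LOGIN" command; the rule blocks packets that carry both.
LOGIN_FLOOD_RULE = Rule("block-login-flood", "block", [
    Condition("hex", 0, 3, "include", "0001"),
    Condition("string", 4, 63, "include", "LOGIN"),
])
SAMPLE_PAYLOAD = b"\x00\x01\x00\x00LOGIN alice"
```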
Whitelist
Add IP addresses or CIDR blocks to the whitelist to allow access requests from those addresses to pass through without interception. A maximum of 2,000 IPs or CIDR blocks can be added per whitelist.
The following restrictions apply:
Anti-DDoS Proxy instances support both IPv4 and IPv6 addresses.
IPv4 CIDR blocks: /8 to /32. IPv6 CIDR blocks: /32 to /128.
IPv4 addresses cannot be 0.0.0.0 or 255.255.255.255. IPv6 addresses cannot be :: or ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.
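An added example (not Alibaba Cloud code) that pre-checks a whitelist before it is entered in the console, applying the restrictions above: prefix lengths of /8 to /32 for IPv4 and /32 to /128 for IPv6, the four addresses that cannot be whitelisted, and the limit of 2,000 entries per whitelist. The function names and the sample list are constructed for illustration.

```python
import ipaddress

# Addresses the page lists as not allowed in a whitelist.
FORBIDDEN = {ipaddress.ip_address(a) for a in (
    "0.0.0.0", "255.255.255.255", "::", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")}
PREFIX_RANGE = {4: (8, 32), 6: (32, 128)}   # allowed CIDR prefix lengths per IP version
MAX_ENTRIES = 2000

def check_entry(entry: str) -> str:
    """Return the entry as it should appear in the whitelist, or raise ValueError."""
    try:
        net = ipaddress.ip_network(entry)      # strict: rejects host bits set, e.g. 10.1.2.3/24
    except ValueError as e:
        raise ValueError(f"{entry}: {e}") from e
    lo, hi = PREFIX_RANGE[net.version]
    if not lo <= net.prefixlen <= hi:
        raise ValueError(f"{entry}: IPv{net.version} prefix must be /{lo} to /{hi}")
    if net.prefixlen == net.max_prefixlen and net.network_address in FORBIDDEN:
        raise ValueError(f"{entry}: this address cannot be whitelisted")
    # A single host is returned without the /32 or /128 suffix; blocks keep their prefix.
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)

def validate_whitelist(entries):
    """Check every entry; returns (accepted, rejected) where rejected holds (entry, reason)."""
    accepted, rejected = [], []
    for raw in entries:
        try:
            accepted.append(check_entry(raw.strip()))
        except ValueError as err:
            rejected.append((raw, str(err)))
    if len(accepted) > MAX_ENTRIES:
        raise ValueError(f"{len(accepted)} entries exceed the per-whitelist limit of {MAX_ENTRIES}")
    return accepted, rejected

# Constructed sample list mixing valid entries with each kind of rejection.
SAMPLE_WHITELIST = [
    "203.0.113.5", "198.51.100.0/24", "2001:db8::/48",          # accepted
    "0.0.0.0", "10.0.0.0/7", "2001:db8::1/64", "not-an-ip",    # rejected
]
```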
Rate Limit for Source
Limit the data transfer rate per source IP address based on the instance IP address and port. When access requests from a source IP exceed the configured limit, excess traffic from that IP is dropped. Traffic from other source IPs that remain within their limits is not affected.
| Parameter | Valid values | Description |
|---|---|---|
| New Connections Limit for Source | 1 to 50,000 | Maximum new connections per second from a single IP. Select Automatic (Anti-DDoS Proxy calculates the limit dynamically) or Manual (specify the value manually). |
| Concurrent Connections Limit for Source | 1 to 50,000 | Maximum concurrent connections from a single IP. Excess concurrent connections are dropped. |
| PPS Limit for Source | 1 to 100,000 | Maximum packets per second from a single IP. Excess packets are dropped. |
| Bandwidth Limit for Source | 1,024 to 268,435,456 bytes/s | Maximum bandwidth from a single IP. |
Blacklist settings
Each rate limit parameter supports blacklist settings:
Select the corresponding checkbox to add a source IP to the blacklist when it exceeds the limit five times within 60 seconds. All requests from blacklisted IPs are dropped.
Configure the Blacklist Validity Period to specify how long the IP remains blacklisted. Valid values: 1 to 10,080 minutes. Default: 30 minutes. The IP is automatically removed from the blacklist when the validity period ends.
Speed Limit for Destination
Limit the data transfer rate per instance port. When the transfer rate on a port exceeds the configured limit, excess traffic on that port is dropped. Other ports are not affected.
Default values differ between TCP and UDP port forwarding rules.
TCP port forwarding rules
| Parameter | Valid values | Default | Can be disabled? |
|---|---|---|---|
| New Connections Limit for Destination | 100 to 100,000 | 100,000 (enabled by default) | No. Disabling resets the value to 100,000. |
| Concurrent Connections Limit for Destination | 1,000 to 2,000,000 | 2,000,000 (enabled by default) | No. Disabling resets the value to 2,000,000. |
UDP port forwarding rules
| Parameter | Valid values | Default | Can be disabled? |
|---|---|---|---|
| New Connections Limit for Destination | 100 to 50,000 | Disabled by default | Yes |
| Concurrent Connections Limit for Destination | 1,000 to 200,000 | 200,000 (enabled by default) | No. Disabling resets the value to 200,000. |
Packet Length Limit
In the Packet Length Limit section, click Settings. Specify the minimum and maximum payload lengths for packets and click OK. Valid values: 0 to 1,500 bytes.
Configure a policy for multiple port forwarding rules at a time
Use batch configuration to apply a DDoS mitigation policy to multiple port forwarding rules simultaneously.
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
Anti-DDoS Proxy (Chinese Mainland): Select the Chinese Mainland region.
Anti-DDoS Proxy (Outside Chinese Mainland): Select the Outside Chinese Mainland region.
In the left-side navigation pane, choose Provisioning > Port Config.
On the Port Config page, select the instance to manage and choose Batch Operations > Create Mitigation Policy below the rule list.
In the Create Mitigation Policy dialog box, enter the DDoS mitigation policy content in the required format and click OK.
Batch format requirements
Enter one policy per row, corresponding to one port forwarding rule.
The forwarding port must match a port specified in an existing forwarding rule.
Separate fields with spaces. The fields from left to right are:
| Position | Field | Valid values |
|---|---|---|
| 1 | Forwarding port | Port number from an existing forwarding rule |
| 2 | Forwarding protocol | tcp or udp |
| 3 | New connections limit for source | Numeric value |
| 4 | Concurrent connections limit for source | Numeric value |
| 5 | New connections limit for destination | Numeric value |
| 6 | Concurrent connections limit for destination | Numeric value |
| 7 | Minimum packet length | Numeric value |
| 8 | Maximum packet length | Numeric value |
| 9 | False source | on or off |
| 10 | Empty connection | on or off |
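An added example, not code from Alibaba Cloud, that validates a batch text block against this format and the per-parameter ranges stated earlier on this page before it is pasted into the Create Mitigation Policy dialog. It assumes the caller supplies the instance's existing (port, protocol) pairs, and it rejects a UDP row with false source on and a minimum packet length above the maximum; both checks are inferred from the page rather than stated rules of the batch format. The function and constant names and the sample rows are constructed.

```python
DST_LIMITS = {   # destination limit ranges differ by protocol (see the TCP and UDP tables)
    "tcp": {"dst_new": (100, 100_000), "dst_conc": (1_000, 2_000_000)},
    "udp": {"dst_new": (100, 50_000), "dst_conc": (1_000, 200_000)},
}
FIELDS = ["port", "proto", "src_new", "src_conc", "dst_new", "dst_conc", "min_len", "max_len", "false_source", "empty_conn"]

def parse_row(row: str, known_rules):   # known_rules: set of (port, proto) from existing rules
    parts = row.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} space-separated fields, got {len(parts)}")
    p = dict(zip(FIELDS, parts))
    proto = p["proto"].lower()
    if proto not in DST_LIMITS:
        raise ValueError("forwarding protocol must be tcp or udp")
    nums = {k: int(p[k]) for k in ["port"] + FIELDS[2:8]}   # int() rejects non-numeric fields
    if (nums["port"], proto) not in known_rules:
        raise ValueError(f"no {proto} forwarding rule exists for port {nums['port']}")
    ranges = {"src_new": (1, 50_000), "src_conc": (1, 50_000),
              "min_len": (0, 1_500), "max_len": (0, 1_500), **DST_LIMITS[proto]}
    for k, (lo, hi) in ranges.items():
        if not lo <= nums[k] <= hi:
            raise ValueError(f"{k}={nums[k]} is outside {lo}..{hi} for {proto}")
    if nums["min_len"] > nums["max_len"]:   # assumption: minimum may not exceed maximum
        raise ValueError("minimum packet length exceeds maximum packet length")
    flags = {k: p[k].lower() for k in ("false_source", "empty_conn")}
    if any(v not in ("on", "off") for v in flags.values()):
        raise ValueError("false source and empty connection must be on or off")
    if proto == "udp" and flags["false_source"] == "on":   # False Source is TCP-only
        raise ValueError("false source applies only to tcp forwarding rules")
    if flags["empty_conn"] == "on" and flags["false_source"] == "off":
        raise ValueError("empty connection requires false source to be on")
    return {**nums, "proto": proto, **flags}

def validate_batch(text: str, known_rules):
    # Returns (parsed_rows, errors); errors carry 1-based row numbers so they can be fixed in place.
    ok, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip(): continue
        try:
            ok.append(parse_row(line, known_rules))
        except ValueError as e:
            errors.append((n, str(e)))
    return ok, errors

KNOWN_RULES = {(443, "tcp"), (9000, "udp")}   # constructed: the instance's existing rules
SAMPLE_BATCH = """\
443 tcp 1000 5000 100000 2000000 0 1500 on on
9000 udp 500 2000 20000 100000 64 1200 off off
8080 tcp 1000 5000 100000 2000000 0 1500 on off
9000 udp 500 2000 20000 100000 0 1500 on off
"""
```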