If the response time of your website increases due to DDoS attacks, you can enable the rate limiting feature. Rate limiting allows CDN edge nodes to identify IP addresses that frequently send requests to your website and block malicious requests. This reinforces website security.

Submit an application

You must apply for the rate limiting feature before you can use it. To apply for this feature, join one of the following DingTalk groups:
  • Group 1: 23184221. No more members can be added to the group.
  • Group 2: 33298914. No more members can be added to the group.
  • Group 3: 33137775. No more members can be added to the group.
  • Group 4: 41552166.

Enable rate limiting

  1. Log on to the Alibaba Cloud CDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.
  4. In the left-side management pane of the domain name, click Security Settings.
  5. Click the Rate Limiting tab.
  6. Turn on Rate Limiting.
  7. In the Rate Limiting dialog box, enable Parameter Check and set Control Mode.
    Configure rate limiting
    Parameter Check
      After the parameter check feature is enabled, requests are matched against the specified URIs with all of their parameters retained. The parameter check feature checks only URIs. Custom match rules that are set for the custom rate limiting mode do not apply to the parameter check feature.
      Note: Parameter check takes effect only in custom rate limiting rules.
    Control Mode
      You can select one of the following modes:
    • Normal

      The default rate limiting mode. Select this mode to prevent false positives if the network traffic of your website is within the expected range.

    • Emergency

      Select this mode if your website responds slowly and exceptions are detected in network traffic, CPU usage, memory usage, or other performance indicators.

    • Custom

      Select this mode if you want to customize rate limiting rules based on your business requirements. This mode detects requests frequently sent from IP addresses, and mitigates HTTP flood attacks on edge nodes. For more information about how to add a custom rule, see Add a custom rate limiting rule.

  8. Click OK.

Add a custom rate limiting rule

Notice
  • When you set Control Mode to Custom, you must add a custom rate limiting rule. Other control modes do not require custom rate limiting rules.
  • You can add a maximum of five custom rate limiting rules.
  1. Click Add Rule on the right side of Custom Rules.
  2. Follow the instructions to add a custom rule. The following table describes the parameters.
    Parameters used to add a custom rule
    Rule Name
      • The name must be 4 to 30 characters in length, and can contain letters and digits.
      • The names of rules that are set for the same accelerated domain name must be unique.
    URI
      Enter the URI that you want to protect, for example, /register. If the URI contains parameters, for example, /user?action=login, you must enable the parameter check feature.
    Matching Mode
      You can select one of the following match rules. By default, the rate limiting rule applies the match rules in the following order: exact match, prefix match, and fuzzy match. You can adjust the priorities of the match rules in a rate limiting rule; the match rules are listed and executed in order of priority.
      • Exact Match

        Requests are counted only if the request URI exactly matches the specified URI.

      • Prefix Match

        Requests are counted if the request URI starts with the specified URI. For example, if the URI is set to /register, requests that are sent to /register.html are counted.

      • Fuzzy Match

        Requests are counted if the request URI matches the specified regular expression. You can use periods (.) and asterisks (*) as wildcard characters.
        • A period (.) matches any single character of the request URI.
        • An asterisk (*) matches any number of repetitions of the preceding character, so the request is counted if the request URI matches the resulting regular expression.
    Monitored Object
      You can select one of the following types of object:
      • Source IP
      • Header
      • Domain
      • URL Parameter
    Interval
      Set the time period during which requests are counted. This parameter takes effect only if you specify a monitored object. The time period must be 10 to 600 seconds.
    Match Criteria
      Click Add Criteria and set the following parameters: Type, Parameter, Logical Operator, and Value.
      Note: The number of requests that match the specified rule is counted on each edge node separately, so it may take some time to trigger the rate limiting rule. You can send more requests to the edge nodes to trigger the rule.
    Action
      Specify the action to perform after a request matches the rule. You can select Block or Bot Detection.
      • Block

        If this action is triggered, the HTTP 403 status code is returned to the request.

      • Bot Detection

        If this action is triggered, the HTTP 200 status code is returned and the request is redirected for verification. The request is allowed to access the requested resources only if it passes the verification.

        For example, if an IP address sends more than five requests within 20 seconds, bot detection is triggered. All requests from the IP address within the following 10 minutes are verified, and are allowed to access resources only if they pass human-machine identification.

    TTL
      Specify the time period for which IP addresses remain blocked. The time period must be at least 60 seconds.
  3. Click OK.
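As an added example (not code from the Alibaba Cloud CDN documentation or the service itself), the following Python script shows how the three matching modes, their default priority order and the parameter check decide which custom rule a request URI is counted against. The rule set and the request targets are constructed for illustration, and the choice that a fuzzy pattern must cover the whole request URI is an assumption of this example.

```python
"""Added example: matching a request URI against custom rate limiting rules.
Rule names, URIs and request targets are constructed for illustration."""
import re
from urllib.parse import urlsplit

# Default priority order from the documentation: exact, then prefix, then fuzzy.
MODE_PRIORITY = {"exact": 0, "prefix": 1, "fuzzy": 2}

# Constructed rule set. It is deliberately listed out of priority order so the
# sort in first_matching_rule() is what decides which rule wins.
RULES = [
    {"name": "fuzzyapi", "mode": "fuzzy", "uri": "/api/v./.*"},
    {"name": "prefixreg", "mode": "prefix", "uri": "/register"},
    {"name": "exactping", "mode": "exact", "uri": "/api/v1/ping"},
    {"name": "exactlogin", "mode": "exact", "uri": "/user?action=login"},
]


def normalise_request_uri(request_target, parameter_check):
    """Return the part of the request target that a rule is compared with.

    With parameter check enabled the query string is retained; without it only
    the path is compared, which is why a rule URI such as /user?action=login
    needs the parameter check to ever match."""
    if parameter_check:
        return request_target
    return urlsplit(request_target).path


def uri_matches(rule_uri, mode, request_uri):
    """Apply one matching mode to one request URI."""
    if mode == "exact":
        return request_uri == rule_uri
    if mode == "prefix":
        return request_uri.startswith(rule_uri)
    if mode == "fuzzy":
        # '.' matches any single character and '*' repeats the preceding one.
        # Assumption of this example: the pattern has to cover the whole URI.
        return re.fullmatch(rule_uri, request_uri) is not None
    raise ValueError(f"unknown matching mode: {mode}")


def first_matching_rule(rules, request_target, parameter_check=False):
    """Evaluate the rules in priority order and return the first rule name
    whose match rule covers the request, or None if no rule counts it."""
    request_uri = normalise_request_uri(request_target, parameter_check)
    for rule in sorted(rules, key=lambda r: MODE_PRIORITY[r["mode"]]):
        if uri_matches(rule["uri"], rule["mode"], request_uri):
            return rule["name"]
    return None


if __name__ == "__main__":
    for target, check in [("/register", False), ("/register.html", False),
                          ("/user?action=login", False), ("/user?action=login", True),
                          ("/api/v1/ping", False), ("/api/v2/items", False)]:
        print(f"{target!r:28} parameter_check={check!s:5} ->",
              first_matching_rule(RULES, target, check))
```

Two behaviours are worth noting when running it: /api/v1/ping is counted by the exact rule even though the fuzzy pattern also covers it, because exact match has the higher priority; and /user?action=login is counted by no rule at all until the parameter check is enabled, because the query string is otherwise stripped before comparison.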

Examples

The following examples show two typical configurations.

Example 1: 4xx or 5xx errors
  • Monitored object: IP
  • Interval: 10 seconds
  • Match criteria: "status_ratio|404">60%&&"count">50
  • Action: Block
  • TTL: 10 minutes
  • Expected result: If the percentage of HTTP 404 responses among all responses returned to the IP address reaches 60%, and the IP address sends at least 50 requests, the IP address is blocked for 10 minutes. All requests from the IP address receive the HTTP 403 status code.

Example 2: Queries per second (QPS) anomalies
  • Monitored object: Domain name
  • Interval: 10 seconds
  • Match criteria: "count">N
    Note: Specify a value for N based on your business requirements.
  • Action: Bot Detection
  • TTL: 10 minutes
  • Expected result: If the number of requests that are sent to the domain name reaches the value of N, bot detection is triggered. Within the next 10 minutes, all requests sent to the domain name are verified, and are allowed to access the domain name only if they pass human-machine identification.
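As an added example (not code from the Alibaba Cloud CDN documentation or the service), the following Python script evaluates the two example criteria above over a constructed batch of access-log records from a single 10-second interval, the way an edge node would count them before applying the Block or Bot Detection action. The log layout, the IP addresses, the domain names and the value N=100 are all constructed for illustration; the comparisons use ">" exactly as the match criteria write them.

```python
"""Added example: evaluating the two example rate limiting criteria over a
constructed access log for one interval. Log format and values are made up."""
from collections import defaultdict


def build_sample_log():
    """Constructed log for one 10-second interval, one record per line in the
    made-up form '<client_ip> <domain> <status>'."""
    lines = []
    # 60 requests, 40 of them 404: 66.7% 404s and a count above 50 -> blocked
    lines += ["203.0.113.10 www.example.com 404"] * 40
    lines += ["203.0.113.10 www.example.com 200"] * 20
    # 55 requests, 20 of them 404: 36% 404s, below the 60% ratio -> not blocked
    lines += ["203.0.113.11 www.example.com 404"] * 20
    lines += ["203.0.113.11 www.example.com 200"] * 35
    # 30 requests, all 404: ratio is 100% but the count is not above 50 -> not blocked
    lines += ["203.0.113.12 www.example.com 404"] * 30
    # a second accelerated domain with light traffic
    lines += ["198.51.100.7 static.example.com 200"] * 20
    return "\n".join(lines)


def parse_log(text):
    """Parse the constructed log into (ip, domain, status) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, domain, status = line.split()
        records.append((ip, domain, int(status)))
    return records


def ips_to_block(records, status=404, ratio=0.60, min_count=50):
    """Example 1: '"status_ratio|404">60%&&"count">50', evaluated per source IP.
    Returns the set of IPs that receive HTTP 403 for the rule's TTL."""
    total = defaultdict(int)
    matched = defaultdict(int)
    for ip, _domain, code in records:
        total[ip] += 1
        if code == status:
            matched[ip] += 1
    return {ip for ip, n in total.items()
            if n > min_count and matched[ip] / n > ratio}


def domains_for_bot_detection(records, n):
    """Example 2: '"count">N', evaluated per accelerated domain name.
    Returns the domains whose requests go through bot detection for the TTL."""
    total = defaultdict(int)
    for _ip, domain, _code in records:
        total[domain] += 1
    return {domain for domain, count in total.items() if count > n}


def evaluate_interval(log_text, n=100):
    """Apply both example rules to one interval's log and return the actions."""
    records = parse_log(log_text)
    return {
        "block_403": ips_to_block(records),
        "bot_detection": domains_for_bot_detection(records, n),
    }


if __name__ == "__main__":
    print(evaluate_interval(build_sample_log()))
```

The two IP addresses that are not blocked show why the criteria are combined with &&: one fails the ratio test and the other fails the count test, so a single client that happens to hit a few missing pages is not cut off. In the real service each edge node keeps its own counters, so a client spread across several nodes needs more total requests before any one node's count crosses the threshold.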

Related API operations

DescribeDomainCcActivityLog: queries log entries of rate limiting.