Anti-DDoS:ModifyPolicy

Last Updated: Nov 20, 2025

Modifies an existing mitigation policy.

Operation description

Modifies a mitigation policy.

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

| Action | Access level | Resource type | Condition key | Dependent action |
| --- | --- | --- | --- | --- |
| yundun-antiddosbag:ModifyPolicy | update | *Policy acs:yundun-antiddosbag:{#regionId}:{#accountId}:policy/{#PolicyId} | None | None |
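
The following Python example is added here and is not from the Alibaba Cloud documentation. It builds a RAM policy that grants yundun-antiddosbag:ModifyPolicy only on named mitigation policies, using the ARN format from the table above, and flags statements in an existing policy document that grant the action without naming a policy ID. The region, account ID and policy IDs are constructed placeholders, and the function names are hypothetical.

```python
import fnmatch
import json

ACTION = "yundun-antiddosbag:ModifyPolicy"
# ARN format from the authorization table; the values filled in below are constructed.
ARN_TEMPLATE = "acs:yundun-antiddosbag:{region}:{account}:policy/{policy_id}"

def _as_list(value):
    """RAM policy elements may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])

def scoped_policy(region, account, policy_ids):
    """Build a RAM policy that allows ModifyPolicy on the named policies only."""
    resources = [ARN_TEMPLATE.format(region=region, account=account, policy_id=p)
                 for p in policy_ids]
    return {"Version": "1",
            "Statement": [{"Effect": "Allow", "Action": ACTION, "Resource": resources}]}

def overbroad_statements(policy_doc):
    """Return indexes of Allow statements granting ModifyPolicy without a policy ID."""
    findings = []
    for i, stmt in enumerate(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # Action patterns may contain wildcards; compare case-insensitively to be conservative.
        grants = any(fnmatch.fnmatchcase(ACTION.lower(), a.lower())
                     for a in _as_list(stmt.get("Action")))
        # A resource counts as scoped only if it ends in policy/<concrete id>.
        unscoped = any(r == "*" or r.endswith("policy/*") or "policy/" not in r
                       for r in _as_list(stmt.get("Resource")))
        if grants and unscoped:
            findings.append(i)
    return findings

# Constructed sample: statement 0 is service-wide, statement 1 is scoped.
SAMPLE = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "yundun-antiddosbag:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ACTION,
     "Resource": "acs:yundun-antiddosbag:cn-hangzhou:1234567890123456:policy/example-policy-id"},
]}

if __name__ == "__main__":
    print(json.dumps(scoped_policy("cn-hangzhou", "1234567890123456",
                                   ["example-policy-id"]), indent=2))
    print("over-broad statement indexes:", overbroad_statements(SAMPLE))
```
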

Request parameters

Parameter

Type

Required

Description

Example

Id

string

Yes

The ID of the policy.

c52c2fa6-fdac-40c4-8753-be7c********

ActionType

integer

Yes

The type of action. Valid values:

  • 10: Modify the name. The Name parameter is required.

  • 11: Modify the expiration time of the blacklist. The BlackIpListExpireAt parameter is required. This action is supported only for mitigation policies for IP addresses.

  • 12: Modify the switch that adds the origin URLs of Anti-DDoS Pro or Anti-DDoS Premium instances to the whitelist. The WhitenGfbrNets parameter is required. This action is supported only for mitigation policies for IP addresses.

  • 13: Modify the switch that disables the ICMP protocol. The EnableDropIcmp parameter is required. This action is supported only for mitigation policies for IP addresses.

  • 20: Add IP addresses to the IP address whitelist or blacklist. The WhiteIpList and BlackIpList parameters are optional. This action is supported only for mitigation policies for IP addresses.

  • 21: Remove IP addresses from the IP address whitelist or blacklist. The WhiteIpList and BlackIpList parameters are optional. This action is supported only for mitigation policies for IP addresses.

  • 22: Clear the IP address whitelist. This action is supported only for mitigation policies for IP addresses.

  • 23: Clear the IP address blacklist. This action is supported only for mitigation policies for IP addresses.

  • 30: Modify the AI-powered protection switch and level. The EnableIntelligence and IntelligenceLevel parameters are required. This action is supported only for mitigation policies for IP addresses.

  • 31: Modify the Location Blacklist settings. The RegionBlockCountryList and RegionBlockProvinceList parameters are optional. This action is supported only for mitigation policies for IP addresses.

  • 32: Modify the Source Rate Limiting settings. The SourceLimit and SourceBlockList parameters are required. This action is supported only for mitigation policies for IP addresses.

  • 33: Modify the reflection attack port filter. The ReflectBlockUdpPortList parameter is required. This action is supported only for mitigation policies for IP addresses.

  • 40: Create a Port Blocking rule. The PortRuleList parameter is required. This action is supported only for mitigation policies for IP addresses.

  • 41: Modify a Port Blocking rule. The PortRuleList parameter is required. This action is supported only for mitigation policies for IP addresses.

  • 42: Delete a Port Blocking rule. The PortRuleList parameter is required. This action is supported only for mitigation policies for IP addresses.

  • 50: Create a Byte-Match Filter rule. The FingerPrintRuleList parameter is required. This action is supported only for mitigation policies for IP addresses.

  • 51: Modify a Byte-Match Filter rule. The FingerPrintRuleList parameter is required. This action is supported only for mitigation policies for IP addresses.

  • 52: Delete a Byte-Match Filter rule. The FingerPrintRuleList parameter is required. This action is supported only for mitigation policies for IP addresses.

  • 60: Modify the port-specific mitigation switch. The EnableL4Defense parameter is required. This action is supported only for port-specific mitigation policies.

  • 61: Create a port-specific mitigation rule. The L4RuleList parameter is required. This action is supported only for port-specific mitigation policies.

  • 62: Modify a port-specific mitigation rule. The L4RuleList parameter is required. This action is supported only for port-specific mitigation policies.

  • 63: Delete a port-specific mitigation rule. The L4RuleList parameter is required. This action is supported only for port-specific mitigation policies.

11

Name

string

No

The name of the policy.

demo**

Content

object

No

The content of the policy.

BlackIpListExpireAt

integer

No

The time when the IP address blacklist expires. This value is a UNIX timestamp.

1716878000

EnableIntelligence

boolean

No

Specifies whether to enable AI-powered protection.

true

IntelligenceLevel

string

No

The protection level of AI-powered protection. Valid values:

  • default: Normal

  • hard: Strict

  • weak: Loose

default

WhitenGfbrNets

boolean

No

Specifies whether to add the origin URLs of Anti-DDoS Pro (the Chinese mainland) and Anti-DDoS Premium (outside the Chinese mainland) to the whitelist.

false

EnableDropIcmp

boolean

No

Specifies whether to disable the ICMP protocol.

true

RegionBlockCountryList

array

No

The list of country codes for the Location Blacklist.

integer

No

The country code for the Location Blacklist.

11

RegionBlockProvinceList

array

No

The list of province codes for the Location Blacklist.

integer

No

The province code for the Location Blacklist.

2

SourceLimit

object

No

The Source Rate Limiting settings.

Pps

integer

No

The rate limit for source PPS. Unit: packets per second.

64

Bps

integer

No

The rate limit for source bandwidth. Unit: bytes per second.

2048

SynPps

integer

No

The rate limit for source SYN PPS. Unit: packets per second.

64

SynBps

integer

No

The rate limit for source SYN bandwidth. Unit: bytes per second.

2048

SourceBlockList

array<object>

No

The list of source IP addresses to add to the blacklist for Source Rate Limiting.

object

No

The list of source IP addresses to add to the blacklist for Source Rate Limiting.

Type

integer

Yes

The type of Source Rate Limiting. Valid values:

  • 3: PPS-based rate limiting

  • 4: bandwidth-based rate limiting

  • 5: SYN PPS-based rate limiting

  • 6: SYN bandwidth-based rate limiting

3

BlockExpireSeconds

integer

Yes

The duration for which a source IP address is added to the blacklist. Unit: seconds.

120

EverySeconds

integer

Yes

The statistical period for adding a source IP address to the blacklist. Unit: seconds.

60

ExceedLimitTimes

integer

Yes

The number of times a source IP address exceeds the rate limit within a statistical period.

5

ReflectBlockUdpPortList

array

No

The list of ports to filter for reflection attack protection.

integer

No

The port to filter for reflection attack protection.

Note

Only UDP is supported.

123

PortRuleList

array<object>

No

The list of Port Blocking rules.

object

No

The list of Port Blocking rules.

Id

string

No

The rule ID.

c52c2fa6-fdac-40c4-8753-be7c*********

Protocol

string

Yes

The protocol type. Valid values:

  • tcp: Transmission Control Protocol (TCP)

  • udp: User Datagram Protocol (UDP)

tcp

SrcPortStart

integer

Yes

The start of the source port range. Valid values: 0 to 65535.

0

SrcPortEnd

integer

Yes

The end of the source port range. Valid values: 0 to 65535.

65535

DstPortStart

integer

Yes

The start of the destination port range. Valid values: 0 to 65535.

0

DstPortEnd

integer

Yes

The end of the destination port range. Valid values: 0 to 65535.

65535

MatchAction

string

Yes

The action to take upon a match. Valid values:

  • drop: Drop the packet.

drop

SeqNo

integer

Yes

The priority of the rule. The value is an integer.

Note

A smaller value indicates a higher priority.

1

FingerPrintRuleList

array<object>

No

The list of Byte-Match Filter rules.

object

No

The list of Byte-Match Filter rules.

Id

string

No

The rule ID.

5fbe941f-a0cf-4a49-9c7c-8fac********

Protocol

string

Yes

The protocol type. Valid values:

  • tcp: TCP

  • udp: UDP

udp

SrcPortStart

integer

Yes

The start of the source port range. Valid values: 0 to 65535.

0

SrcPortEnd

integer

Yes

The end of the source port range. Valid values: 0 to 65535.

65535

DstPortStart

integer

Yes

The start of the destination port range. Valid values: 0 to 65535.

0

DstPortEnd

integer

Yes

The end of the destination port range. Valid values: 0 to 65535.

65535

MinPktLen

integer

Yes

The minimum packet length. Valid values: 1 to 1500.

1

MaxPktLen

integer

Yes

The maximum packet length. Valid values: 1 to 1500.

1500

Offset

integer

No

The offset. Valid values: 0 to 1500.

0

PayloadBytes

string

No

The payload to detect. The value is a hexadecimal string.

abcd

MatchAction

string

Yes

The action to take upon a match. Valid values:

  • accept: Allow traffic that matches the fingerprint.

  • drop: Drop traffic that matches the fingerprint.

  • ip_rate: Limit the access rate for the source IP address of traffic that matches the fingerprint. Set the rate limit using the RateValue parameter.

  • session_rate: Limit the access rate for the source session of traffic that matches the fingerprint. Set the rate limit using the RateValue parameter.

drop

RateValue

integer

No

The rate limit. Valid values: 1 to 100000.

Note

This parameter is required when MatchAction is set to ip_rate or session_rate.

100

SeqNo

integer

Yes

The priority of the rule. The value is an integer.

Note

A smaller value indicates a higher priority.

1

EnableL4Defense

boolean

No

Specifies whether to enable port-specific mitigation.

true

L4RuleList

array<object>

No

The list of port-specific mitigation rules.

array<object>

No

The list of port-specific mitigation rules.

Name

string

Yes

The name of the rule.

test****

Priority

integer

No

The priority of the rule. Valid values: 1 to 100.

Note

A smaller value indicates a higher priority.

1

Method

string

No

The rule type. Valid values:

  • char: string match

  • hex: hexadecimal match

char

Match

string

No

The logical operator. Valid values:

  • 0: Take the action when a match is found.

  • 1: Take the action when no match is found.

0

Action

string

No

The action. Valid values:

  • 2: Drop the packet.

2

Limited

integer

No

The minimum number of bytes in a session stream to trigger rule matching. Valid values: 0 to 2048.

0

ConditionList

array<object>

No

The list of detection conditions.

array<object>

No

The list of detection conditions.

Arg

string

No

The content to detect.

Note

If the rule type is char, the value must be an ASCII string. If the rule type is hex, the value must be a hexadecimal string. The maximum length is 2048 characters.

abcd

Position

integer

No

The start position for detection. Valid values: 0 to 2047.

0

Depth

integer

No

The length of the detection window. Valid values: 1 to 2048.

1200

Encode

string

No

The character type. Valid values:

  • str: string

  • hex: hexadecimal

str

Pattern

string

No

The matching pattern. The valid values depend on the value of the Encode parameter.

If Encode is set to str, valid values are:

  • contain: contains

  • not_contain: does not contain

  • regex: regular expression

If Encode is set to hex, valid values are:

  • contain: contains

  • not_contain: does not contain

contain

Content

string

No

The requirements for this parameter depend on the value of the Encode parameter.

  1. If Encode is set to str, the value must follow these rules:

  • If Encode is set to str:

  • If Encode is set to hex:

  2. If Encode is set to hex, the value must meet the following requirements:

  • Content must be a hexadecimal string.

  • The length of Content must be an even number.

  • The length of Content must be 3000 characters or fewer.

  • The value of (End - Start + 1) must be greater than or equal to half the length of Content.

test**

Offset

object

No

The matching range.

Start

integer

No

The start position. Valid values: 0 to 1499.

0

End

integer

No

The end position. Valid values: 0 to 1499.

Note

The value of this parameter must be greater than or equal to the value of the Start parameter.

1499

WhiteIpList

array

No

The list of IP addresses in the whitelist.

string

No

The IP address in the whitelist.

1.1.1.*

BlackIpList

array

No

The list of IP addresses in the blacklist.

string

No

The IP address in the blacklist.

2.2.2.*

PortVersion

string

No

The version of the port-specific mitigation policy. Valid values:

  • If this parameter is not specified, the policy of the default Surf protection engine is modified.

  • 2: Modifies the policy of the new Stream protection engine.

Note

This parameter is supported only for port-specific mitigation policies.

2
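
The following Python example is added here and is not from the Alibaba Cloud documentation or SDK. It checks a ModifyPolicy request against the constraints listed in the table above before the call is made: the parameter each ActionType requires, and the documented ranges, enumerations and RateValue dependency for Byte-Match Filter rules on create and modify (ActionType 50 and 51). It assumes the request is a plain dict in which Name is top-level and the other fields sit inside Content; the function names are hypothetical.

```python
import string

# ActionType -> parameters this page marks as required ([] = none required).
REQUIRED = {
    10: ["Name"], 20: [], 21: [], 22: [], 23: [], 31: [], 11: ["BlackIpListExpireAt"],
    12: ["WhitenGfbrNets"], 13: ["EnableDropIcmp"], 33: ["ReflectBlockUdpPortList"],
    30: ["EnableIntelligence", "IntelligenceLevel"], 32: ["SourceLimit", "SourceBlockList"],
    40: ["PortRuleList"], 41: ["PortRuleList"], 42: ["PortRuleList"],
    50: ["FingerPrintRuleList"], 51: ["FingerPrintRuleList"], 52: ["FingerPrintRuleList"],
    60: ["EnableL4Defense"], 61: ["L4RuleList"], 62: ["L4RuleList"], 63: ["L4RuleList"],
}
RANGES = {"SrcPortStart": (0, 65535), "SrcPortEnd": (0, 65535), "DstPortStart": (0, 65535),
          "DstPortEnd": (0, 65535), "MinPktLen": (1, 1500), "MaxPktLen": (1, 1500),
          "Offset": (0, 1500), "RateValue": (1, 100000)}  # Byte-Match Filter bounds
ENUMS = {"Protocol": ("tcp", "udp"), "MatchAction": ("accept", "drop", "ip_rate", "session_rate")}
FP_REQUIRED = [k for k in RANGES if k not in ("Offset", "RateValue")] + [*ENUMS, "SeqNo"]

def check_fingerprint_rule(rule):
    """Return the problems found in one Byte-Match Filter rule."""
    errs = [f"{k} is required" for k in FP_REQUIRED if k not in rule]
    for key, (lo, hi) in RANGES.items():
        v = rule.get(key)
        if v is not None and not (isinstance(v, int) and lo <= v <= hi):
            errs.append(f"{key} must be an integer in {lo}..{hi}")
    for key, allowed in ENUMS.items():
        if key in rule and rule[key] not in allowed:
            errs.append(f"{key} must be one of {', '.join(allowed)}")
    if rule.get("MatchAction") in ("ip_rate", "session_rate") and "RateValue" not in rule:
        errs.append("RateValue is required for ip_rate and session_rate")
    payload = rule.get("PayloadBytes")
    if payload is not None and not (isinstance(payload, str) and payload
                                    and set(payload) <= set(string.hexdigits)):
        errs.append("PayloadBytes must be a hexadecimal string")
    return errs

def check_request(req):
    """Validate a ModifyPolicy request dict; an empty list means nothing was found."""
    errs = [f"{k} is required" for k in ("Id", "ActionType") if k not in req]
    action, content = req.get("ActionType"), req.get("Content") or {}
    if errs or action not in REQUIRED:
        return errs or [f"ActionType {action!r} is not a documented value"]
    for name in REQUIRED[action]:
        # Assumption: Name is top-level; every other field is nested in Content.
        if name not in (req if name == "Name" else content):
            errs.append(f"ActionType {action} requires {name}")
    if action in (50, 51):  # create / modify carry full rule bodies
        for i, rule in enumerate(content.get("FingerPrintRuleList", [])):
            errs += [f"[{i}] {e}" for e in check_fingerprint_rule(rule)]
    return errs
```

Running the check in the pipeline that submits policy changes stops a malformed rule locally instead of relying on the service to reject it.
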

Response elements

| Element | Type | Description | Example |
| --- | --- | --- | --- |
| | object | The response parameters. | |
| RequestId | string | The ID of the request. | B4B379C2-9319-4C6B-B579-FE36831**** |

Examples

Success response

JSON format

{
  "RequestId": "B4B379C2-9319-4C6B-B579-FE36831****"
}

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.