Anti-DDoS:IP-specific mitigation policy

Last Updated:Mar 30, 2026

To protect a regular Alibaba Cloud service or an EIP with Anti-DDoS (Enhanced) from volumetric DDoS attacks at the network and transport layers, create an IP-specific mitigation policy. A policy is a set of rules that discard or allow traffic to the protected IP address, on top of the default protection that Anti-DDoS Origin already provides.

Usage notes

  • A regular Alibaba Cloud service supports only IP-specific mitigation policies, not port-specific ones. An EIP with Anti-DDoS (Enhanced) supports both. If you configure both, the IP-specific mitigation policy takes precedence.

  • Each public IP asset can be associated with only one IP-specific mitigation policy.

  • Anti-DDoS Origin uses custom mitigation policies to intercept traffic. Traffic that a policy discards is still counted in the attack traffic statistics of the protected asset.

Before you begin

  • For a regular Alibaba Cloud service: You must add the public IP asset as a protected asset, regardless of whether you use Anti-DDoS Origin 1.0, 2.0, or the pay-as-you-go version. For more information, see Protected assets.

  • For an EIP with Anti-DDoS (Enhanced): After you purchase the service, Anti-DDoS Origin automatically adds the EIP as a protected asset. No manual action is required.

Procedure

  1. Go to the Mitigation Settings page of the Traffic Security console.

  2. Click Create Policy, enter a Policy Name, select IP-specific Mitigation Policy as the policy type, and then click OK.

  3. In the dialog box that reports The policy is created., click OK. Configure the mitigation rules, and then click Next.

    Important
    • Rule priority: When more than one rule applies to the same packet, the rule that appears earlier in the following order takes precedence. Some rules take effect only during an attack, as detailed in the table below.

      • For a regular Alibaba Cloud service: blacklist > ICMP Blocking > whitelist > Location Blacklist > Port Blocking > Byte-Match Filter.

      • For an EIP with Anti-DDoS (Enhanced): blacklist > ICMP Blocking > whitelist > Port Blocking > Byte-Match Filter > Reflection Attack Filtering > Source Rate Limiting.

    • Effective period: Rules have no expiration time and stay in effect until you change or delete them, except blacklist entries, for which you must set an expiration time (1 to 10,080 minutes).

    The following entries list each rule with its description, whether a regular Alibaba Cloud service and an EIP with Anti-DDoS (Enhanced) support it and when it takes effect, and notes.

    Rule: Intelligent Protection
    Description: A big data analytics engine learns the traffic baseline of your service and adaptively protects against DDoS attacks at the network and transport layers.
    Regular service: Not supported.
    Enhanced EIP: Supported.
    Notes:
      Important
      This feature is enabled by default at the Normal protection level after you create the policy template. The engine needs approximately three days of traffic training to reach optimal protection.
      Using historical service data and expert-driven algorithms, the protection levels work as follows:
      • Loose: Blocks only malicious IP addresses with obvious attack characteristics. This level may miss some attacks but has a low false positive rate.
      • Normal: Blocks both obvious and suspected malicious IP addresses. This level balances protection effectiveness against the false positive rate.
      • Strict: Provides the strongest protection but has a higher probability of false positives.

    Rule: ICMP Blocking
    Description: During traffic scrubbing, the system discards ICMP traffic to filter ICMP floods and reduce the exposure of the server to scanning.
    Regular service: Supported. Takes effect during attacks.
    Enhanced EIP: Supported. For services in the Chinese mainland: always-on. For services outside the Chinese mainland: takes effect during attacks in China (Hong Kong) and US (Virginia); always-on in other regions.
    Notes:
      ICMP Blocking also applies to whitelisted IP addresses: their ICMP traffic is discarded even though they are on the whitelist.
      Important
      If you enable this feature, ping commands receive no response. Disable it before you perform network diagnostics or maintenance that relies on ICMP.

    Rule: Blacklist and Whitelist
    Description: Create rules to discard or allow traffic from specified source IP addresses.
      Important
      If the volume of traffic allowed by the whitelist is excessively large, that traffic may still trigger the default destination IP rate limiting policy of Anti-DDoS Origin, because of service specifications and cloud platform protection mechanisms. The whitelist exempts a source from your custom rules, not from the platform's own limits.
    Regular service: Supported. Takes effect during attacks.
    Enhanced EIP: Supported. Always-on.
    Notes:
      When you add IP addresses to the blacklist, you must set an expiration time of 1 to 10,080 minutes (7 days). The setting applies to all IP addresses in the current blacklist.
      You can add up to 2,000 IP addresses to the blacklist and up to 2,000 IP addresses to the whitelist.

    Rule: Location Blacklist
    Description: Blocks requests from specified geographical regions. After you enable this feature, the system discards all traffic from the blocked regions.
    Regular service: Supported. Takes effect during attacks.
    Enhanced EIP: Supported. Always-on.
    Notes: You can block traffic by region or by country.

    Rule: Port Blocking
    Description: For UDP or TCP, create rules that discard traffic by source port or destination port. This lets you drop traffic for a protocol and port range outright, and is an effective filter for UDP reflection attacks, whose packets arrive from the well-known source port of the abused service.
    Regular service: Supported. Takes effect during attacks.
    Enhanced EIP: Supported. For services in the Chinese mainland: always-on. For services outside the Chinese mainland: takes effect during attacks in China (Hong Kong) and US (Virginia); always-on in other regions.
    Notes:
      You can create up to eight rules.
      Important
      We recommend the following configurations based on your business scenario:
      • If the protected asset has only TCP services (no UDP services), block all UDP source ports. If you add UDP services later, adjust the policy promptly, because the new service's traffic would otherwise be discarded.
      • If the protected asset has UDP services, block the common UDP reflection source ports: 1 to 52, 54 to 161, 389, 1900, and 11211.

    Rule: Source Rate Limiting
    Description: Limits the rate of traffic from source IP addresses that exceed a specified threshold.
    Regular service: Not supported.
    Enhanced EIP: Supported. Always-on.
    Notes: Supports thresholds on Source PPS, Source Bandwidth, PPS of Source SYN Packets, and Bandwidth of Source SYN Packets. After you set a rate limit, you can also configure the system to add a source IP address to the blacklist if it exceeds the limit five times within 60 seconds; the system then discards all traffic from that IP address.

    Rule: Reflection Attack Filtering
    Description: Applies only to UDP traffic. The system discards UDP traffic whose source port is one of the reflection source ports that you specify.
    Regular service: Not supported.
    Enhanced EIP: Supported. Always-on.
    Notes:
      Provides a One-click Filtering Policy and a Custom Filtering Policy.
      • One-click Filtering Policy: Lists the source ports of common UDP reflection attacks. If your service does not use these UDP source ports, we recommend that you block all of them.
      • Custom Filtering Policy: Specify your own reflection source ports, up to 20. These ports cannot overlap with the ports in the One-click Filtering Policy.

    Rule: Byte-Match Filter
    Description: Packets generated by attack tools often share fixed byte patterns. This feature compares the bytes at a specified position in the packet payload with a pattern and then allows, discards, or rate-limits the traffic based on the result.
    Regular service: Supported. Takes effect during attacks.
    Enhanced EIP: Supported. For services in the Chinese mainland: always-on. For services outside the Chinese mainland: takes effect during attacks in China (Hong Kong) and US (Virginia); always-on in other regions.
    Notes:
      Configuration guide:
      • Protocol: TCP or UDP.
      • Source Port Range: Valid values: 0 to 65535.
      • Destination Port Range: Valid values: 0 to 65535.
      • Packet Length Range: The length of the IP packet. Valid values: 1 to 1500. Unit: bytes.
      • Offset: The position, in bytes, at which matching starts, counted from the first byte of the payload that follows the UDP or TCP header. Valid values: 0 to 1500. An offset of 0 matches from the first payload byte.
      • Payload: The bytes to match, as a hexadecimal string of 1 to 15 bytes (2 to 30 hex characters) without the 0x prefix. For example, to match the byte 0xad, enter ad.
      • Action: The action to take on traffic that matches. Valid values: Pass, Discard, Limit Bandwidth of Source IP Address, and Limit Bandwidth of Session. For the two limit actions you must set a rate limit. Valid values: 1 to 100,000. Unit: pps.

    Rule: Add Back-to-origin CIDR Blocks of Anti-DDoS Proxy to Whitelist
    Description: Adds the back-to-origin IP addresses of Anti-DDoS Proxy to the access control policy whitelist of your cloud service.
    Regular service: Not supported.
    Enhanced EIP: Supported.
    Notes: When you protect an EIP with Anti-DDoS (Enhanced), traffic passes through the Anti-DDoS Proxy traffic scrubbing center before it reaches your origin server, so the origin sees the proxy's back-to-origin addresses as the traffic sources. We strongly recommend that you enable this feature so that your policy does not block that legitimate traffic.

  4. In the Protected Assets list, in the Objects to Select area, select a Protected instance.

  5. Select the Asset IP Address that you want to protect. Then, in the Port/Protocol area, select the specific ports to protect.

  6. After you complete the configuration, click Add.
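The Source Rate Limiting rule above says only that a source can be added to the blacklist after it exceeds the limit five times within 60 seconds. The following added example, which is not Alibaba Cloud code, models that behaviour so you can see how rate-limited packets (excess over the threshold) differ from blacklisted packets (everything from the source). The 1-second counting buckets, "one violation per bucket that breaks the limit", the BLACKLIST_MINUTES duration and the traffic itself are assumptions constructed for the model; the page does not specify how the scrubbing engine measures rates or how long an automatic blacklist entry lasts.

```python
# Added example, not Alibaba Cloud code: a model of Source Rate Limiting with the
# optional "add the source to the blacklist after it exceeds the limit five times
# within 60 seconds" behaviour. Assumptions not stated on the page: packets are
# counted per source in 1-second buckets, a bucket that goes over the limit counts
# as one violation, and an automatic blacklist entry lasts BLACKLIST_MINUTES.
from collections import defaultdict, deque

BLACKLIST_MINUTES = 10  # assumed duration of an automatic blacklist entry


class SourceRateLimiter:
    def __init__(self, pps_limit, violations_to_blacklist=5, window_s=60,
                 blacklist_minutes=BLACKLIST_MINUTES):
        self.pps_limit = pps_limit
        self.violations_to_blacklist = violations_to_blacklist
        self.window_s = window_s
        self.blacklist_s = blacklist_minutes * 60
        self.counts = defaultdict(int)        # (src, second) -> packets seen in that second
        self.violations = defaultdict(deque)  # src -> timestamps of seconds that broke the limit
        self.blacklist = {}                   # src -> time at which the entry expires

    def handle(self, src, ts):
        """Process one packet from src at time ts (seconds).

        Returns 'pass', 'limited' (dropped as excess over the limit) or
        'blacklisted' (dropped because the source is on the automatic blacklist)."""
        expiry = self.blacklist.get(src)
        if expiry is not None:
            if ts < expiry:
                return "blacklisted"
            del self.blacklist[src]           # entry has expired; the source starts clean
        bucket = (src, int(ts))
        self.counts[bucket] += 1
        if self.counts[bucket] <= self.pps_limit:
            return "pass"
        if self.counts[bucket] == self.pps_limit + 1:
            # First excess packet in this second: record one violation and keep
            # only the violations that fall inside the sliding 60-second window.
            recent = self.violations[src]
            recent.append(ts)
            while recent and recent[0] <= ts - self.window_s:
                recent.popleft()
            if len(recent) >= self.violations_to_blacklist:
                self.blacklist[src] = ts + self.blacklist_s
                recent.clear()
                return "blacklisted"
        return "limited"


def replay(limiter, src, pps_by_second):
    """Send pps_by_second[i] evenly spaced packets from src during second i.

    Returns how many packets received each verdict."""
    summary = {"pass": 0, "limited": 0, "blacklisted": 0}
    for second, n in enumerate(pps_by_second):
        for k in range(n):
            summary[limiter.handle(src, second + k / n)] += 1
    return summary


if __name__ == "__main__":
    # Constructed traffic: a source that holds 150 pps against a 100 pps limit.
    # Seconds 0-3 are rate-limited; the fifth violation in second 4 blacklists it,
    # after which even its in-limit traffic in seconds 5-6 is discarded.
    lim = SourceRateLimiter(pps_limit=100)
    print(replay(lim, "192.0.2.7", [150] * 5 + [50] * 2))   # pass 500, limited 200, blacklisted 150
    # A bursty source that breaks the limit only four times in the window is limited, never blacklisted.
    lim2 = SourceRateLimiter(pps_limit=100)
    print(replay(lim2, "192.0.2.8", [120, 50] * 4), lim2.blacklist)
```

The two scenarios show the practical difference: a source that is merely rate-limited still gets its first 100 packets per second through, while a blacklisted source loses everything until the entry expires, which is why the auto-blacklist option should be paired with a threshold comfortably above your legitimate per-source rate.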

Related operations

  • Modify an IP-specific mitigation policy template: On the Mitigation Settings page, select IP-specific Mitigation Policy from the drop-down list in the upper-left corner. Find the target policy and, in the Actions column, click Modify Protection Rule.

    Important

    After you modify a policy template, the changes are applied to all protected assets linked to the template. Proceed with caution.

  • Delete an IP-specific mitigation policy template: On the Mitigation Settings page, select IP-specific Mitigation Policy. Find the target policy and, in the Actions column, click Delete.

    Important

    You cannot delete a policy template that is linked to a protected asset. To delete the template, you must first unlink it from all protected assets.

  • Add or remove a protected asset for a policy template: On the Mitigation Settings page, select IP-specific Mitigation Policy. Find the target policy and, in the Actions column, click Add Object for Protection.

Configuration example

For a regular Alibaba Cloud service, you can configure an IP-specific mitigation policy based on service characteristics to defend against volumetric attacks at the network and transport layers.

Parameter

Description

ICMP Blocking

If your service does not use the ICMP protocol, you can enable ICMP Blocking.

Blacklist and Whitelist

After an attack, you can navigate to the Attack Analysis page to add the most frequent suspicious source IP addresses to the blacklist. You can add up to 2,000 IP addresses. For more information, see Attack Analysis.

Location Blacklist

You can block all regions where your service is not available. For example, if you do not have services outside the Chinese mainland, you can block all regions outside the Chinese mainland.

Port Blocking

If your service does not use UDP ports, you can block all UDP ports.

Byte-Match Filter

You can analyze attack traffic and configure a Byte-Match Filter based on traffic signatures.
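The configuration example above, as an added illustration that is not Alibaba Cloud code: a small model of how a regular service's IP-specific mitigation policy evaluates one packet in the documented precedence order (blacklist > ICMP Blocking > whitelist > Location Blacklist > Port Blocking > Byte-Match Filter), including the Byte-Match Filter parameters from the configuration guide. The policy models a TCP-only web service as recommended above: all UDP source ports blocked, ICMP blocked, one region fenced off, and one Byte-Match rule for the page's own 0xad example. The packets, source IP addresses, the ZZ country label and the rule contents are constructed; how the real scrubbing engine derives geolocation and packet length is not shown on the page.

```python
# Added example, not Alibaba Cloud code: a model of how a regular service's
# IP-specific mitigation policy evaluates one packet, in the documented order
# blacklist > ICMP Blocking > whitelist > Location Blacklist > Port Blocking > Byte-Match Filter.
# Packets, countries and rule contents below are constructed for illustration.
from dataclasses import dataclass, field
from typing import List, Set, Tuple


def payload_hex_is_valid(hex_str: str) -> bool:
    """Byte-Match payload rule: 1 to 15 bytes of hex, no 0x prefix."""
    if hex_str.lower().startswith("0x") or len(hex_str) % 2:
        return False
    try:
        n = len(bytes.fromhex(hex_str))
    except ValueError:
        return False
    return 1 <= n <= 15


@dataclass
class Packet:
    src_ip: str
    proto: str                 # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    ip_len: int = 64           # total IP packet length in bytes
    payload: bytes = b""       # bytes after the TCP/UDP header
    src_country: str = ""      # constructed geo label; the real service derives this itself


@dataclass
class ByteMatchRule:
    proto: str
    src_ports: Tuple[int, int]   # 0..65535
    dst_ports: Tuple[int, int]
    pkt_len: Tuple[int, int]     # 1..1500
    offset: int                  # 0..1500, counted from the first payload byte
    payload_hex: str             # 1..15 bytes, no 0x
    action: str                  # "pass", "discard", "limit_src" or "limit_session"
    rate_pps: int = 0            # 1..100000, required for the two limit actions

    def __post_init__(self):
        if not payload_hex_is_valid(self.payload_hex):
            raise ValueError("payload must be 1-15 bytes of hex without 0x")
        if self.action.startswith("limit") and not 1 <= self.rate_pps <= 100_000:
            raise ValueError("limit actions need a rate of 1-100000 pps")
        self.pattern = bytes.fromhex(self.payload_hex)

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto:
            return False
        if not (self.src_ports[0] <= p.src_port <= self.src_ports[1]
                and self.dst_ports[0] <= p.dst_port <= self.dst_ports[1]
                and self.pkt_len[0] <= p.ip_len <= self.pkt_len[1]):
            return False
        # Compare the pattern against the payload window starting at the offset.
        return p.payload[self.offset:self.offset + len(self.pattern)] == self.pattern


@dataclass
class Policy:
    blacklist: Set[str] = field(default_factory=set)
    whitelist: Set[str] = field(default_factory=set)
    icmp_blocking: bool = False
    location_blacklist: Set[str] = field(default_factory=set)
    port_blocks: List[Tuple[str, str, int, int]] = field(default_factory=list)  # (proto, "src"|"dst", lo, hi)
    byte_match: List[ByteMatchRule] = field(default_factory=list)

    def __post_init__(self):
        if len(self.blacklist) > 2000 or len(self.whitelist) > 2000:
            raise ValueError("at most 2,000 blacklist and 2,000 whitelist entries")
        if len(self.port_blocks) > 8:
            raise ValueError("at most 8 Port Blocking rules")

    def evaluate(self, p: Packet) -> Tuple[str, str]:
        """Return (verdict, deciding rule); verdict is 'pass', 'discard' or 'limit:<pps>'."""
        if p.src_ip in self.blacklist:
            return "discard", "blacklist"
        if self.icmp_blocking and p.proto == "icmp":   # above the whitelist: whitelisted sources lose ICMP too
            return "discard", "icmp_blocking"
        if p.src_ip in self.whitelist:                  # exempt from every rule that follows
            return "pass", "whitelist"
        if p.src_country in self.location_blacklist:
            return "discard", "location_blacklist"
        for proto, side, lo, hi in self.port_blocks:
            port = p.src_port if side == "src" else p.dst_port
            if p.proto == proto and lo <= port <= hi:
                return "discard", f"port_block:{proto}/{side}/{lo}-{hi}"
        for rule in self.byte_match:
            if rule.matches(p):
                if rule.action in ("pass", "discard"):
                    return rule.action, f"byte_match:{rule.payload_hex}"
                return f"limit:{rule.rate_pps}", f"byte_match:{rule.payload_hex}"
        return "pass", "default"


# Constructed policy for a TCP-only web service. 203.0.113.10 is deliberately on
# both lists to show that the blacklist wins.
TCP_ONLY_POLICY = Policy(
    blacklist={"203.0.113.10"},
    whitelist={"198.51.100.5", "203.0.113.10"},
    icmp_blocking=True,
    location_blacklist={"ZZ"},
    port_blocks=[("udp", "src", 0, 65535)],
    byte_match=[ByteMatchRule("tcp", (0, 65535), (80, 80), (1, 1500), 0, "ad", "discard")],
)

if __name__ == "__main__":
    for pkt in (
        Packet("203.0.113.10", "tcp", 40000, 443),                    # blacklist beats whitelist
        Packet("198.51.100.5", "icmp"),                                # whitelisted, ICMP still dropped
        Packet("198.51.100.5", "udp", 1900, 9000),                     # whitelist beats Port Blocking
        Packet("192.0.2.7", "udp", 1900, 9000),                        # SSDP reflection source port
        Packet("192.0.2.7", "tcp", 40001, 80, payload=b"\xad\xbe"),   # Byte-Match hit at offset 0
        Packet("192.0.2.7", "tcp", 40002, 80, payload=b"GET / HTTP/1.1"),
        Packet("192.0.2.8", "tcp", 40003, 80, src_country="ZZ"),
    ):
        print(pkt.src_ip, pkt.proto, TCP_ONLY_POLICY.evaluate(pkt))
```

The order of the checks is the point: the whitelist exempts a source from Location Blacklist, Port Blocking and Byte-Match Filter, but not from the blacklist or from ICMP Blocking, which is why the table warns that whitelisted addresses still lose ping. When you write a Byte-Match rule, remember that the offset is counted from the first payload byte, not from the start of the IP or TCP header.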