To protect an Elastic IP address (EIP) with Anti-DDoS (Enhanced) enabled against TCP connection resource exhaustion attacks—non-website application-layer flood attacks—you can configure a port-specific mitigation policy. This policy enables fine-grained monitoring and filtering of application-layer traffic to allow or drop service traffic that contains specific features. This topic describes how to configure a port-specific mitigation policy.
Notes
Regular Alibaba Cloud services support only IP-specific mitigation policies. EIPs with Anti-DDoS (Enhanced) enabled support both IP-specific and port-specific mitigation policies. If both are configured for an EIP, the IP-specific mitigation policy takes precedence.
You can attach only one port-specific mitigation policy to each port.
This feature is in public preview. To enable it, contact your account manager.
Scope
This feature applies to ports of an EIP with Anti-DDoS (Enhanced) enabled that you have added as a protected object. For more information, see Protected objects.
Procedure
Log on to the Traffic Security console.
In the left-side navigation pane, choose .
Click Create Policy. Enter a Policy Name, set Policy Type to Port-specific Mitigation Policy, and then click OK.
In the "The policy is created." dialog box, click OK. You are redirected to the Create Rule page.
On the Create Rule page, click Create Rule. Configure mitigation rules for the policy template, and then click Next.
Rule Name: Enter a custom name for the rule. You can add up to 10 mitigation rules to each policy template.
Match Conditions: Click Add Condition to configure match conditions for the policy.
Note: You can add up to 10 conditions.
Rule Type: Select String or Hexadecimal.
Match Range: Valid values for the start position and end position are 0 to 1499. The start position must be less than or equal to the end position.
Logical Operator: Only Yes and No are supported.
Term to Match:
If Rule Type is set to String: The match content can be up to 1500 characters long. The value of (End Position − Start Position + 1) must be greater than or equal to the length of the match content.
If Rule Type is set to Hexadecimal: The match content must consist of hexadecimal characters. The string can be up to 3000 characters long and must contain an even number of characters. The value of (End Position − Start Position + 1) must be greater than or equal to (Length of Match Content ÷ 2).
Action:
Monitor: Records hits but does not block requests.
Block: Drops the current request.
In the Protected Assets list, in the Objects to Select area, select a Protected Instance.
After you select the Asset IP Address to protect, select the specific ports to protect in the Port/Protocol area.
Click Add.
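The constraints on Match Range, Rule Type, Term to Match and Logical Operator above are easy to get wrong when drafting rules, so the following added example models them offline. It is illustrative code written for this page, not Alibaba Cloud's implementation or API: the class names, the "Allow" verdict, the reading of Logical Operator as "window contains the term" (Yes) or "window does not contain it" (No), the AND between conditions of one rule, and Block taking precedence over Monitor are all assumptions; the offsets, length limits and counts are the ones stated in the procedure. Sample payloads are constructed.

```python
from dataclasses import dataclass, field
from typing import List

# Limits stated in the procedure above
MAX_POSITION = 1499      # Match Range: start/end position 0..1499
MAX_CONDITIONS = 10      # conditions per rule
MAX_RULES = 10           # rules per policy template
MAX_STRING_LEN = 1500    # String term, in characters
MAX_HEX_LEN = 3000       # Hexadecimal term, in hex characters (two per byte)


@dataclass
class Condition:
    rule_type: str          # "String" or "Hexadecimal"
    start: int              # first inspected payload byte offset
    end: int                # last inspected payload byte offset, inclusive
    term: str               # Term to Match
    operator: str = "Yes"   # Logical Operator; assumed: Yes = window contains the
                            # term, No = window does not contain it

    def validate(self) -> None:
        """Enforce the console's constraints; raise ValueError on a bad condition."""
        if not (0 <= self.start <= MAX_POSITION and 0 <= self.end <= MAX_POSITION):
            raise ValueError("positions must lie between 0 and 1499")
        if self.start > self.end:
            raise ValueError("start position must be <= end position")
        if self.operator not in ("Yes", "No"):
            raise ValueError("logical operator must be Yes or No")
        window = self.end - self.start + 1
        if self.rule_type == "String":
            if not 0 < len(self.term) <= MAX_STRING_LEN:   # non-empty is an assumption
                raise ValueError("string term must be 1..1500 characters")
            if window < len(self.term):
                raise ValueError("match range is shorter than the term")
        elif self.rule_type == "Hexadecimal":
            if not 0 < len(self.term) <= MAX_HEX_LEN or len(self.term) % 2:
                raise ValueError("hex term must be 2..3000 characters and even-length")
            try:
                bytes.fromhex(self.term)
            except ValueError:
                raise ValueError("hex term contains non-hexadecimal characters") from None
            if window < len(self.term) // 2:
                raise ValueError("match range is shorter than the decoded term")
        else:
            raise ValueError("rule type must be String or Hexadecimal")

    def pattern(self) -> bytes:
        """Bytes compared against the payload window."""
        return self.term.encode("utf-8") if self.rule_type == "String" else bytes.fromhex(self.term)

    def matches(self, payload: bytes) -> bool:
        # Only bytes start..end (inclusive) are inspected; a short payload yields a short window.
        found = self.pattern() in payload[self.start:self.end + 1]
        return found if self.operator == "Yes" else not found


@dataclass
class Rule:
    name: str
    conditions: List[Condition]
    action: str     # "Monitor" records the hit; "Block" drops the request

    def validate(self) -> None:
        if not 0 < len(self.conditions) <= MAX_CONDITIONS:
            raise ValueError("a rule needs 1..10 conditions")
        if self.action not in ("Monitor", "Block"):
            raise ValueError("action must be Monitor or Block")
        for cond in self.conditions:
            cond.validate()

    def matches(self, payload: bytes) -> bool:
        return all(c.matches(payload) for c in self.conditions)   # assumed: AND


@dataclass
class Policy:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def validate(self) -> None:
        if not 0 < len(self.rules) <= MAX_RULES:
            raise ValueError("a policy template needs 1..10 rules")
        for rule in self.rules:
            rule.validate()

    def evaluate(self, payload: bytes) -> str:
        """Verdict for one TCP payload: Block beats Monitor; no hit means Allow (assumed)."""
        verdict = "Allow"
        for rule in self.rules:
            if rule.matches(payload):
                if rule.action == "Block":
                    return "Block"
                verdict = "Monitor"
        return verdict


def validation_error(item) -> str:
    """Return "" when item passes validate(), otherwise the rejection reason."""
    try:
        item.validate()
        return ""
    except ValueError as exc:
        return str(exc)


# Constructed samples: a fixed prefix a flood client sends, and a benign payload
FLOOD_PAYLOAD = bytes.fromhex("0001") + b"FLOOD" + b"A" * 40
NORMAL_PAYLOAD = b"\x00\x02" + b"HELLO" + b"B" * 40
SAMPLE_POLICY = Policy("demo-port-policy", [
    Rule("drop-flood-signature",
         [Condition("Hexadecimal", 0, 1, "0001"), Condition("String", 2, 20, "FLOOD")], "Block"),
    Rule("watch-long-padding", [Condition("String", 0, 60, "A" * 20)], "Monitor"),
])

if __name__ == "__main__":
    print(validation_error(SAMPLE_POLICY) or "policy valid")
    for payload in (FLOOD_PAYLOAD, NORMAL_PAYLOAD):
        print(payload[:8], "->", SAMPLE_POLICY.evaluate(payload))
```

Running the block prints "policy valid", Block for the flood prefix and Allow for the benign payload. Note that a condition with Logical Operator No matches any payload whose window lacks the term, including an empty one, so pair it with a Yes condition in the same rule unless that is what you intend.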
Related operations
Modify a port-specific mitigation policy template: In the upper-left corner of the Mitigation Settings page, select Port-specific Mitigation Policy from the drop-down list. Find the policy that you want to modify and click Modify Mitigation Policy in the Actions column.
Important: After you modify a policy template, the protected objects associated with it will use the modified policy. Proceed with caution.
Delete a port-specific mitigation policy template: On the Mitigation Settings page, select Port-specific Mitigation Policy. Find the policy that you want to delete and click Delete in the Actions column.
Important: You cannot delete a policy template that is associated with protected objects. To delete the template, first remove its association with the protected objects.
Add protected objects to or remove them from a policy template: On the Mitigation Settings page, select Port-specific Mitigation Policy. Find the target policy and click Add Object for Protection in the Actions column to add or remove protected objects from the policy template.