The location blacklist feature blocks traffic from specific geographic regions at scrubbing centers before it reaches your origin servers. Use it to stop connection flood attacks originating from regions where you have no legitimate users.
How it works
When you configure the location blacklist for an Anti-DDoS Proxy instance, all traffic from the specified regions is dropped at scrubbing centers. The feature identifies traffic by the source IP address location — it does not reduce incoming attack bandwidth, but it stops connection flood attacks by discarding requests before they exhaust your connection pool.
Choosing between location blacklist features
Anti-DDoS Proxy provides two location-based blocking features:
| Feature | Scope | Typical use |
|---|---|---|
| Location blacklist | All services on an Anti-DDoS Proxy instance | Port services (Layer 4) |
| Location blacklist (domain names) | Specific domain names only | Website services (Layer 7) |
When both features are active, the location blacklist takes higher priority. For example, if the location blacklist blocks all regions outside the Chinese mainland, users from those regions cannot access associated domain names — even if the location blacklist (domain names) feature allows it.
The location blacklist blocks traffic at scrubbing centers (near the destination). To discard attack traffic upstream using Internet Service Provider (ISP) core routers, use the near-origin traffic diversion feature instead. That feature is available only for Anti-DDoS Proxy (Chinese Mainland).
Use cases
Geographically isolated services: If all your users are in the Chinese mainland, block all regions outside the Chinese mainland to eliminate unsolicited connection attempts from overseas.
Location blacklist configurations are permanently valid — there is no automatic expiration.
Limitations
Configure the location blacklist for each Anti-DDoS Proxy instance individually. Batch configuration across multiple instances is not supported.
Prerequisites
Before you begin, ensure that you have:
Configure the location blacklist
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region that matches your instance:
Chinese Mainland for Anti-DDoS Proxy (Chinese Mainland) instances
Outside Chinese Mainland for Anti-DDoS Proxy (Outside Chinese Mainland) instances
In the left navigation pane, choose Mitigation Settings > General Policies.
On the Protection for Infrastructure tab, select the instance from the list on the left.
Search by instance ID or description to find your instance quickly.
In the Location Blacklist section, click Settings.
In the Configure Location Blacklist panel, select the regions to block and click OK.
In the Location Blacklist section, turn on Status to activate the configuration.
Related topics
To block specific regions for individual domain names instead of all instance services, see Configure the location blacklist (domain names) feature.
For questions about blocking specific countries versus all overseas regions, see FAQ.