Global mitigation policy for website services in Anti-DDoS - Anti-DDoS

The global mitigation policy applies Anti-DDoS Proxy's built-in ruleset — accumulated from real-world attack and defense experience — to automatically block malicious web traffic for your protected domains.

How it works

When you configure a forwarding rule for a domain name, Anti-DDoS Proxy automatically enables the global mitigation policy in Normal mode. The policy evaluates every incoming HTTP request against a set of mitigation rules and takes one of three actions: Monitor (log and allow), JavaScript Challenge (verify the source IP), or Block.

The policy supports three modes that control which rules are active. Each mode represents a different trade-off between protection strength and the risk of blocking legitimate traffic.

Usage notes

Websites added to Anti-DDoS Proxy after November 24, 2021 have the global mitigation policy in Normal mode enabled automatically.
Websites added before November 24, 2021 have the policy disabled by default. Enable it manually for those domains.

Prerequisites

Before you begin, make sure that:

A website service is added to Anti-DDoS Proxy. For more information, see Add websites.

Modes

Mode	Protection level	Best for
Loose	Blocks only specific known attacks; allows all other traffic	Large websites with strong processing capabilities; time-sensitive events such as promotional campaigns
Normal (recommended)	Blocks attacks disclosed on the Internet that have not appeared in your historical traffic; low false-positive risk	Stable workloads with consistent request volumes and predictable user sources
Strict	Aggressively blocks attacks; may also block some legitimate requests	Websites with limited processing capacity that need maximum scrubbing strength

Important

Before switching to Strict mode, contact Alibaba Cloud technical support to assess the potential impact on your website.

Mitigation rules

Anti-DDoS Proxy categorizes its mitigation rules into six types. The active rules depend on the mode you select.

Rule type	What it detects
Invalid Request	HTTP headers malformed due to encoding errors
Simulated Browser Request	HTTP requests mimicking browser behavior; typically triggers a JavaScript Challenge
Simulated Crawler Request	HTTP requests mimicking crawler behavior
Attack Tool Request	Requests from known attack tools
High-frequency Attack Request	High-rate HTTP request floods
Attack Request	Requests matching attack signatures from Alibaba Cloud threat intelligence

Each rule has a default action (Monitor, JavaScript Challenge, or Block), and you can override the action on a per-rule basis without changing the mode.

Rule support by mode

In the following table, ✓ indicates that a mode activates the rule, and × indicates that it does not.

Rule type	Rule ID	Description	Default action	Loose	Normal	Strict
Invalid Request	global_01	The HTTP request header Accept is invalid.#1	Block	✓	✓	✓
Invalid Request	global_02	The HTTP request header Accept-Language is invalid.#1	Block	✓	✓	✓
Invalid Request	global_0_1	The HTTP request header Accept-Encoding is invalid.#1	Block	×	✓	✓
Invalid Request	global_15	The HTTP request header Accept is invalid.#2	Block	✓	✓	✓
Invalid Request	global_ge_05f8a760096d29cee462a63ab418e5c3_B_t	The HTTP request header Accept is invalid.#3	Block	✓	✓	✓
Invalid Request	global_ge_0_B_t	The HTTP request header Accept-Encoding is invalid.#2	Block	×	✓	✓
Invalid Request	global_ge_0d4dbd8080c85462ea5395d1d8251da8_B_t	The HTTP request header Referer is invalid.#1	Block	×	✓	✓
Invalid Request	global_ge_0e2130d0b87abe84bd74735ec4586ab1_B_t	The HTTP request header Accept is invalid.#4	Block	✓	✓	✓
Invalid Request	global_ge_1_B_t	The HTTP request header Accept-Language is invalid.#2	Block	×	✓	✓
Invalid Request	global_ge_2cfc5256bf5be8892b9356d8db40d0e3_B_t	The HTTP request header Cache-Control is invalid.#1	Block	✓	✓	✓
Invalid Request	global_ge_aba03cde2fc06dd322ad0a1a46bc47d8_B_t	The HTTP request header Connection is invalid.#1	Block	✓	✓	✓
Invalid Request	global_online_03	The HTTP request header Referer is invalid.#2	Block	✓	✓	✓
Invalid Request	global_spv_3adcd517f14ef4295dbcb65f2b544621_B_t	The HTTP request header Accept-Language is invalid.#3	Block	×	✓	✓
Invalid Request	global_spv_a69fdbd25ac2da2984809fdc051e9d4e_B_t	The HTTP request header User-Agent is invalid.#1	Block	×	×	✓
Simulated Browser Request	global_03	The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#1	JavaScript Challenge	×	✓	×
Simulated Browser Request	global_2_3	The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#2	JavaScript Challenge	×	✓	×
Simulated Browser Request	global_2_4	The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#3	JavaScript Challenge	×	✓	×
Simulated Browser Request	global_r_1_C	The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#4	JavaScript Challenge	×	✓	×
Simulated Browser Request	global_r_2_C_t	The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#5	JavaScript Challenge	×	✓	×
Simulated Browser Request	global_th_00922977ecc39f015bdd94e54e3f08c8_C_t	The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#6	JavaScript Challenge	×	✓	×
Simulated Browser Request	global_th_10_C_t	The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#7	JavaScript Challenge	×	✓	×
Simulated Browser Request	global_th_1db36a86783775fb36ff65e9a9471293_C_t	The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#8	JavaScript Challenge	×	✓	×
Simulated Browser Request	global_th_4_C_t	The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#9	JavaScript Challenge	×	✓	×
Simulated Browser Request	global_th_5_C_t	The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#10	JavaScript Challenge	×	✓	×
Simulated Browser Request	global_th_6_C_t	The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#11	JavaScript Challenge	×	✓	×
Simulated Browser Request	global_th_7_C_t	The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#12	JavaScript Challenge	×	✓	×
Simulated Browser Request	global_th_8_C_t	The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#13	JavaScript Challenge	×	✓	×
Simulated Browser Request	global_th_9_C_t	The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#14	JavaScript Challenge	×	✓	×
Simulated Browser Request	global_th_a256dec6c80b7c953a9d5cf21b193e93_C_t	The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires strong verification based on a combination of request headers.#1	JavaScript Challenge	×	×	✓
Simulated Browser Request	global_th_e353aae960559269a5146aca41060c60_C_t	The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#15	JavaScript Challenge	×	✓	×
Simulated Crawler Request	global_d_6587d6a0e3adb13d4949cdb59a3167c3_B_t	The request is a simulated HTTP request designed to mimic a Google Chrome crawler-initiated request.#1	Block	×	×	✓
Simulated Crawler Request	global_d_97a08ec7a4a0d131194c4fd40802dd98_B_t	The request is a simulated HTTP request designed to mimic a Baidu crawler-initiated request.#1	Block	×	×	✓
Simulated Crawler Request	global_d_d51505ef3de38efe92bff2163a3b4d38_B_t	The request is a simulated HTTP request designed to mimic a Google Chrome crawler-initiated request.#2	Block	×	×	✓
Attack Tool Request	global_d_0ac87637e9fccf60e9afbe18ad6af1d9_C_t	The HTTP request may be initiated by a known attack tool, which requires verification based on a combination of request headers.#1	JavaScript Challenge	×	✓	×
Attack Tool Request	global_d_0d0fc1037e2239562d31473e11d40909_B_t	The HTTP request header User-Agent has the characteristics of requests initiated by known attack tools.#1	Block	×	✓	✓
Attack Tool Request	global_d_436c6492dbef6f8d43eec0c3caa86652_C_t	The HTTP request may be initiated by a known attack tool, which requires verification based on a combination of request headers.#2	JavaScript Challenge	×	✓	✓
Attack Tool Request	global_d_52d72f8b80d5877e10763d451cc05479_C_t	The HTTP request may be initiated by a known attack tool, which requires verification based on a combination of request headers.#3	JavaScript Challenge	×	✓	✓
Attack Tool Request	global_d_5e65a8ca4a9ea2339f24d93c7b2fa819_C_t	The HTTP request may be initiated by a known attack tool, which requires verification based on a combination of request headers.#4	JavaScript Challenge	×	✓	✓
Attack Tool Request	global_d_5fdc132caf63121890cb733ad4c2463e_B_t	The HTTP request header User-Agent has the characteristics of requests initiated by known attack tools.#2	Block	×	✓	✓
Attack Tool Request	global_d_658fef4f5d139461f7135b89f5d9dd6d_C_t	The HTTP request may be initiated by a known attack tool, which requires verification based on a combination of request headers.#5	JavaScript Challenge	×	✓	✓
Attack Tool Request	global_d_839574bd00cc6f9f2a256a599829db04_B_t	The HTTP request header User-Agent has the characteristics of requests initiated by known attack tools.#3	Block	×	✓	✓
Attack Tool Request	global_d_8917da6c5c8a6aba6ab9156cc9f89d35_B_t	The HTTP request header User-Agent has the characteristics of requests initiated by known attack tools.#4	Block	×	✓	✓
Attack Tool Request	global_d_adc8a089ad050bd9e2ed1aed2b991526_C_t	The HTTP request may be initiated by a known attack tool, which requires verification based on a combination of request headers.#6	JavaScript Challenge	×	✓	✓
Attack Tool Request	global_d_bec67b0fe8d26adb09f375c67e355a88_C_t	The HTTP request may be initiated by a known attack tool, which requires verification based on a combination of request headers.#7	JavaScript Challenge	×	✓	×
Attack Tool Request	global_d_c660088d7e2385d949fbf594461b06ac_B_t	The HTTP request header User-Agent has the characteristics of requests initiated by known attack tools.#5	Block	×	✓	✓
Attack Tool Request	global_d_dc71e4b0d53ef00f0631b0db72e95fb7_B_t	The HTTP request header User-Agent has the characteristics of requests initiated by known attack tools.#6	Block	×	✓	✓
Attack Tool Request	global_d_fc1c525466aaf12d4580ad03763daaf4_B_t	The HTTP request header User-Agent has the characteristics of requests initiated by known attack tools.#7	Block	×	✓	✓
Attack Tool Request	global_spv_2bdf9b3b14f1277aaccc38ae2b2e8a23_B_t	The HTTP request header Referer has the characteristics of requests initiated by known attack tools.#1	Block	×	✓	✓
Attack Tool Request	global_spv_507e041146fa3a0d8abc61b0bb0ba1bf_B_t	The HTTP request header Referer has the characteristics of requests initiated by known attack tools.#2	Block	×	✓	✓
Attack Tool Request	global_spv_b980df6086a5b9bded374883531ceb9a_B_t	The HTTP request header Referer has the characteristics of requests initiated by known attack tools.#3	Block	×	✓	✓
High-frequency Attack Request	global_cc_1321b42f0967324a4581f7df931b4b64_C_t	High-frequency HTTP requests are initiated to attack a homepage.#1	JavaScript Challenge	×	×	✓
High-frequency Attack Request	global_cc_3ed2a1a3801ce62eee67a1804dc2682a_C_t	High-frequency HTTP attack requests are initiated by traversing request headers.#1	JavaScript Challenge	×	×	✓
High-frequency Attack Request	global_cc_5d4f4eacd0d2e37f0a82ab247bcdcc50_C_t	High-frequency HTTP attack requests are initiated by using special User-Agent headers.#1	JavaScript Challenge	×	✓	✓
High-frequency Attack Request	global_cc_958593f854099089cdec7638c11116f4_C_t	High-frequency HTTP attack requests are initiated by traversing URIs.#1	JavaScript Challenge	×	×	✓
High-frequency Attack Request	global_cc_c5d86db096688b00f8ad8cb4c3a3d363_C_t	High-frequency HTTP attack requests are initiated by traversing request headers.#2	JavaScript Challenge	×	✓	✓
Attack Request	global_1_1	The HTTP request header Ping-To indicates a malicious source.#1	Block	×	✓	✓
Attack Request	global_1_3	The HTTP request header Referer has attack characteristics.#1	Block	×	✓	✓
Attack Request	global_1_4	The HTTP request header Accept has attack characteristics.#1	Block	×	✓	×
Attack Request	global_d_0226f8975a3bb985c7c069fff282bbdc_B_t	The HTTP request header User-Agent has attack characteristics.#1	Block	✓	✓	×
Attack Request	global_d_34f692ae6798abe9fc822912cfcd4cc5_B_t	The HTTP request header User-Agent has attack characteristics.#2	Block	×	×	✓
Attack Request	global_d_c310e8097811299b9f3d968fe771ebc9_B_t	The HTTP request header User-Agent has attack characteristics.#3	Block	×	✓	✓
Attack Request	global_ge_e397de51d53a70ad1ef6daaf332de446_B_t	The HTTP request header Accept-Language has attack characteristics.#1	Block	✓	✓	✓
Attack Request	global_hm_9c0017d9c9b1aa12ea2df4503d8fae29_B_t	The HTTP request method has attack characteristics.#1	Block	×	✓	✓
Attack Request	global_hm_c1db5bd6d4f9da9739224ca848b60e62_B_t	The HTTP request method has attack characteristics.#2	Block	×	✓	✓
Attack Request	global_online_01	The HTTP request header User-Agent has attack characteristics.#4	Block	✓	✓	✓
Attack Request	global_online_02	The HTTP request header Accept-Language has attack characteristics.#2	Block	×	✓	✓
Attack Request	global_spv_0_B_t	The HTTP request header Accept-Language has attack characteristics.#3	Block	×	✓	✓
Attack Request	global_spv_1926afcce4ce00198eca856aaaf6fe38_B_t	The HTTP request header User-Agent has attack characteristics.#5	Block	×	✓	✓
Attack Request	global_spv_1_B_t	The HTTP request URI has attack characteristics.#1	Block	×	✓	✓
Attack Request	global_spv_2_B_t	The HTTP request header Referer has attack characteristics.#2	Block	×	✓	✓
Attack Request	global_spv_4957fd08aa78f6e640f2364b087cd117_B_t	The HTTP request header User-Agent has attack characteristics.#6	Block	×	×	✓
Attack Request	global_spv_4e580d90c3df0d19e71fb6947caf5489_C_t	The HTTP request header Accept has attack characteristics.#2	JavaScript Challenge	×	✓	×

Respond to false positives

When a mitigation rule blocks legitimate traffic, you need to decide whether to change the mode or adjust a specific rule.

Step 1: Identify whether to change the mode or a rule

Change the mode when the problem is broad in scope:

Multiple user actions — such as logins, uploads, and downloads — are being blocked frequently.
Your service has undergone major changes, such as new external interfaces or a redesigned network architecture, and the current mode no longer fits your traffic profile.
Simulating your production traffic against the current mode blocks a large proportion of requests.

Change only the affected rule when the problem is isolated:

False positives occur only for a specific type of client access or a specific page (such as your homepage).
Your service is otherwise stable and only one feature intermittently fails.
Simulated traffic triggers only a single rule.

For example, rule global_cc_1321b42f0967324a4581f7df931b4b64_C_t targets high-frequency homepage requests. It may generate false positives in two scenarios:

Promotional events — A large number of users may frequently refresh the homepage within 1 minute after the event starts.
Post-fix validation — An administrator using automated tools to repeatedly hit the homepage to verify loading speed and link availability after resolving a technical issue.

In both cases, disabling the rule or changing its action to Monitor is the right fix — not switching modes.

Step 2: Find the rule causing false positives

Use either of the following methods to identify the specific rule.

Attack analysis reports

Go to the Attack Analysis page.
Find the web resource exhaustion attack entry and click View Details.
In the Top 10 Hit Policies section, check the effective mitigation rule.

Logs

Go to the Log Analysis page.
Enter last_owner in the search box. Rules whose IDs start with global are global mitigation rules.

Step 3: Change the mode or a mitigation rule

Log on to the General Policies page in the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
- Anti-DDoS Proxy (Chinese Mainland): Select Chinese Mainland.
- Anti-DDoS Proxy (Outside Chinese Mainland): Select Outside Chinese Mainland.
Click the Protection for Website Services tab, then select the domain name you want to manage from the list on the left.
In the Anti-DDoS Global Mitigation Policy section, do one of the following:
- To change the mode, select Loose, Normal, or Strict directly.
- To adjust individual rules without changing the mode, click Settings and modify the action for the specific rule.