
Anti-DDoS: Configure a DDoS mitigation policy

Last Updated: Jun 03, 2026

Anti-DDoS Proxy provides DDoS mitigation policies for non-website services to defend against Layer 4 connection-oriented DDoS attacks. Policies are configured per IP and port for port forwarding rules. Set request rate limits, packet length restrictions, and other parameters to match your traffic patterns.

Feature overview

A DDoS mitigation policy supports the following features:

| Feature | Description | Restrictions |
| --- | --- | --- |
| False Source | Blocks DDoS attacks from forged IP addresses. | TCP port forwarding rules only. |
| Advanced Attack Mitigation | Detects and mitigates DDoS attacks that send large volumes of abnormal packets after a TCP three-way handshake, typically from botnets such as Mirai. | TCP port forwarding rules only. Requires False Source to be enabled. Only Anti-DDoS Proxy instances that use IPv4 addresses can configure this feature; IPv6 instances cannot. |
| Session Feature Filtering | Filters attack traffic by analyzing packet payloads. Supports application-layer access control rules. | Only Anti-DDoS Proxy (Chinese Mainland) instances of the Enhanced function plan that use IPv4 addresses can configure this feature. |
| Whitelist | Allows whitelisted IP addresses to bypass interception on a per-port basis. | None. |
| Rate Limit for Source | Limits the data transfer rate per source IP on a per-port basis. Supports blacklisting IPs that repeatedly exceed limits. | None. |
| Speed Limit for Destination | Limits the data transfer rate per instance port. | None. |
| Packet Length Limit | Specifies the minimum and maximum packet payload lengths. Packets with invalid lengths are discarded. | None. |

Before you begin

A non-website service is added to Anti-DDoS Proxy. For more information, see Manage forwarding rules.

Configure a policy for a single rule

  1. Log on to the General Policies page in the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): Choose the Chinese Mainland region.

    • Anti-DDoS Proxy (Outside Chinese Mainland): Choose the Outside Chinese Mainland region.

  3. On the General Policies page, click the Protection for Non-website Services tab and select the Anti-DDoS Proxy instance to manage.

  4. In the list on the left, click the forwarding rule to configure.

  5. Configure the protection features in the following sections.

      False Source

      Enable False Source to block requests from forged IP addresses. This feature applies only to TCP port forwarding rules.

      | Parameter | Description |
      | --- | --- |
      | False Source | Turn on to block requests from forged IP addresses. When False Source is disabled, Empty Connection and Advanced Attack Mitigation are also disabled. |
      | Empty Connection | Turn on to block requests that attempt to establish null sessions. False Source must be enabled first. |

      Advanced Attack Mitigation

      This feature applies only to TCP port forwarding rules. False Source must be enabled first. The default protection mode is Normal.

      | Protection mode | Effect | Recommended scenario |
      | --- | --- | --- |
      | Loose | Blocks traffic with obvious attack characteristics. Some attacks may pass through, but false positives are rare. | One-way data transmission (live streaming, media downloads) or services requiring high origin bandwidth. |
      | Normal (recommended) | Balances protection and low false positive rates for most workloads. | Most scenarios. |
      | Strict | Enforces strict attack verification. May cause false positives. | Origin server has limited bandwidth or protection is insufficient. |

      Session Feature Filtering

      Configure access control rules based on packet payloads. When a rule has multiple conditions, all must match to trigger the action.

      Note

      AI-powered intelligent access control rules are also displayed in this section.

      | Parameter | Description |
      | --- | --- |
      | Rule Name | Name the rule. |
      | Match Conditions | Define the packet payload format. Select String or Hexadecimal. |
      | Match Range | Start and end byte positions for payload matching. Range: 0–1499. Start must not exceed end. |
      | Logical Operator | Select Include or Not Include. |
      | Field Value | For String: content length must not exceed 1500 bytes and must fall within the start and end positions. For Hexadecimal: content must consist of hexadecimal characters, must not exceed 3000 characters, must be an even number of characters, and must fall within the specified range. |
      | Action | Monitor: permits the matching request. Block: rejects the matching request. Block and Add to Blacklist: rejects the request and adds the source IP to the blacklist. Blacklist duration: 300 to 600 seconds. |
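The following is an added example, not Anti-DDoS Proxy code, that models the rule semantics described in this section so that a rule set can be dry-run against captured payloads before it is deployed: a byte window of offsets 0–1499 (start not exceeding end), a field value given as String or Hexadecimal with the stated size limits, an Include / Not Include operator, all conditions of a rule combined with AND, and an action of Monitor, Block, or Block and Add to Blacklist. The sample rules, the binary protocol they describe, and the action labels are constructed for illustration.

```python
"""Session Feature Filtering rule evaluation, modelled on the parameters above.

Added example, not Anti-DDoS Proxy code. It assumes the documented semantics:
a match range of byte offsets 0-1499 (start <= end), a field value given as a
String (<= 1500 bytes) or as Hexadecimal (even length, <= 3000 characters),
an Include / Not Include operator, and an action of Monitor, Block, or
Block and Add to Blacklist (blacklist duration 300-600 seconds). All
conditions of a rule must match for the action to apply.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_OFFSET = 1499
MAX_STRING_BYTES = 1500
MAX_HEX_CHARS = 3000


@dataclass
class Condition:
    start: int
    end: int
    fmt: str        # "string" or "hex"
    value: str
    operator: str   # "include" or "not_include"

    def pattern(self) -> bytes:
        """Validate the condition and return the bytes to look for."""
        if not (0 <= self.start <= self.end <= MAX_OFFSET):
            raise ValueError("match range must satisfy 0 <= start <= end <= 1499")
        if self.fmt == "string":
            data = self.value.encode()
            if len(data) > MAX_STRING_BYTES:
                raise ValueError("string value exceeds 1500 bytes")
        elif self.fmt == "hex":
            if len(self.value) > MAX_HEX_CHARS or len(self.value) % 2:
                raise ValueError("hex value must have an even length of at most 3000 characters")
            data = bytes.fromhex(self.value)   # rejects non-hex characters
        else:
            raise ValueError(f"unknown format {self.fmt!r}")
        if len(data) > self.end - self.start + 1:
            raise ValueError("value does not fit inside the match range")
        if self.operator not in ("include", "not_include"):
            raise ValueError(f"unknown operator {self.operator!r}")
        return data

    def matches(self, payload: bytes) -> bool:
        """Search only the configured byte window of the payload."""
        window = payload[self.start:self.end + 1]
        found = self.pattern() in window
        return found if self.operator == "include" else not found


def is_valid_condition(cond: Condition) -> bool:
    """True when the condition satisfies the documented limits."""
    try:
        cond.pattern()
    except ValueError:
        return False
    return True


@dataclass
class Rule:
    name: str
    action: str                    # "monitor", "block" or "block_blacklist"
    conditions: List[Condition] = field(default_factory=list)
    blacklist_seconds: int = 300   # used only with "block_blacklist"

    def evaluate(self, payload: bytes) -> Optional[str]:
        """Return the action if every condition matches, otherwise None."""
        if self.action == "block_blacklist" and not 300 <= self.blacklist_seconds <= 600:
            raise ValueError("blacklist duration must be 300-600 seconds")
        if self.conditions and all(c.matches(payload) for c in self.conditions):
            return self.action
        return None


def apply_rules(rules: List[Rule], payload: bytes) -> str:
    """First matching rule decides; with no match the packet is forwarded."""
    for rule in rules:
        action = rule.evaluate(payload)
        if action is not None:
            return action
    return "forward"


# Constructed sample rules for a hypothetical binary protocol: a 4-byte magic
# header at offsets 0-3 followed by a command name somewhere in bytes 4-63.
SAMPLE_RULES = [
    Rule("drop-flood-command", "block_blacklist", [
        Condition(0, 3, "hex", "deadbeef", "include"),
        Condition(4, 63, "string", "FLOOD", "include"),
    ]),
    Rule("watch-missing-header", "monitor", [
        Condition(0, 3, "hex", "deadbeef", "not_include"),
    ]),
]

if __name__ == "__main__":
    for pkt in (bytes.fromhex("deadbeef") + b"\x00FLOOD\x00",
                bytes.fromhex("deadbeef") + b"\x00LOGIN\x00",
                b"GET / HTTP/1.1"):
        print(pkt, "->", apply_rules(SAMPLE_RULES, pkt))
```

Because the page says a rule with several conditions fires only when all of them match, a packet that carries the magic header but a different command falls through to the second rule, which also fails because the header is present, so it is forwarded; a packet with no header at all only reaches the Monitor rule. Running a proposed rule set over a day of captured legitimate payloads this way is the cheapest check that a Block rule will not produce false positives.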

      Whitelist

      Add IP addresses or CIDR blocks to the whitelist to bypass interception. Maximum: 2,000 entries per whitelist.

      Restrictions:

      • Anti-DDoS Proxy instances support both IPv4 and IPv6 addresses.

      • IPv4 CIDR blocks: /8 to /32. IPv6 CIDR blocks: /32 to /128.

      • IPv4 addresses cannot be 0.0.0.0 or 255.255.255.255. IPv6 addresses cannot be :: or ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.
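The following is an added example, not Anti-DDoS Proxy code, that checks a candidate whitelist against exactly the restrictions listed above (IPv4 or IPv6 addresses and CIDR blocks, IPv4 prefixes /8 to /32, IPv6 prefixes /32 to /128, the four forbidden addresses, and the 2,000-entry cap) before the list is pasted into the console. The sample entries are constructed from documentation address ranges.

```python
"""Validate Whitelist entries against the restrictions listed above.

Added example, not Anti-DDoS Proxy code. It checks only what the page states:
entries are IPv4 or IPv6 addresses or CIDR blocks, IPv4 prefixes run from /8
to /32 and IPv6 prefixes from /32 to /128, the single addresses 0.0.0.0,
255.255.255.255, :: and ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff are rejected,
and a whitelist holds at most 2,000 entries.
"""
import ipaddress
from typing import Dict, List, Optional

MAX_ENTRIES = 2000
PREFIX_RANGE = {4: (8, 32), 6: (32, 128)}
FORBIDDEN_HOSTS = {
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("255.255.255.255"),
    ipaddress.ip_address("::"),
    ipaddress.ip_address("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"),
}


def check_entry(entry: str) -> Optional[str]:
    """Return None if the entry is acceptable, otherwise the reason it is not."""
    try:
        # strict=False accepts host bits in a block, e.g. 198.51.100.7/24
        net = ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return "not an IP address or CIDR block"
    low, high = PREFIX_RANGE[net.version]
    if not low <= net.prefixlen <= high:
        return f"IPv{net.version} prefix length must be /{low} to /{high}"
    if net.num_addresses == 1 and net.network_address in FORBIDDEN_HOSTS:
        return "address is not allowed in a whitelist"
    return None


def validate_whitelist(entries: List[str]) -> Dict[str, str]:
    """Map each rejected entry to its reason; an empty dict means every entry passes."""
    problems: Dict[str, str] = {}
    if len(entries) > MAX_ENTRIES:
        problems["<list>"] = f"{len(entries)} entries exceeds the limit of {MAX_ENTRIES}"
    for entry in entries:
        reason = check_entry(entry)
        if reason is not None:
            problems[entry] = reason
    return problems


# Constructed sample list (documentation prefixes only) mixing valid and invalid entries.
SAMPLE_ENTRIES = [
    "203.0.113.7",          # single IPv4 host, treated as /32
    "198.51.100.0/24",      # IPv4 block within /8-/32
    "10.0.0.0/7",           # broader than /8, rejected
    "2001:db8::/32",        # widest IPv6 block allowed
    "2001:db8::/31",        # broader than /32, rejected
    "0.0.0.0",              # explicitly forbidden
    "::",                   # explicitly forbidden
    "not-an-address",
]

if __name__ == "__main__":
    for entry, reason in validate_whitelist(SAMPLE_ENTRIES).items():
        print(f"{entry}: {reason}")
```

A whitelist entry bypasses every other check on the port, so the same script is a good place to add your own review rules on top of the console's, for example rejecting any prefix wider than your partners' actual address blocks.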

      Rate Limit for Source

      Limits data transfer rate per source IP. When a source IP exceeds the limit, excess traffic from that IP is dropped. Other source IPs are not affected.

      • Parameters

        Note

        Actual new connection limits may vary slightly because scrubbing centers are deployed as clusters.

        | Parameter | Valid values | Description |
        | --- | --- | --- |
        | New Connections Limit for Source | 1 to 50,000 | Maximum new connections per second from a single IP. Select Automatic (calculated dynamically) or Manual (set manually). |
        | Concurrent Connections Limit for Source | 1 to 50,000 | Maximum concurrent connections from a single IP. Excess connections are dropped. |
        | PPS Limit for Source | 1 to 100,000 | Maximum packets per second from a single IP. Excess packets are dropped. |
        | Bandwidth Limit for Source | 1,024 to 268,435,456 bytes/s | Maximum bandwidth from a single IP. |

      • Blacklist settings

        Each rate limit supports blacklist settings:

        • Select the blacklist option. If connections from a source exceed the limit five times within 60 seconds, the source IP address is added to the blacklist, and all requests from blacklisted IPs are dropped.

        • Configure the Blacklist Validity Period to set how long the IP stays blacklisted. Valid values: 1–10,080 minutes. Default: 30 minutes. The IP is removed automatically when the period ends.
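The following is an added example, not Anti-DDoS Proxy code, that models the blacklist behaviour described above for one of the limits, PPS Limit for Source: excess packets from a source over its limit are dropped, a fifth exceedance within 60 seconds blacklists the source so that all of its traffic is dropped, and the entry expires after the Blacklist Validity Period. The timeline, the source addresses and the convention of reporting one second of traffic per call are constructed; it is useful for reasoning about how quickly a given limit and validity period will react to a noisy client.

```python
"""Per-source rate limit with the documented blacklist behaviour.

Added example, not Anti-DDoS Proxy code. It models one rate limit, PPS Limit
for Source (1 to 100,000), and the blacklist rule from the page: a source that
exceeds the limit five times within 60 seconds is blacklisted, all of its
requests are dropped, and it is released automatically when the Blacklist
Validity Period (1 to 10,080 minutes, default 30) ends. Packet counts are
fed in once per source per one-second interval; the timestamps are constructed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

EXCEED_WINDOW_SECONDS = 60
EXCEED_THRESHOLD = 5


class SourcePpsLimiter:
    def __init__(self, pps_limit: int, blacklist_minutes: int = 30):
        if not 1 <= pps_limit <= 100_000:
            raise ValueError("PPS Limit for Source must be 1 to 100,000")
        if not 1 <= blacklist_minutes <= 10_080:
            raise ValueError("Blacklist Validity Period must be 1 to 10,080 minutes")
        self.pps_limit = pps_limit
        self.blacklist_seconds = blacklist_minutes * 60
        self.exceedances: Dict[str, Deque[float]] = defaultdict(deque)
        self.blacklist: Dict[str, float] = {}   # source IP -> release time

    def is_blacklisted(self, src: str, now: float) -> bool:
        release = self.blacklist.get(src)
        if release is None:
            return False
        if now >= release:              # validity period has ended
            del self.blacklist[src]
            return False
        return True

    def observe(self, src: str, now: float, packets: int) -> str:
        """Report one second of traffic from src and return the verdict."""
        if self.is_blacklisted(src, now):
            return "drop_blacklisted"
        if packets <= self.pps_limit:
            return "forward"
        # Over the limit: the excess is dropped and the exceedance is recorded
        # in a sliding 60-second window.
        times = self.exceedances[src]
        times.append(now)
        while times and now - times[0] >= EXCEED_WINDOW_SECONDS:
            times.popleft()
        if len(times) >= EXCEED_THRESHOLD:
            self.blacklist[src] = now + self.blacklist_seconds
            times.clear()
            return "blacklisted"
        return "drop_excess"


def run_sample() -> List[Tuple[str, int, str]]:
    """Replay a constructed timeline: one noisy source and one quiet source."""
    limiter = SourcePpsLimiter(pps_limit=100, blacklist_minutes=30)
    timeline = [
        ("198.51.100.9", 0, 500), ("198.51.100.9", 10, 500),
        ("198.51.100.9", 20, 500), ("198.51.100.9", 30, 500),
        ("198.51.100.10", 30, 40),          # other sources are unaffected
        ("198.51.100.9", 40, 500),          # fifth exceedance within 60 s
        ("198.51.100.9", 41, 1),            # even compliant traffic is dropped
        ("198.51.100.9", 40 + 30 * 60, 1),  # released after 30 minutes
    ]
    return [(src, t, limiter.observe(src, t, n)) for src, t, n in timeline]


if __name__ == "__main__":
    for src, t, verdict in run_sample():
        print(f"t={t:>5}s {src:<14} {verdict}")
```

The distinction between drop_excess and drop_blacklisted matters operationally: before blacklisting, only the traffic above the limit is lost, so a legitimate client that briefly bursts is slowed rather than cut off; after the fifth exceedance in a minute it loses everything until the validity period ends, which is why a short period such as the default 30 minutes is the safer starting point for ports that serve shared NAT addresses.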

      Speed Limit for Destination

      Limits data transfer rate per instance port. When a port exceeds the limit, excess traffic is dropped. Other ports are not affected.

      Default values differ between TCP and UDP port forwarding rules.

      Note

      For both TCP and UDP rules, actual new connection limits may vary slightly because scrubbing centers are deployed as clusters.

      TCP port forwarding rules

      | Parameter | Valid values | Default | Can be disabled? |
      | --- | --- | --- | --- |
      | Concurrent Connections Limit for Destination | 100 to 100,000 | 100,000 (enabled by default) | No. Disabling resets the value to 100,000. |
      | New Connections Limit for Destination | 1,000 to 2,000,000 | 2,000,000 (enabled by default) | No. Disabling resets the value to 2,000,000. |

      UDP port forwarding rules

      | Parameter | Valid values | Default | Can be disabled? |
      | --- | --- | --- | --- |
      | Concurrent Connections Limit for Destination | 100 to 50,000 | Disabled by default | Yes |
      | New Connections Limit for Destination | 1,000 to 200,000 | 200,000 (enabled by default) | No. Disabling resets the value to 200,000. |

      Packet Length Limit

      In the Packet Length Limit section, click Settings. Set the minimum and maximum payload lengths and click OK. Valid range: 0–1,500 bytes.

Configure policies in batches

Apply a DDoS mitigation policy to multiple port forwarding rules at once.

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): Choose the Chinese Mainland region.

    • Anti-DDoS Proxy (Outside Chinese Mainland): Choose the Outside Chinese Mainland region.

  3. In the left-side navigation pane, choose Onboarding > Port Config.

  4. On the Port Config page, select the instance to manage and choose Batch Operations > Create Mitigation Policy below the rule list.

  5. In the Create Mitigation Policy dialog box, enter the policy in the required format and click OK.

    • Enter one policy per row, one per forwarding rule.

    • The forwarding port must match an existing forwarding rule.

    • Fields are space-separated, in the following order:

      | Position | Field | Valid values |
      | --- | --- | --- |
      | 1 | Forwarding port | Port number from an existing forwarding rule |
      | 2 | Forwarding protocol | tcp or udp |
      | 3 | New connections limit for source | Numeric value |
      | 4 | Concurrent connections limit for source | Numeric value |
      | 5 | New connections limit for destination | Numeric value |
      | 6 | Concurrent connections limit for destination | Numeric value |
      | 7 | Minimum packet length | Numeric value |
      | 8 | Maximum packet length | Numeric value |
      | 9 | False source | on or off |
      | 10 | Empty connection | on or off |

Note

Export existing DDoS mitigation policies to a TXT file, modify the content, and paste it back into the dialog box. The exported format must match the required format. For more information, see Export multiple port configurations at a time.
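The following is an added example, not Anti-DDoS Proxy code, that validates a batch policy text offline before it is pasted into the Create Mitigation Policy dialog box. It parses the ten space-separated fields in the order given above and checks them against the ranges stated earlier on this page (source limits 1 to 50,000; destination new connections 1,000 to 2,000,000 for TCP and 1,000 to 200,000 for UDP; destination concurrent connections 100 to 100,000 for TCP and 100 to 50,000 for UDP; packet lengths 0 to 1,500 with minimum not exceeding maximum), plus two cross-field rules taken from the feature descriptions: Empty Connection requires False Source, and False Source applies only to TCP rules. The set of existing forwarding rules and the sample batch are constructed; the page does not say how the console itself reports format errors.

```python
"""Validate the batch policy text before pasting it into the dialog box.

Added example, not Anti-DDoS Proxy code. One row per forwarding rule, ten
space-separated fields in the documented order; the numeric ranges are the
ones listed earlier on this page for the source and destination limits and
the packet length limit, and a row must name a (port, protocol) pair that
exists in your forwarding rules, which this code takes as a set you supply.
"""
from typing import Dict, List, Set, Tuple

# (field name, tcp range, udp range) for positions 3 to 8.
NUMERIC_FIELDS = [
    ("new connections limit for source", (1, 50_000), (1, 50_000)),
    ("concurrent connections limit for source", (1, 50_000), (1, 50_000)),
    ("new connections limit for destination", (1_000, 2_000_000), (1_000, 200_000)),
    ("concurrent connections limit for destination", (100, 100_000), (100, 50_000)),
    ("minimum packet length", (0, 1_500), (0, 1_500)),
    ("maximum packet length", (0, 1_500), (0, 1_500)),
]


def validate_policy_line(line: str, existing_rules: Set[Tuple[int, str]]) -> List[str]:
    """Return the problems found in one row; an empty list means the row is valid."""
    parts = line.split()
    if len(parts) != 10:
        return [f"expected 10 space-separated fields, got {len(parts)}"]
    errors: List[str] = []
    port_text, proto = parts[0], parts[1].lower()
    if proto not in ("tcp", "udp"):
        errors.append("forwarding protocol must be tcp or udp")
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        errors.append("forwarding port must be a number from 1 to 65535")
    elif proto in ("tcp", "udp") and (int(port_text), proto) not in existing_rules:
        errors.append(f"no existing {proto} forwarding rule for port {port_text}")

    values: Dict[str, int] = {}
    for (name, tcp_range, udp_range), text in zip(NUMERIC_FIELDS, parts[2:8]):
        low, high = udp_range if proto == "udp" else tcp_range
        if not text.isdigit():
            errors.append(f"{name} must be numeric")
            continue
        values[name] = int(text)
        if not low <= values[name] <= high:
            errors.append(f"{name} must be {low:,} to {high:,} for {proto}")
    if ("minimum packet length" in values and "maximum packet length" in values
            and values["minimum packet length"] > values["maximum packet length"]):
        errors.append("minimum packet length must not exceed maximum packet length")

    false_source, empty_conn = parts[8].lower(), parts[9].lower()
    for name, flag in (("false source", false_source), ("empty connection", empty_conn)):
        if flag not in ("on", "off"):
            errors.append(f"{name} must be on or off")
    # Cross-field rules from the feature descriptions on this page.
    if empty_conn == "on" and false_source != "on":
        errors.append("empty connection requires false source to be on")
    if false_source == "on" and proto == "udp":
        errors.append("false source applies only to tcp rules")
    return errors


def validate_batch(text: str, existing_rules: Set[Tuple[int, str]]) -> Dict[int, List[str]]:
    """Map 1-based row numbers to their problems; an empty dict means the batch is valid."""
    report: Dict[int, List[str]] = {}
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        errors = validate_policy_line(line, existing_rules)
        if errors:
            report[number] = errors
    return report


# Constructed forwarding rules and a constructed batch with two bad rows.
SAMPLE_RULES = {(8080, "tcp"), (9000, "udp")}
SAMPLE_BATCH = """\
8080 tcp 1000 5000 2000000 100000 0 1500 on on
9000 udp 1000 5000 200000 50000 0 1500 off off
9000 udp 1000 5000 2000000 50000 0 1500 off off
8080 tcp 1000 5000 2000000 100000 1500 0 off on
"""

if __name__ == "__main__":
    for row, errors in validate_batch(SAMPLE_BATCH, SAMPLE_RULES).items():
        print(f"row {row}: " + "; ".join(errors))
```

Running the exported TXT file through this check after editing it catches the two mistakes that are easiest to make by hand: copying a TCP row's destination limits onto a UDP port, whose ranges are ten to twenty times smaller, and enabling Empty Connection on a rule whose False Source field is off.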