When your service is added to an Anti-DDoS Proxy instance, the instance automatically applies a global mitigation policy. This policy filters attack traffic based on rules built from real-world attack-and-defense data, and activates the moment your instance's IP address comes under attack. By selecting the right policy level, you control the trade-off between protection strength and the risk of false positives.
How it works
The anti-DDoS engine accumulates mitigation rules from large volumes of real-world attack events. When a volumetric attack with known characteristics targets your instance's IP address, the global mitigation policy intercepts the traffic before it reaches your origin server.
The policy is instance-wide: every website, application service, and cross-region service node added to the same Anti-DDoS Proxy instance is protected by the same policy.
The global mitigation policy activates only when the IP address of the Anti-DDoS Proxy instance is under attack. It does not affect traffic during normal operation.
Choose a policy
All three built-in policies share a common base layer that filters clearly malicious traffic. The key variable is sensitivity: a stricter policy applies lower thresholds, which means more traffic is inspected and intercepted — but the risk of false positives increases.
Base capabilities (all policies)
Every policy blocks the following:
Malformed packets that do not conform to protocol specifications
TCP, UDP, and ICMP packets with clear attack characteristics
Fragmented packets and packets not transmitted over TCP, UDP, or ICMP
Traffic that does not conform to the protocol of the forwarding port
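To make the base-layer categories above concrete, the following added example classifies constructed IPv4 packets into them. It is an illustration written for this page, not the Anti-DDoS Proxy engine's own logic. The `FORWARDING_PORTS` map, the specific malformed-packet checks, and the reading of the forwarding-port rule as a transport-protocol match are assumptions.

```python
import struct

ALLOWED = {1: "icmp", 6: "tcp", 17: "udp"}
# Hypothetical forwarding rules: destination port -> protocol configured for it.
FORWARDING_PORTS = {443: "tcp", 53: "udp"}

def classify(packet: bytes) -> str:
    """Return 'pass' or the base-layer category under which the packet is dropped."""
    if len(packet) < 20:
        return "malformed"
    ver_ihl, _, total_len, _, flags_frag, _, proto = struct.unpack("!BBHHHBB", packet[:10])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    # Assumed malformed checks: wrong version, impossible header length,
    # or a total-length field that disagrees with the bytes received.
    if version != 4 or ihl < 20 or ihl > total_len or total_len != len(packet):
        return "malformed"
    # MF flag (0x2000) or a non-zero fragment offset marks a fragment; DF (0x4000) does not.
    if flags_frag & 0x2000 or flags_frag & 0x1FFF:
        return "fragmented"
    if proto not in ALLOWED:
        return "unsupported-protocol"
    name = ALLOWED[proto]
    if name != "icmp":
        if total_len - ihl < (20 if name == "tcp" else 8):
            return "malformed"  # too short to hold a TCP/UDP header
        dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
        # No rule for the port, or the rule is for the other transport protocol.
        if FORWARDING_PORTS.get(dst_port) != name:
            return "port-protocol-mismatch"
    return "pass"

def build(proto, dst_port=0, flags_frag=0, l4_len=20, version=4) -> bytes:
    """Construct a sample IPv4 packet (checksum left at 0; it is not validated here)."""
    l4 = struct.pack("!HH", 40000, dst_port) + bytes(l4_len - 4)
    header = struct.pack("!BBHHHBBH4s4s", (version << 4) | 5, 0, 20 + len(l4), 1,
                         flags_frag, 64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header + l4

if __name__ == "__main__":
    samples = {"tcp/443": build(6, 443), "udp/443": build(17, 443, l4_len=8),
               "fragment": build(6, 443, flags_frag=0x2000), "gre": build(47)}
    for label, pkt in samples.items():
        print(f"{label:10} -> {classify(pkt)}")
```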
What each policy adds
| Policy | Additional capabilities | Best for |
|---|---|---|
| Loose | Base capabilities only | Services experiencing false positives under Normal. Base-layer filtering still protects against traffic with clear attack signatures. |
| Normal (default) | Base + verifies some source IPs with abnormal requests and applies rate limiting; verifies UDP packets and applies limits based on results | Most services — balances protection and availability |
| Strict | Base + strictly verifies some source IPs and applies rate limiting; strictly verifies UDP packets and applies limits based on results | Services where attack traffic is bypassing Normal and reaching the origin server |
When to switch policies
Normal to Loose: Switch if legitimate users are being blocked (false positives). The base-layer filtering remains active, so traffic with clear attack signatures is still intercepted — but more complex attack patterns may pass through to your origin server.
Normal to Strict: Switch if attack traffic is still reaching your origin server under Normal. Strict applies stricter IP and UDP verification, which reduces bypass risk but may occasionally block legitimate traffic.
If the built-in policies do not meet your requirements, contact your account manager to create a custom global mitigation policy.
Prerequisites
Before you begin, ensure that you have:
A website service or non-website service added to Anti-DDoS Proxy. See Add websites or Manage forwarding rules.
Configure the global mitigation policy
Log on to the Anti-DDoS Proxy console.
In the left-side navigation pane, choose Mitigation Settings > General Policies.
On the Protection for Infrastructure tab, go to the Anti-DDoS Global Mitigation Policy section.
From the Mitigation Policy drop-down list, select Loose, Normal, or Strict.