Intelligent protection is automatically enabled when you add a website to Anti-DDoS Pro or Anti-DDoS Premium. It analyzes traffic patterns and applies access control rules to detect and block HTTP flood attacks and bot traffic — without manual rule authoring. This topic describes how to configure the mode and level, view generated rules, and verify protection accuracy using attack warning logs.
How it works
Intelligent protection uses Alibaba Cloud big data technologies to build a baseline of your website's normal traffic. When incoming traffic deviates from that baseline, the feature generates access control rules prefixed with smartcc_ and applies them automatically.
Key behaviors of generated rules:
Validity period: Each rule has a validity period. After a rule expires, the rule becomes invalid and is automatically deleted. Rules cannot be manually deleted — disable the feature to remove all rules immediately.
Warning mode action: In Warning mode, the rule action is alarm. Traffic is logged but not blocked.
Protection mode action: In Protection mode, accurate access control rules block malicious requests.
The feature requires time to establish a traffic baseline before generating accurate rules. For planned events such as promotions or load tests that may cause atypical traffic patterns, complete your baseline period before the event begins.
Modes and levels
Modes
| Mode | Behavior | When to use |
|---|---|---|
| Warning | Records malicious requests without blocking them | Before switching to Protection mode; during stress tests or promotions |
| Protection | Blocks malicious requests using generated access control rules | Production traffic, after verifying the feature works as expected |
The default mode is Protection.
In Warning mode, generated rules have an alarm action — traffic is logged but not blocked. Use the log analysis feature to review flagged requests before switching to Protection mode.
Levels
| Level | Effect | Best for |
|---|---|---|
| Loose | Blocks specific attacks; allows normal requests | Large, high-throughput websites; sales promotions |
| Normal (recommended) | Balanced detection — protects when a threat is detected while minimizing impact on legitimate traffic | Stable traffic with predictable request patterns |
| Strict | Aggressively blocks attacks; may affect some legitimate requests | Sites with limited processing capacity or under sustained attack |
The default level is Normal.
Prerequisites
Before you begin, ensure that you have:
A website service added to Anti-DDoS Pro or Anti-DDoS Premium (see Add websites)
Adjust the mode or level
Change the mode or level when your origin server generates elevated 4XX or 5XX responses that could trigger false positives — for example, when rate limiting is configured on the origin, or when many clients reconnect simultaneously.
In the Anti-DDoS Proxy console, select the region of your instance from the top navigation bar:
Anti-DDoS Proxy (Chinese Mainland): Select Chinese Mainland.
Anti-DDoS Proxy (Outside Chinese Mainland): Select Outside Chinese Mainland.
In the left-side navigation pane, choose Mitigation Settings > General Policies.
On the Protection for Website Services tab, select the domain name you want to manage.
In the Intelligent Protection section, click Settings.
In the Intelligent Protection dialog box, set Mode to Warning.
After three days, return to the Intelligent Protection dialog box and set Mode to Protection.
For promotion events or stress tests, create a custom scenario policy instead of switching modes globally. See Create custom scenario policies.
View intelligent protection rules
After the feature generates rules, view them in the HTTP Flood Mitigation section.
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance:
Anti-DDoS Proxy (Chinese Mainland): Select Chinese Mainland.
Anti-DDoS Proxy (Outside Chinese Mainland): Select Outside Chinese Mainland.
In the left-side navigation pane, choose Mitigation Settings > General Policies.
On the Protection for Website Services tab, select the domain name you want to manage.
In the HTTP Flood Mitigation section, click Settings. Rules with names starting with smartcc_ are intelligent protection rules.
View attack warning logs
When the feature runs in Warning mode, detected attacks are logged without being blocked. Query these logs to evaluate whether the feature is accurately identifying threats before you switch to Protection mode.
The log analysis feature must be enabled for your website. See Use the log analysis feature.
Log on to the Anti-DDoS Pro console.
Choose Investigation > Log Analysis.
Select your domain name, then enter the following query statement:
matched_host:"aliyundoc.com" and cc_action:alarm
Replace aliyundoc.com with your actual domain name.
The results list all requests flagged by intelligent protection rules. Review these logs to confirm the feature is not generating false positives before enabling Protection mode.
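The review step above can be scripted over an export of the query results. The following is an added example, not part of the product documentation: it counts alarm hits per client for one domain and reports any known-good clients that were flagged, which is the false-positive signal to resolve before enabling Protection mode. Only matched_host and cc_action come from the query on this page; the real_client_ip and request_uri field names, the "none" value, and the known_good_ips set are assumptions, and the sample records are constructed.

```python
import json
from collections import Counter

# Constructed sample export (one JSON object per line). Field names other than
# matched_host and cc_action are assumptions made for this example.
SAMPLE_LOGS = """\
{"matched_host": "aliyundoc.com", "cc_action": "alarm", "real_client_ip": "198.51.100.7", "request_uri": "/login"}
{"matched_host": "aliyundoc.com", "cc_action": "alarm", "real_client_ip": "198.51.100.7", "request_uri": "/login"}
{"matched_host": "aliyundoc.com", "cc_action": "alarm", "real_client_ip": "198.51.100.7", "request_uri": "/login"}
{"matched_host": "aliyundoc.com", "cc_action": "alarm", "real_client_ip": "203.0.113.10", "request_uri": "/healthz"}
{"matched_host": "aliyundoc.com", "cc_action": "none", "real_client_ip": "203.0.113.10", "request_uri": "/healthz"}
{"matched_host": "aliyundoc.com", "cc_action": "none", "real_client_ip": "192.0.2.55", "request_uri": "/"}
{"matched_host": "example.org", "cc_action": "alarm", "real_client_ip": "192.0.2.99", "request_uri": "/"}
not-json
"""

def review_alarms(lines, host, known_good_ips):
    """Summarise Warning-mode hits for one domain and list flagged known-good clients."""
    alarms, totals = Counter(), Counter()
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated export lines
        if not isinstance(rec, dict) or rec.get("matched_host") != host:
            continue  # same scoping as matched_host:"..." in the query
        ip = rec.get("real_client_ip", "unknown")
        totals[ip] += 1
        if rec.get("cc_action") == "alarm":
            alarms[ip] += 1
    return {
        "alarmed_requests": sum(alarms.values()),
        "alarms_by_ip": dict(alarms),
        # Share of each client's requests that a rule would have blocked.
        "alarm_share": {ip: alarms[ip] / totals[ip] for ip in alarms},
        # Clients you trust (monitoring, partners) that a rule flagged anyway.
        "known_good_flagged": sorted(ip for ip in alarms if ip in known_good_ips),
    }

if __name__ == "__main__":
    report = review_alarms(SAMPLE_LOGS.splitlines(), "aliyundoc.com", {"203.0.113.10"})
    print(json.dumps(report, indent=2))
```

A non-empty known_good_flagged list means a generated rule would have blocked a trusted client in Protection mode.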
What's next
Create custom scenario policies — handle promotions and stress tests with targeted policies instead of changing the global protection mode.
Use the log analysis feature — query detailed attack and access logs to assess protection effectiveness.