The intelligent protection feature is automatically enabled for website services that are added to Anti-DDoS Pro or Anti-DDoS Premium. The intelligent protection feature automatically learns traffic patterns to detect and block new types of HTTP flood attacks. This topic describes how to use the intelligent protection feature.
What is intelligent protection?
Anti-DDoS Pro and Anti-DDoS Premium provide the intelligent protection feature based on traditional attack mitigation methods for various business forms and ever-changing attack scenarios. The intelligent protection feature is developed based on the big data technologies of Alibaba Cloud. The feature automatically learns traffic patterns and uses algorithms to analyze attacks. Then, the feature applies accurate access control rules to adjust protection modes and to detect and block attacks at the earliest opportunity. The attacks include web attacks, such as bots and HTTP flood attacks.
Supported modes and levels
After a website service is added to Anti-DDoS Pro or Anti-DDoS Premium, the intelligent protection feature is automatically enabled. The default mode is Protection and the default level is Normal. The intelligent protection feature supports the following modes and levels:
Mode
Warning: In this mode, when Anti-DDoS Pro or Anti-DDoS Premium detects malicious requests, attacks are recorded but the requests are not blocked. You can use this mode to learn how the feature safeguards your website. You can use this mode and the log analysis feature to query warnings recorded by the feature and verify the protection capabilities of the feature. For more information, see View attack warning logs.
Protection: In this mode, when Anti-DDoS Pro or Anti-DDoS Premium detects malicious requests, accurate access control rules are applied to block the malicious requests.
Note: We recommend that you use the Warning mode and the log analysis feature to analyze the attack logs. Enable the Protection mode only when the feature works as expected.
Level
Level | Effect | Scenario
Loose | Blocks specific attacks and allows normal requests. | Large websites that have high processing capabilities, and specific scenarios such as sales promotions
Normal (recommended) | Does not process requests in most cases. When traffic that poses a threat to the protected website is detected, Anti-DDoS Pro or Anti-DDoS Premium protects the website and minimizes negative impacts on the website. | Scenarios in which the number of requests does not greatly fluctuate and servers have additional resources other than managing normal network traffic
Strict | Strictly and intelligently blocks attacks. However, normal requests may also be blocked. | Websites that do not have sufficient processing or protection capabilities
Prerequisites
A website service is added to Anti-DDoS Proxy. For more information, see Add websites.
Change the mode or level of intelligent protection
In specific business scenarios, we recommend that you change the mode or level of the intelligent protection feature. This allows the feature to learn traffic patterns and prevents false positives.
Scenario: Before you add your website to Anti-DDoS Pro or Anti-DDoS Premium, regular rate limiting policies are configured for the origin server of your website, or a large number of clients frequently reconnect to your website at the same time. Even if your website service runs as expected, the origin server returns a large number of 4XX or 5XX HTTP status codes.
Solution:
On the Protection for Website Services tab, click Settings in the Intelligent Protection section.
In the Intelligent Protection dialog box, set Mode to Warning.
After three days, set Mode to Protection.
If you want to launch a promotion event or stress test on your website, but the origin server of the website returns a large number of 4XX or 5XX HTTP status codes, we recommend that you create a custom policy. For more information, see Create custom scenario policies.
View intelligent protection rules
After you enable the feature, Anti-DDoS Pro or Anti-DDoS Premium automatically generates rules when attacks are detected. The names of the rules start with smartcc_ and the rules have validity periods. Compared with custom accurate access control rules, intelligent protection rules have the following characteristics:
The action of a rule may be warning. In Warning mode, the action specified in a rule is warning. In this case, Anti-DDoS Pro or Anti-DDoS Premium records attacks but does not block attacks.
Each rule has a validity period. After a rule expires, the rule becomes invalid and is automatically deleted.
Rules cannot be manually deleted. If you disable the feature, rules are immediately deleted.
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
Anti-DDoS Proxy (Chinese Mainland): Choose the Chinese Mainland region.
Anti-DDoS Proxy (Outside Chinese Mainland): Choose the Outside Chinese Mainland region.
In the left-side navigation pane, choose .
On the General Policies page, click the Protection for Website Services tab. Select the domain name that you want to manage from the list in the left side.
In the HTTP Flood Mitigation section, click Settings to view the rules whose names start with smartcc_.
View attack warning logs
After you enable the feature for your website, the log analysis feature records detected attacks that trigger the accurate access control rules. You can query the attack warning logs that are associated with the accurate access control rules on the Log Analysis page. This allows you to check the performance levels of the feature.
The log analysis feature is enabled for your website. For more information, see Use the log analysis feature.
Log on to the Anti-DDoS Pro console. Choose . On the page that appears, select a domain name and enter the following query statement to view the attack warning logs related to the intelligent protection feature:
matched_host:"aliyundoc.com" and cc_action:alarm
Replace aliyundoc.com with the actual domain name of your website.
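One way to review the Warning-mode results before you set Mode to Protection, as an added example that is not part of the original documentation or of Alibaba Cloud tooling: the script applies the same filter as the query above to an exported log and reports alarms raised against clients you trust. It assumes the logs are exported as one JSON object per line; the field names real_client_ip and request_uri, the non-alarm value none, and the KNOWN_GOOD range are assumptions, and the sample records are constructed.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample export, one JSON object per line. matched_host and
# cc_action come from the page's query; the other field names and the
# non-alarm value "none" are assumptions.
SAMPLE_EXPORT = """\
{"matched_host": "aliyundoc.com", "cc_action": "alarm", "real_client_ip": "198.51.100.7", "request_uri": "/login"}
{"matched_host": "aliyundoc.com", "cc_action": "alarm", "real_client_ip": "198.51.100.7", "request_uri": "/login"}
{"matched_host": "aliyundoc.com", "cc_action": "alarm", "real_client_ip": "192.0.2.5", "request_uri": "/healthz"}
{"matched_host": "aliyundoc.com", "cc_action": "none", "real_client_ip": "203.0.113.9", "request_uri": "/"}
{"matched_host": "other.example", "cc_action": "alarm", "real_client_ip": "198.51.100.8", "request_uri": "/login"}
truncated-line-not-json
"""
KNOWN_GOOD = ["192.0.2.0/28"]  # constructed: e.g. your own monitoring probes


def review_alarms(export_text, host, known_good_cidrs):
    """Summarize Warning-mode alarms for one host and flag trusted clients."""
    nets = [ipaddress.ip_network(c) for c in known_good_cidrs]
    by_uri, trusted_hits, total = Counter(), Counter(), 0
    for line in export_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or damaged lines instead of aborting
        # Same filter as the page's query: matched_host:<host> and cc_action:alarm
        if rec.get("matched_host") != host or rec.get("cc_action") != "alarm":
            continue
        total += 1
        by_uri[rec.get("request_uri", "?")] += 1
        try:
            ip = ipaddress.ip_address(rec.get("real_client_ip", ""))
        except ValueError:
            continue  # missing or malformed client address
        if any(ip in net for net in nets):
            trusted_hits[str(ip)] += 1  # a trusted client would have been blocked
    return {
        "alarms": total,
        "top_uris": by_uri.most_common(3),
        "false_positive_candidates": dict(trusted_hits),
        "no_trusted_client_flagged": not trusted_hits,
    }


if __name__ == "__main__":
    print(review_alarms(SAMPLE_EXPORT, "aliyundoc.com", KNOWN_GOOD))
```

A non-empty false_positive_candidates result means that a client you trust would have been blocked in Protection mode, which is the false-positive case that the Warning period is meant to surface.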