Anti-DDoS:Add an object for protection

Prerequisites

• An Anti-DDoS Origin Enterprise instance or an elastic IP address (EIP) that has Anti-DDoS (Enhanced) enabled is purchased. For more information, see Purchase an Anti-DDoS Origin Enterprise instance or Best practices for purchasing and using EIPs integrated with Anti-DDoS Pro/Premium.
• An asset that is assigned a public IP address is purchased. The asset can be an Elastic Compute Service (ECS) instance, Server Load Balancer (SLB) instance, EIP that is associated with a NAT gateway, simple application server, Web Application Firewall (WAF) instance, or virtual private cloud (VPC).

Procedure

Step 1: Add an object for protection

The following sections describe the methods to add an object to the Anti-DDoS Origin Enterprise instance for protection.

Add an object on the Protected Asset IP page

1. Log on to the Traffic Security console.
2. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Protected Objects.
3. In the top navigation bar, select the resource group and region of your instance.
4. On the Protected Asset IP page, select the Anti-DDoS Origin Enterprise instance that you purchased and click Add Protected Asset.
5. If you use Anti-DDoS Origin Enterprise for the first time, you must follow the instructions that are provided on the page to complete the authorization for the assets within your Alibaba Cloud account.
6. In the Add Protected Asset dialog box, enter the public IP address of your asset that you want to protect and click OK.
   Note

   • You must enter the public IP address of an asset within your Alibaba Cloud account. The asset must be in the same region as the Anti-DDoS Origin Enterprise instance.
   • You must separate multiple public IP addresses with commas (,).

Add an object on the Manage Instances page

Step 2: (Optional) Attach a mitigation policy

After you add an object to the instance for protection, Anti-DDoS Origin Enterprise provides the default protection capability against DDoS attacks. You can also attach a mitigation policy to the public IP address or port of your asset to allow or deny service traffic that has specific characteristics based on your business requirements. This improves the effects of DDoS mitigation. For more information, see Use the mitigation settings feature (public preview).

Step 3: (Optional) View the mitigation policy

After you attach a mitigation policy to the public IP address or port of your asset, you can perform the following steps to view the mitigation policy.

1. Log on to the Traffic Security console.
2. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Protected Objects.
3. In the top navigation bar, select the resource group and region of your instance.
4. On the Protected Asset IP page, select the required instance or your EIP. Then, find the public IP address of your asset to view related mitigation settings.

   Parameter	Description
   IP	The public IP address that is protected by the instance or assigned to your EIP.
   Traffic Scrubbing Threshold	The minimum bandwidth that must be reached before traffic scrubbing is triggered. The bandwidth is measured in Mbit/s and packets per second (pps). For more information, see Configure a traffic scrubbing threshold.
   Asset Type	The type of the asset to which the public IP address belongs.
   Ports	The number of ports for which the port-specific mitigation policy is configured. You can click the icon to the left of the public IP address to view the details of the port-specific mitigation policy. Note You can configure port-specific mitigation policies only for EIPs that have Anti-DDoS (Enhanced) enabled.
   Status	The security status of the public IP address. Normal. Cleaning. You can cancel traffic scrubbing. For more information, see Cancel traffic cleaning. Blackholing. You can view the blackhole filtering events. For more information, see View the point in time when blackhole filtering is triggered for an asset and the reason why blackhole filtering is triggered. You can also manually deactivate blackhole filtering. For more information, see Manually deactivate blackhole filtering.
   Mitigation Policy	The mitigation policy that is attached to the public IP address or a port of the public IP address. You can click the mitigation policy to go to the Mitigation Setting page to view the details of the mitigation policy. Note If Default is displayed in the Mitigation Policy column, no mitigation policies are attached to the public IP address or a port of the public IP address. The default protection capability is used.
   Actions	If your asset is an EIP that has Anti-DDoS (Enhanced) enabled, you can perform the following operations: Add Port: Click Add Port to add a port of the public IP address to the port-specific mitigation policy. Deactivate Black Hole: Click Deactivate Black Hole to deactivate blackhole filtering. This operation is supported only when the public IP address of your asset is in the Blackholing state. View Applied Policy: Click View Applied Policy to view the details of the mitigation policy that is attached to the port. If your asset is not an EIP that has Anti-DDoS (Enhanced) enabled, you can perform the following operations: Delete: Click Delete to remove the mitigation policy that is attached to the public IP address of your asset. Deactivate Black Hole: Click Deactivate Black Hole to deactivate blackhole filtering. This operation is supported only when the public IP address of your asset is in the Blackholing state. View Applied Policy: Click View Applied Policy to view the details of the mitigation policy that is attached to the public IP address of your asset.

5. If your asset is an EIP that has Anti-DDoS (Enhanced) enabled, click the icon to the left of a public IP address that is assigned to your EIP to view the details of port-specific mitigation policies.

   Parameter	Description
   Port	The port that is added to a mitigation policy.
   Protocol	The protocol that is used by the port.
   Added At	The time when the port is added to the mitigation policy.
   Protection Status	The status of the mitigation policy for the port. Protection Disabled: The port is added to the mitigation policy, but the policy is not enabled for the port. You can click Enable Protection in the Actions column to enable the mitigation policy for the port. Protected
   Mitigation Policy	The mitigation policy that is attached to the port. You can click the name of the mitigation policy to go to the Mitigation Setting page. On this page, you can click Modify Protection Rule to modify the rules that belong to the policy or click Add Object for Protection to attach the policy to multiple ports.
   Actions	If Protected is displayed in the Protection Status column of the port, you can perform the following operations: Disable Protection: Click Disable Protection to disable the mitigation policy for the port. View Applied Policy: Click View Applied Policy to view the details of the mitigation policy. Note If you only add a port, but do not attach a port-specific mitigation policy to the port, the Actions column displays Associate Existing Policy instead of View Applied Policy. Unbind Policy: Click Unbind Policy to detach the policy from the port. Remove Port: Click Remove Port to remove the port. If Protection Disabled is displayed in the Protection Status column of the port, you can perform the following operations: Enable Protection: Click Enable Protection to enable the mitigation policy for the port. Associate Existing Policy: Click Associate Existing Policy to attach an existing mitigation policy to the port. Remove Port: Click Remove Port to remove the port.

What to do next

Manage a protected object

You can attach a mitigation policy to a protected object.

1. Click View Applied Policy in the Actions column of the required public IP address of your asset. On the page that appears, click Create Mitigation Policy in the upper-right corner.
2. Find the policy that you want to attach to the public IP address and click Add Object for Protection in the Actions column. In the View Applicable Object panel, click Add Protected Asset.
3. In the Add Object for Protection panel, search for the public IP address of your asset by region and instance. Select the public IP address and click the icon. Then, click Add.

If you want to change the mitigation policy for a protected object, you must remove the protected object from the policy and then attach another policy to the protected object. For more information, see Use the mitigation settings feature (public preview).

If you want to detach the mitigation policy from a protected object, you must remove the protected object from the policy. For more information, see Use the mitigation settings feature (public preview).

Manage a port-specific mitigation policy (only available for a EIP that has Anti-DDoS (Enhanced) enabled)

Add a port to a port-specific mitigation policy

1. Find the required public IP address and click Add Port in the Actions column. In the dialog box that appears, specify Port Number and click OK.
2. In the Port list, find the port that you added and click Associate Existing Policy in the Actions column.
3. In the Associate Existing Policy dialog box, select a mitigation policy and click OK.
4. Click Enable Protection in the Actions column.
   Warning When you add a port to a port-specific mitigation policy, a transient connection that lasts a few seconds occurs on your TCP-based services. We recommend that you add a port to a port-specific mitigation policy during off-peak hours.

Change the port-specific mitigation policy for a port

1. Find the required public IP address and click the icon to the left of the IP address to expand the port list.
2. Find the required port and click More in the Actions column. Then, click Unbind Policy to detach the mitigation policy from the port.
3. Click Associate Existing Policy in the Actions column to attach another mitigation policy to the port.

Detach a port-specific mitigation policy from a port

1. Find the required public IP address and click the icon to the left of the IP address to expand the port list.
2. Find the required port and click More in the Actions column. Then, click Remove Port.

Manually deactivate blackhole filtering

If the Status column of a protected object displays Blackholing, you can manually deactivate blackhole filtering for the protected object.

1. Log on to the Traffic Security console.
2. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Protected Objects.
3. In the top navigation bar, select the resource group and region of your instance.
4. Select the required protected object and find the public IP address for which you want to manually deactivate blackhole filtering. Then, click Deactivate Black Hole in the Actions column.
5. In the Deactivate Black Hole message, view the remaining number of times that you can deactivate blackhole filtering and click OK.

FAQ

• When I add the IP address of a service, the system prompts that the number of IP addresses reaches the upper limit. What do I do?
• What do I do if the error message "The IP address does not belong to your account" is displayed when I add an IP address to Anti-DDoS Origin?

References

• Use the mitigation settings feature (public preview)
• Manage instances
• Cancel traffic cleaning
• View the point in time when blackhole filtering is triggered for an asset and the reason why blackhole filtering is triggered