Anti-DDoS Proxy provides a blacklist and whitelist feature for domain names: it blocks access requests from specific IP addresses (blacklist) or lets them through without applying any protection policies (whitelist).
Whitelist: Permits trusted IP addresses, such as internal office networks, business API callers, and other verified IPs, to access your service without applying any protection policies.
Blacklist: Blocks access requests from specific IP addresses.
If an IP address appears on both the blacklist and the whitelist, the whitelist takes precedence.
Anti-DDoS Proxy supports two types of blacklists and whitelists:
IP-address-based: Applies to all services added to an instance, including port services. For details, see Configure blacklists and whitelists for IP addresses.
Domain-name-based: Applies to specific domain names only. The following sections describe domain-name-based configuration.
Prerequisites
A website service is added to Anti-DDoS Proxy. For details, see Add websites.
Configure a blacklist or whitelist for a domain name
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
Anti-DDoS Proxy (Chinese Mainland): Choose the Chinese Mainland region.
Anti-DDoS Proxy (Outside Chinese Mainland): Choose the Outside Chinese Mainland region.
In the left-side navigation pane, choose .
On the General Policies page, select the Protection for Website Services tab, and then select the domain name from the list on the left.
In the Blacklist and Whitelist section, click Settings.
In the Configure Blacklist and Whitelist dialog box, enter IP addresses or CIDR blocks for the blacklist and whitelist, and then click OK. Separate multiple entries with commas. Both IP address and subnet mask formats are supported.
Back in the Blacklist and Whitelist section, toggle the Status switch to activate the settings.
Verify the configuration
After you enable the policy, confirm that the blacklist and whitelist work as expected:
Send a request from a blacklisted IP and verify that the request is blocked.
Send a request from a whitelisted IP and verify that the request is allowed.
Validity period
The policy is permanently effective. Once enabled, the settings apply to each instance associated with the domain names and immediately affect traffic.
Occasionally, blacklist and whitelist policies take effect only after your instance receives and processes specific inbound traffic. If the settings do not take effect after you enable the policy, access the domain names several times to trigger activation.
Limits
Entry limits by plan
| Plan | Blacklist entries | Whitelist entries | Scope |
|---|---|---|---|
| Standard | 200 | 200 | All domain names under the same Alibaba Cloud account |
| Enhanced | 2,000 | 2,000 | All domain names under the same Alibaba Cloud account |
IP address and CIDR block restrictions
| Restriction | IPv4 | IPv6 |
|---|---|---|
| Supported formats | IPv4 addresses and CIDR blocks | IPv6 addresses and CIDR blocks |
| Instance requirement | IPv4-only instances | IPv6-only instances |
| CIDR prefix length (blacklist) | /8 to /32 | /32 to /128 |
| CIDR prefix length (whitelist) | /9 to /32 | /32 to /128 |
| Forbidden addresses | 0.0.0.0, 255.255.255.255 | ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff |
CIDR blocks with a subnet mask of /0 to /8 cannot be added to the whitelist.
CIDR block examples:
| Notation | Description |
|---|---|
| 192.168.1.1 or 192.168.1.1/32 | Single IPv4 address |
| 192.168.1.0/24 | IPv4 range: 192.168.1.0 -- 192.168.1.255 (256 addresses) |
| 10.0.0.0/8 | IPv4 range: 10.0.0.0 -- 10.255.255.255 (blacklist only) |
| 2001:db8::1/128 | Single IPv6 address |
| 2001:db8::/32 | IPv6 range starting at 2001:db8:: |
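As an added example (not part of the Anti-DDoS Proxy documentation or product), the following Python helper checks a comma-separated entry string against the prefix-length, forbidden-address and per-plan entry limits above before it is pasted into the console, and shows the whitelist-over-blacklist precedence for a given source IP. The function names and sample addresses are this example's own.

```python
# Added example: validate Anti-DDoS Proxy domain-name blacklist/whitelist
# entries against the limits in the tables above, then evaluate which list
# a source IP matches (a whitelist match overrides a blacklist match).
# The limits are taken from the page; helper names are this example's own.
import ipaddress

FORBIDDEN = {
    ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("255.255.255.255"),
    ipaddress.ip_address("::"),
    ipaddress.ip_address("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"),
}
# (min_prefix, max_prefix) per list type and IP version, from the page's table
PREFIX_LIMITS = {
    ("blacklist", 4): (8, 32), ("whitelist", 4): (9, 32),
    ("blacklist", 6): (32, 128), ("whitelist", 6): (32, 128),
}
ENTRY_LIMITS = {"Standard": 200, "Enhanced": 2000}


def parse_entries(text, which, plan="Standard"):
    """Parse a comma-separated entry string as typed into the console.
    Returns (networks, errors); networks is a list of ip_network objects."""
    networks, errors = [], []
    for raw in (e.strip() for e in text.split(",") if e.strip()):
        try:
            net = ipaddress.ip_network(raw, strict=False)  # bare IP -> /32 or /128
        except ValueError:
            errors.append(f"{raw}: not an IP address or CIDR block")
            continue
        lo, hi = PREFIX_LIMITS[(which, net.version)]
        if not lo <= net.prefixlen <= hi:
            errors.append(f"{raw}: {which} prefix must be /{lo} to /{hi}")
        elif net.prefixlen == net.max_prefixlen and net.network_address in FORBIDDEN:
            errors.append(f"{raw}: address is not allowed")
        else:
            networks.append(net)
    if len(networks) > ENTRY_LIMITS[plan]:
        errors.append(f"{len(networks)} entries exceed the {plan} limit of {ENTRY_LIMITS[plan]}")
    return networks, errors


def decide(ip, blacklist, whitelist):
    """Return 'whitelist', 'blacklist' or 'none' for a source IP, applying the
    page's rule that the whitelist takes precedence when both lists match."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in whitelist):
        return "whitelist"
    if any(addr in net for net in blacklist):
        return "blacklist"
    return "none"
```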
References
To identify source IP addresses involved in attacks, visit the Attack Analysis page. Consider adding suspicious IPs to the blacklist. For details, see View information on the Attack Analysis page.