Anti-DDoS:Use the mitigation settings feature (previous version)

Last Updated:Jan 15, 2024

This topic describes how to configure custom mitigation policies for an Anti-DDoS instance of a paid edition.

Overview

After you add your asset that is assigned a public IP address to an Anti-DDoS instance of a paid edition for protection, the instance uses the default mitigation policy to protect the asset. You can create custom mitigation policies based on your business requirements to allow or deny service traffic that has specific characteristics. After your asset encounters DDoS attacks, you can view the characteristics of the attack traffic in mitigation logs or on the Attack Analysis page. Then, you can adjust the custom mitigation policies. This improves the DDoS mitigation effect. An asset that is assigned a public IP address is referred to as an asset for short in the following sections. For more information about how to view mitigation logs and information on the Attack Analysis page, see Query mitigation logs and View information on the Attack Analysis page.

Mitigation policy types

You can configure different rules for mitigation policies of the IP-specific Mitigation Policy (Attack-triggered), IP-specific Mitigation Policy (Parallel), and Port-specific Mitigation Policy types. We recommend that you configure mitigation policies of all types at the same time. If a DDoS attack occurs, the mitigation policies of the following types are applied in sequence: IP-specific Mitigation Policy (Attack-triggered), IP-specific Mitigation Policy (Parallel), and Port-specific Mitigation Policy. A mitigation policy of the Cross-border Traffic Blocking Policy - Default type has a validity period and a quota limit. We recommend that you configure this type of mitigation policy when a DDoS attack occurs.

Policy type

Description

IP-specific Mitigation Policy (Attack-triggered)

If the attack traffic that is sent to your asset exceeds the traffic scrubbing threshold, the system automatically mitigates Layer 3 and Layer 4 volumetric DDoS attacks based on the mitigation policy that you configured until the attack stops.

IP-specific Mitigation Policy (Parallel)

The mitigation policy that you configured for your asset takes effect on all service traffic that passes through the asset. If the service traffic that has specific characteristics matches a rule in the policy, the system processes the service traffic based on the specified action. This type of mitigation policy can be used to mitigate Layer 3 and Layer 4 DDoS attacks and HTTP flood attacks.

Port-specific Mitigation Policy

This type of mitigation policy can be used to mitigate TCP flood attacks (Layer 4 HTTP flood attacks) that are launched against your non-website service and detect and filter application-layer traffic in a fine-grained manner. If the traffic that has specific characteristics matches the policy, the system allows or blocks the traffic.

Cross-border Traffic Blocking Policy - Default

You can configure this type of mitigation policy to block cross-border traffic. This type of mitigation policy is suitable for scenarios in which your service does not involve cross-border traffic. This type of mitigation policy typically denies traffic from specific regions based on the location of the attack source by using core routers in the backbone network of an Internet service provider (ISP).

Note

The Port Blocking rule of IP-specific Mitigation Policy (Parallel) denies traffic from specific regions based on the location of the attacked object.

  • If you configure this type of mitigation policy for your asset that resides in a region in the Chinese mainland, the mitigation policy blocks traffic that is initiated outside the Chinese mainland.

  • If you configure this type of mitigation policy for your asset that resides in a region outside the Chinese mainland, the mitigation policy blocks traffic that is initiated from the Chinese mainland.

You can use this type of mitigation policy to block traffic up to 10 times per month for each instance.

Supported regions for different types of mitigation policies

During the public preview, you can configure mitigation policies free of charge. However, only some regions are supported, and limited functionalities are provided, as described in the following table. If the mitigation policies cannot meet your business requirements, you can submit a ticket to contact technical support.

The following table lists the policy types that are supported for each asset type and region. Supported indicates that the policy type can be configured for the asset type in the region, and Not supported indicates that it cannot.

Asset that is added to an Anti-DDoS Origin 1.0 or Anti-DDoS Origin 2.0 instance

  • Chinese mainland
    IP-specific Mitigation Policy (Attack-triggered): Supported
    IP-specific Mitigation Policy (Parallel): Not supported
    Port-specific Mitigation Policy: Not supported
    Cross-border Traffic Blocking Policy - Default: Supported

  • Regions outside the Chinese mainland
    IP-specific Mitigation Policy (Attack-triggered): Supported in China (Hong Kong), US (Virginia), US (Silicon Valley), Germany (Frankfurt), UK (London), Japan (Tokyo), Singapore, Indonesia (Jakarta), and Malaysia (Kuala Lumpur)
    IP-specific Mitigation Policy (Parallel): Not supported
    Port-specific Mitigation Policy: Not supported
    Cross-border Traffic Blocking Policy - Default: Not supported

Elastic IP address (EIP) with Anti-DDoS (Enhanced) enabled

  • Chinese mainland
    IP-specific Mitigation Policy (Attack-triggered): Supported
    IP-specific Mitigation Policy (Parallel): Supported
    Port-specific Mitigation Policy: Supported only in the China (Hangzhou) region
    Cross-border Traffic Blocking Policy - Default: Supported

  • Regions outside the Chinese mainland
    IP-specific Mitigation Policy (Attack-triggered): Supported in China (Hong Kong), US (Virginia), US (Silicon Valley), Germany (Frankfurt), UK (London), Japan (Tokyo), Singapore, Indonesia (Jakarta), and Malaysia (Kuala Lumpur)
    IP-specific Mitigation Policy (Parallel): Supported in China (Hong Kong), US (Virginia), US (Silicon Valley), Germany (Frankfurt), UK (London), Japan (Tokyo), and Singapore
    Port-specific Mitigation Policy: Not supported
    Cross-border Traffic Blocking Policy - Default: Not supported

Asset that is added to an anti-DDoS diversion instance

  • Regions outside the Chinese mainland
    IP-specific Mitigation Policy (Attack-triggered): Not supported
    IP-specific Mitigation Policy (Parallel): Not supported
    Port-specific Mitigation Policy: Not supported
    Cross-border Traffic Blocking Policy - Default: Not supported

IP-specific Mitigation Policy (Attack-triggered)

Prerequisites

  • An Anti-DDoS Origin 1.0 or Anti-DDoS Origin 2.0 instance is purchased, and an asset is added to the instance. For more information, see Add objects for protection.

  • An EIP with Anti-DDoS (Enhanced) enabled is purchased. The EIP with Anti-DDoS (Enhanced) enabled is automatically added for protection.

Create a mitigation policy and add an object for protection

  1. Log on to the Traffic Security console.

  2. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Mitigation Settings.

  3. Click Create Policy, specify Policy Name, set Select Policy Type to IP-specific Mitigation Policy (Attack-triggered), and then click OK.

  4. When the message The policy is created. appears, click OK.

  5. Configure rules for the mitigation policy and click Next.

    Important

    The following types of rules are listed in descending order of priority: the blacklist rule, the ICMP Blocking rule, the whitelist rule, the Port Blocking rule, and the Byte-Match Filter rule.

    ICMP Blocking

    Description: This type of rule denies Internet Control Message Protocol (ICMP) requests during traffic scrubbing. This protects servers from malicious scans and helps mitigate ICMP flood attacks.

    Note

    This rule also takes effect on the IP addresses in the whitelist. ICMP requests that are sent from these IP addresses are denied as well.

    Configuration: Turn on Status. In the message that appears, click OK.

    Port Blocking

    Description: This type of rule denies UDP or TCP requests that are sent from the specified source ports or to the specified destination ports. This helps mitigate UDP reflection attacks.

    Important

    We recommend that you configure a rule of this type based on the following suggestions:

    • If your asset does not provide UDP services, we recommend that you block all source UDP ports. If your asset provides UDP services later, adjust the mitigation policy in a timely manner.

    • If your asset provides UDP services, we recommend that you block the common source ports that are exploited by UDP reflection attacks. The ports include ports 1 to 52, ports 54 to 161, port 389, port 1900, and port 11211.

    Make sure that the port ranges of two port blocking rules that have the same protocol and port type do not overlap. You can create up to eight rules.

    Configuration:

    1. In the Port Blocking section, click Settings. In the Configure Source Port Blocking panel, click Add Port.

    2. In the Add Port panel, configure the following parameters and click OK.

      • Protocol: the protocol of the requests that you want to block. Valid values: TCP and UDP.

      • Source Port Range: the range of source ports. Valid values: 1 to 65535.

      • Destination Port Range: the range of destination ports. Valid values: 1 to 65535.

      • Action: the action on the requests that use the specified protocol and ports. The value is fixed as Discard.

    Blacklist and Whitelist

    Description: The blacklist rule denies requests from specific source IP addresses, and the whitelist rule allows requests from specific source IP addresses.

    Configuration:

    1. In the Blacklist and Whitelist section, click Settings.

    2. In the Blacklist and Whitelist panel, click Add IP Address to Blacklist or Whitelist.

    3. In the panel that appears, add IP addresses on the Blacklist and Whitelist tabs and click OK.

    Byte-Match Filter

    Description: This type of rule matches the bytes at a specified offset in the payload of UDP or TCP packets and denies, allows, or rate-limits the matching requests during traffic scrubbing. In most cases, attack packets that are forged by attack tools share the same feature fields. For example, the packets contain the same string or content.

    Configuration:

    1. In the Byte-Match Filter section, click Settings.

    2. In the Configure Byte-Match Filter panel, click Add Feature.

    3. Configure the following parameters and click OK.

      • Protocol: the type of the protocol. Valid values: TCP and UDP.

      • Source Port Range: the range of source ports. Valid values: 0 to 65535.

      • Destination Port Range: the range of destination ports. Valid values: 0 to 65535.

      • Packet Length Range: the range of packet lengths. Valid values: 1 to 1500. Unit: bytes.

      • Offset: the offset of bytes in UDP or TCP packets. Valid values: 0 to 1500. Unit: bytes.

        If you set this parameter to 0, the system starts matching from the first byte.

      • Payload: the matching payload of UDP or TCP packets. You must enter a hexadecimal string that starts with 0x.

      • Action: the action on the requests that match the specified conditions. Valid values: Pass, Discard, Limit Bandwidth of Source IP Address, and Limit Bandwidth of Session.

        If you select Limit Bandwidth of Source IP Address or Limit Bandwidth of Session, you must specify Bandwidth. Valid values of Bandwidth: 1 to 100000. Unit: packets per second (pps).

    You can manage the Byte-Match Filter rules that you configured in the Configure Byte-Match Filter panel. For example, you can click Edit, Delete, Move Down, or Move Up to manage the rules.

    Note

    You can change the order of rules to manage the rules in an efficient manner. The change does not affect the rules.

  6. In the Objects to Select section of the Protected Assets section, search for the asset on which you want the configured rules to take effect by region and instance name and click Add.

    Note

    An asset can be added to only one mitigation policy of the IP-specific Mitigation Policy (Attack-triggered) type.
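The rule priority stated above (blacklist, then ICMP Blocking, then whitelist, then Port Blocking, then Byte-Match Filter) decides which rule wins when a packet matches several of them. The following Python model is added here as an illustration and is not code from Anti-DDoS Origin; the Packet, PortBlock and ByteMatch shapes, the reading of "port type" as source versus destination, and the sample signatures 0xdeadbeef and 0x41414141 are assumptions made for the example. It walks constructed packets through the rules in that order and shows why an ICMP request from a whitelisted address is still dropped, why a DNS reply from source port 53 reaches the Byte-Match Filter while an LDAP reply from port 389 is already dropped by Port Blocking, and how Offset 4 matches the fifth byte onward.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    proto: str            # "TCP", "UDP" or "ICMP"
    sport: int = 0
    dport: int = 0
    payload: bytes = b""  # assumption: len(payload) stands in for the packet length


@dataclass
class PortBlock:
    proto: str      # "TCP" or "UDP"
    port_type: str  # "source" or "destination" (assumed meaning of the page's "port type")
    low: int        # inclusive range, 1 to 65535
    high: int


@dataclass
class ByteMatch:
    proto: str
    sport: tuple    # (low, high), inclusive
    dport: tuple
    length: tuple   # packet length range, 1 to 1500 bytes
    offset: int     # 0 starts matching at the first byte
    payload: str    # hexadecimal string that starts with 0x, as the console requires
    action: str


@dataclass
class AttackTriggeredPolicy:
    blacklist: list = field(default_factory=list)   # CIDR strings
    whitelist: list = field(default_factory=list)
    icmp_blocking: bool = False
    port_blocks: list = field(default_factory=list)
    byte_match: list = field(default_factory=list)  # evaluated in list order (Move Up / Move Down)


def validate_port_blocks(rules):
    # Page constraints: at most eight rules, no overlap for the same protocol and port type
    if len(rules) > 8:
        raise ValueError("at most eight Port Blocking rules per policy")
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            same_kind = a.proto == b.proto and a.port_type == b.port_type
            if same_kind and a.low <= b.high and b.low <= a.high:
                raise ValueError(f"overlapping {a.proto} {a.port_type} port ranges")
    return True


def byte_match_hits(rule, pkt):
    within = lambda rng, v: rng[0] <= v <= rng[1]
    if rule.proto != pkt.proto or not within(rule.length, len(pkt.payload)):
        return False
    if not (within(rule.sport, pkt.sport) and within(rule.dport, pkt.dport)):
        return False
    if not rule.payload.lower().startswith("0x"):
        raise ValueError("Payload must be a hexadecimal string that starts with 0x")
    pattern = bytes.fromhex(rule.payload[2:])
    return pkt.payload[rule.offset:rule.offset + len(pattern)] == pattern


def evaluate(policy, pkt):
    src = ip_address(pkt.src)
    if any(src in ip_network(n) for n in policy.blacklist):
        return "Discard"  # the blacklist has the highest priority
    if policy.icmp_blocking and pkt.proto == "ICMP":
        return "Discard"  # ICMP Blocking outranks the whitelist
    if any(src in ip_network(n) for n in policy.whitelist):
        return "Pass"
    for r in policy.port_blocks:
        port = pkt.sport if r.port_type == "source" else pkt.dport
        if r.proto == pkt.proto and r.low <= port <= r.high:
            return "Discard"  # the Port Blocking action is fixed as Discard
    for r in policy.byte_match:
        if byte_match_hits(r, pkt):
            return r.action
    return "Pass"


# Constructed sample policy: the page's recommended UDP reflection source ports plus
# two byte-match signatures invented for the example.
REFLECTION_SOURCE_PORTS = [(1, 52), (54, 161), (389, 389), (1900, 1900), (11211, 11211)]
POLICY = AttackTriggeredPolicy(
    blacklist=["192.0.2.0/24"],
    whitelist=["198.51.100.7/32"],
    icmp_blocking=True,
    port_blocks=[PortBlock("UDP", "source", lo, hi) for lo, hi in REFLECTION_SOURCE_PORTS],
    byte_match=[
        ByteMatch("UDP", (1, 65535), (1, 65535), (1, 1500), 0, "0xdeadbeef", "Discard"),
        ByteMatch("TCP", (1, 65535), (80, 80), (1, 1500), 4, "0x41414141",
                  "Limit Bandwidth of Source IP Address"),
    ],
)
validate_port_blocks(POLICY.port_blocks)

# Constructed sample packets (documentation addresses, not captured traffic)
SAMPLES = {
    "whitelisted_icmp": Packet("198.51.100.7", "ICMP"),
    "blacklisted_tcp": Packet("192.0.2.10", "TCP", 40000, 80, b"GET / HTTP/1.1"),
    "ldap_reflection": Packet("203.0.113.9", "UDP", 389, 5000, b"\x30\x84" + b"\x00" * 40),
    "dns_reply_signature": Packet("203.0.113.9", "UDP", 53, 5000, bytes.fromhex("deadbeef") + b"\x00" * 20),
    "dns_reply_clean": Packet("203.0.113.9", "UDP", 53, 5000, b"\x12\x34\x81\x80" + b"\x00" * 20),
    "tcp_offset_match": Packet("203.0.113.9", "TCP", 40000, 80, b"GET AAAA HTTP/1.1"),
}


def decisions():
    return {name: evaluate(POLICY, pkt) for name, pkt in SAMPLES.items()}
```

Call decisions() to see the action chosen for each sample packet. Because validate_port_blocks enforces the non-overlap rule from the page, a second UDP source rule that covers port 50 to 60 is rejected before it can shadow the 1 to 52 rule.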

IP-specific Mitigation Policy (Parallel)

After you purchase an EIP with Anti-DDoS (Enhanced) enabled, the EIP with Anti-DDoS (Enhanced) enabled is automatically added for protection. You do not need to manually add the EIP with Anti-DDoS (Enhanced) enabled. You need to only create an IP-specific Mitigation Policy (Parallel) and bind the policy to the EIP with Anti-DDoS (Enhanced) enabled.

Create a mitigation policy and add an object for protection

  1. Log on to the Traffic Security console.

  2. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Mitigation Settings.

  3. Click Create Policy, specify Policy Name, set Select Policy Type to IP-specific Mitigation Policy (Parallel), and then click OK.

  4. When the message The policy is created. appears, click OK.

  5. Configure rules for the mitigation policy and then click Next.

    Important

    The following types of rules are listed in descending order of priority: the Blacklist and Whitelist rule, the Reflection Attack Filtering rule, the Location Blacklist rule, and the Source Rate Limiting rule.

    Intelligent Protection

    Description: This type of rule provides effective protection against Layer 4 connection flood attacks. The intelligent engine based on big data analytics automatically learns the traffic patterns of your service, and detects and blocks Layer 4 connection flood attacks.

    Configuration: In the Intelligent Protection section, click Settings. In the Intelligent Protection dialog box, configure Status and Level, and click OK. The following list describes the protection capabilities that are provided by the intelligent protection rule at each level:

    • Loose: The intelligent protection rule at the Loose level protects your assets against malicious IP addresses that have attack characteristics. The Loose policy may allow attacks but has a low false positive rate. The Loose policy is developed based on data of historical service traffic, expert experience, and algorithms.

    • Normal: The intelligent protection rule at the Normal level protects your assets against malicious and suspicious IP addresses that have attack characteristics. The Normal policy helps achieve balance between protection effects and low false positive rates. The Normal policy is developed based on data of historical service traffic, expert experience, and algorithms.

    • Strict: The intelligent protection rule at the Strict level provides strong protection against attacks. The Strict rule causes false positives in some cases. The Strict rule is developed based on data of historical service traffic, expert experience, and algorithms.

    Important

    After you create a mitigation policy, the intelligent protection rule is automatically enabled and set to the Normal level. In this case, the intelligent engine based on big data analytics requires approximately three days to provide optimal protection after it learns signatures of your service traffic.

    Blacklist and Whitelist

    Description: This type of rule allows you to filter out or allow traffic from specified source IP addresses. Traffic from IP addresses in the blacklist is blocked. Traffic from IP addresses in the whitelist is allowed.

    Configuration: In the Blacklist and Whitelist section, click Settings. In the Configure Blacklist and Whitelist panel, add IP addresses on the Blacklist and Whitelist tabs.

    Important

    If you add an IP address to the blacklist, you must specify a validity period for the blacklist. The validity period can be up to seven days. The validity period setting takes effect on all IP addresses that are added to the blacklist.

    Location Blacklist

    Description: This type of rule allows you to configure a location blacklist for each IP address that is protected by Anti-DDoS Origin. The blacklist can block traffic from IP addresses by geographic location. After the location blacklist is enabled, the traffic that is initiated from the blocked locations to the protected IP address is blocked.

    Configuration: In the Location Blacklist section, click Settings. In the Configure Location Blacklist panel, select the locations that you want to block and click OK.

    Source Rate Limiting

    Description: This type of rule allows you to specify thresholds to limit the rates at which source IP addresses access a protected IP address. If the access rate of a source IP address reaches a specified threshold after you enable the rule, the source IP address is added to the blacklist or access from the IP address is limited. All traffic from a source IP address that is added to the blacklist is blocked.

    Configuration: In the Source Rate Limiting section, click Settings. In the Configure Source Rate Limiting panel, configure Source PPS, Source Bandwidth, PPS of Source SYN Packets, and Bandwidth of Source SYN Packets. Then, click OK. You can specify a threshold for each type of access rate and specify whether a source IP address is added to the blacklist when the access rate of the IP address reaches a threshold.

    Reflection Attack Filtering

    Description: This type of rule monitors and protects only UDP traffic. Anti-DDoS Origin blocks UDP traffic from the source ports that you specify. This helps block common UDP reflection attacks.

    Configuration: In the Reflection Attack Filtering section, click Settings. In the Configure Filtering Policies for UDP Reflection Attacks panel, select source ports of reflection in the One-click Filtering Policy section based on your business requirements. You can also add other source ports of reflection in the Custom Filtering Policy section.

    Note

    The One-click Filtering Policy section lists common UDP reflection attacks. If your asset does not provide UDP services, we recommend that you block all source UDP ports.

  6. In the Objects to Select section of the Protected Assets section, search for the asset on which you want the configured rules to take effect by region and instance name and click Add.

    Note

    An EIP with Anti-DDoS (Enhanced) enabled can be added to only one mitigation policy of the IP-specific Mitigation Policy (Parallel) type.
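The Source Rate Limiting thresholds and the blacklist validity period described above interact: a source that crosses a threshold configured to add it to the blacklist is blocked entirely until its entry expires, while a source that crosses a limit-only threshold is only throttled within that window. The following Python model is an added example, not Anti-DDoS Origin code; it replays constructed traffic through per-source counters for the four thresholds (Source PPS, Source Bandwidth, PPS of Source SYN Packets, Bandwidth of Source SYN Packets). The one-second window, bits per second as the bandwidth unit, the one-hour blacklist validity chosen for the run, and the decision to act on the first packet above a threshold are assumptions made for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

SEVEN_DAYS = 7 * 24 * 3600  # the blacklist validity period can be up to seven days


@dataclass
class Threshold:
    limit: int              # packets per second, or bits per second for bandwidth thresholds
    add_to_blacklist: bool  # True: add the source to the blacklist; False: only limit its traffic


@dataclass
class SourceRateLimiting:
    source_pps: Optional[Threshold] = None
    source_bandwidth: Optional[Threshold] = None
    syn_pps: Optional[Threshold] = None
    syn_bandwidth: Optional[Threshold] = None


class RateLimiter:
    """Per-source, per-second counters (the one-second window is an assumption)
    plus a blacklist whose entries expire after the validity period."""

    def __init__(self, rule, blacklist_seconds=3600):
        self.rule = rule
        self.blacklist_seconds = min(blacklist_seconds, SEVEN_DAYS)
        self.counters = defaultdict(lambda: [0, 0, 0, 0])  # packets, bits, SYN packets, SYN bits
        self.blacklist = {}       # src -> expiry timestamp
        self.blacklist_log = []   # (src, timestamp) for every blacklisting event

    def handle(self, ts, src, size, syn=False):
        expiry = self.blacklist.get(src)
        if expiry is not None:
            if ts < expiry:
                return "Discard"      # all traffic from a blacklisted source is blocked
            del self.blacklist[src]   # validity period over: the source starts clean
        c = self.counters[(src, int(ts))]
        c[0] += 1
        c[1] += size * 8
        if syn:
            c[2] += 1
            c[3] += size * 8
        r = self.rule
        checks = ((c[0], r.source_pps), (c[1], r.source_bandwidth),
                  (c[2], r.syn_pps), (c[3], r.syn_bandwidth))
        for value, th in checks:
            # assumption: the packet that pushes the rate past the threshold is the first one acted on
            if th is not None and value > th.limit:
                if th.add_to_blacklist:
                    self.blacklist[src] = ts + self.blacklist_seconds
                    self.blacklist_log.append((src, ts))
                    return "Discard"
                return "Limited"      # over the threshold but not blacklisted: traffic is limited
        return "Pass"


def constructed_events():
    """Constructed traffic (documentation addresses): (timestamp, source, bytes, is_syn)."""
    events = [(10 + i / 500, "203.0.113.5", 60, True) for i in range(500)]      # SYN flood, 500 SYN/s
    events += [(10 + i / 350, "192.0.2.77", 1400, False) for i in range(350)]   # bulk sender, 350 pps
    events += [(10 + i / 20, "198.51.100.20", 500, i == 0) for i in range(20)]  # ordinary client
    events += [(11.5, "203.0.113.5", 60, True),           # flood source returns while blacklisted
               (10 + 3600 + 1, "203.0.113.5", 60, True)]  # and again after the validity period
    return sorted(events, key=lambda e: e[0])


def replay(rule=None, blacklist_seconds=3600):
    """Runs the constructed traffic through the limiter and returns per-source
    action counts together with the list of blacklisting events."""
    rule = rule or SourceRateLimiting(
        source_pps=Threshold(300, add_to_blacklist=False),
        source_bandwidth=Threshold(50_000_000, add_to_blacklist=False),
        syn_pps=Threshold(100, add_to_blacklist=True),
    )
    limiter = RateLimiter(rule, blacklist_seconds)
    outcome = defaultdict(Counter)
    for ts, src, size, syn in constructed_events():
        outcome[src][limiter.handle(ts, src, size, syn)] += 1
    return {src: dict(c) for src, c in outcome.items()}, limiter.blacklist_log


if __name__ == "__main__":
    counts, log = replay()
    for src, c in counts.items():
        print(src, c)
    print("blacklisted:", log)
```

In the replay, the SYN flood source is blacklisted on its 101st SYN and every later packet is discarded until the entry expires, the bulk sender is only throttled for the 50 packets above its Source PPS threshold and never blacklisted, and the ordinary client is untouched. Pick the blacklist action for thresholds that a legitimate client cannot plausibly reach; a limit-only threshold is the safer choice where bursts are expected.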

Port-specific Mitigation Policy

After you purchase an EIP with Anti-DDoS (Enhanced) enabled, the EIP with Anti-DDoS (Enhanced) enabled is automatically added for protection. However, you must add a port of the EIP with Anti-DDoS (Enhanced) enabled to a mitigation policy of the Port-specific Mitigation Policy type for the mitigation policy to take effect.

Prerequisites

A port of an EIP with Anti-DDoS (Enhanced) enabled is added to a mitigation policy on the Protected Objects page. For more information, see Add objects for protection.

Create a mitigation policy and add an object for protection

  1. Log on to the Traffic Security console.

  2. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Mitigation Settings.

  3. Click Create Policy, specify Policy Name, set Select Policy Type to Port-specific Mitigation Policy, and then click OK.

  4. When the message The policy is created. appears, click OK.

  5. Configure rules for the mitigation policy and click Next.

    The following parameters are available for each rule:

    Rule Name

    The name of the rule.

    Note

    You can add up to 10 rules to each mitigation policy.

    Minimum Bytes to Trigger Matching

    The minimum number of bytes in a session to trigger matching. Valid values: 0 to 2048.

    If you set this parameter to 1500 and the number of bytes in a session is less than 1500, the rule does not take effect.

    Rule Type

    The type of session to detect.

    Valid values:

    • String Match (ASCII)

    • Hexadecimal String Match

    Match Conditions

    • Start Position: the start position of the detection. Valid values: 0 to 2047. The value 0 indicates the first byte, the value 1 indicates the second byte, and so on.

    • Match Range in Bytes from Start Position: the number of bytes detected from the start position. Valid values: 1 to 2048. If you set this parameter to 20 and the Start Position parameter to 10, the eleventh to thirtieth bytes in a session are detected.

    • Term to Match: the content to match. The content is a string and can be up to 2,048 characters in length.

    Priority

    The priority of the detection. A smaller value indicates a higher priority. Valid values: 1 to 100.

    Logical Operator

    The condition based on which an action is performed. Valid values:

    • Hit

    • Not Hit

    Action

    The method to process a session that hits the rule. The value is fixed as Discard.

  6. In the Protected Assets section of the Objects to Select step, search for the required port and protocol by region, EIP name, and IP address. Then, select the port and protocol and click Add.
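The parameters above combine as follows: rules are tried in Priority order, a rule is skipped until the session has delivered at least Minimum Bytes to Trigger Matching, Start Position and Match Range in Bytes from Start Position select the window of session bytes that is inspected, and Logical Operator decides whether a hit or a miss triggers the Discard action. The following Python model is added here as an illustration, not code from the product; the two rules, the "GAME" protocol prefix, the hexadecimal signature and the reading that Term to Match may occur anywhere inside the window are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class PortRule:
    name: str                # Rule Name
    min_bytes: int           # Minimum Bytes to Trigger Matching, 0 to 2048
    rule_type: str           # "ascii" (String Match) or "hex" (Hexadecimal String Match)
    start: int               # Start Position, 0 to 2047; 0 is the first byte
    length: int              # Match Range in Bytes from Start Position, 1 to 2048
    term: str                # Term to Match
    priority: int            # 1 to 100; a smaller value is a higher priority
    operator: str            # Logical Operator: "Hit" or "Not Hit"
    action: str = "Discard"  # Action is fixed as Discard in the console


def term_bytes(rule):
    if rule.rule_type == "hex":
        hexstr = rule.term[2:] if rule.term.lower().startswith("0x") else rule.term
        return bytes.fromhex(hexstr)
    return rule.term.encode("ascii")


def validate_policy(rules):
    """Checks the limits the page states for a Port-specific Mitigation Policy."""
    if len(rules) > 10:
        raise ValueError("up to 10 rules per policy")
    for r in rules:
        if not 0 <= r.min_bytes <= 2048 or not 0 <= r.start <= 2047:
            raise ValueError(f"{r.name}: Minimum Bytes or Start Position out of range")
        if not 1 <= r.length <= 2048 or not 1 <= r.priority <= 100:
            raise ValueError(f"{r.name}: Match Range or Priority out of range")
        if r.operator not in ("Hit", "Not Hit") or len(r.term) > 2048:
            raise ValueError(f"{r.name}: bad Logical Operator or Term to Match")
        term_bytes(r)  # raises ValueError for a malformed hexadecimal term
    return True


def rule_hits(rule, session):
    # Start Position 10 and Match Range 20 cover the eleventh to thirtieth bytes,
    # that is session[10:30]. Assumption: the term may occur anywhere inside that window.
    window = session[rule.start:rule.start + rule.length]
    return term_bytes(rule) in window


def decide(rules, session):
    """Returns (action, rule name) for the first rule, in priority order, whose
    Logical Operator condition is met, or ("Pass", None) if none applies yet."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if len(session) < rule.min_bytes:
            continue  # fewer bytes than Minimum Bytes to Trigger Matching: rule does not take effect
        hit = rule_hits(rule, session)
        # "Hit" fires when the term was found, "Not Hit" fires when it was not
        if (rule.operator == "Hit") == hit:
            return rule.action, rule.name
    return "Pass", None


# Constructed rules for a hypothetical TCP game port whose legitimate sessions begin with "GAME":
# drop sessions that do not start with the expected prefix, and drop a known padding signature.
RULES = [
    PortRule("require-handshake", 4, "ascii", 0, 4, "GAME", 10, "Not Hit"),
    PortRule("known-flood-signature", 16, "hex", 4, 12, "4141414141414141", 5, "Hit"),
]
validate_policy(RULES)

if __name__ == "__main__":
    for session in (b"GAME\x01\x00login:alice", b"GAME" + b"A" * 8 + b"\x00" * 4,
                    b"GET / HTTP/1.1\r\n", b"GA"):
        print(session[:16], "->", decide(RULES, session))
```

The "Not Hit" rule is the allowlist form: anything that does not carry the expected prefix is discarded, which is why its Minimum Bytes to Trigger Matching is set to the prefix length, so a session is not judged before enough bytes have arrived to contain the prefix.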

Cross-border Traffic Blocking Policy - Default

If you want to block cross-border traffic that is destined for your asset, you can configure a cross-border traffic blocking mitigation policy. After the blocking period that you specify ends, the policy automatically stops blocking cross-border traffic. If you no longer want to block cross-border traffic, you can manually disable cross-border traffic blocking in advance.

Prerequisites

  • An Anti-DDoS Origin 1.0 or Anti-DDoS Origin 2.0 instance is purchased, and an asset is added to the instance. For more information, see Add objects for protection.

  • An EIP with Anti-DDoS (Enhanced) enabled is purchased. The EIP with Anti-DDoS (Enhanced) enabled is automatically added for protection.

Enable cross-border traffic blocking

  1. Log on to the Traffic Security console.

  2. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Mitigation Settings.

  3. On the Mitigation Settings page, select Cross-border Traffic Blocking Policy - Default. Find the policy that you want to manage and click Modify Policy in the Actions column.

  4. In the Protection Rule section, search for one or more assets for which you want to configure a rule by region and instance name.

    • To enable cross-border traffic blocking for a single asset, turn on the switch in the Near-origin Blackhole Filtering column. In the dialog box that appears, specify a blocking period and click OK.

    • To enable cross-border traffic blocking for multiple assets, select the public IP addresses and click Batch Block. In the dialog box that appears, specify a blocking period and click OK.

    You can view the Start Time and End Time that you specify for an asset in the asset list. After the blocking period ends, cross-border traffic blocking is automatically disabled and the switch in the Near-origin Blackhole Filtering column is turned off.

    Note

    You cannot modify the blocking period after it is applied. If you want to modify the blocking period, you must disable the protection rule that is applied before you specify a new blocking period.

Manually disable cross-border traffic blocking

  1. On the Mitigation Settings page, select Cross-border Traffic Blocking Policy - Default. Find the policy that you want to manage and click Modify Policy in the Actions column.

  2. In the Protection Rule section, search for one or more assets for which you want to disable cross-border traffic blocking by region and instance name.

    • To disable cross-border traffic blocking for a single asset, turn off the switch in the Near-origin Blackhole Filtering column. In the message that appears, click OK.

    • To disable cross-border traffic blocking for multiple assets, select the public IP addresses and click Batch Allow. In the message that appears, click OK.

Related operations

You can also perform the following operations on a mitigation policy of the IP-specific Mitigation Policy (Attack-triggered), IP-specific Mitigation Policy (Parallel), or Port-specific Mitigation Policy type:

  • Add an object to a mitigation policy for protection or remove a protected object from a mitigation policy: On the Mitigation Settings page, find the mitigation policy type and the mitigation policy that you want to manage, and click Add Object for Protection in the Actions column.

  • Modify or delete a mitigation policy: On the Mitigation Settings page, find the mitigation policy type and the mitigation policy that you want to manage, and click Modify Protection Rule or Delete in the Actions column.

    Important

    • After you modify a mitigation policy, the new mitigation policy takes effect on all protected objects. Proceed with caution.

    • If an object is added to a mitigation policy for protection when you delete the mitigation policy, you cannot delete the mitigation policy. You must remove the protected object from the mitigation policy before you can delete the mitigation policy.