After you add the public IP address of your asset to an Anti-DDoS Origin Enterprise instance, you can configure a mitigation policy to allow or deny service traffic that has specific characteristics. This helps improve DDoS mitigation effects. This topic describes how to configure different types of mitigation policies.

Mitigation policy types

Anti-DDoS Origin Enterprise supports the following types of mitigation policies.

IP-specific Mitigation Policy (Attack-triggered): If the attack traffic that is sent to the public IP address of your asset exceeds the traffic scrubbing threshold, the system automatically mitigates Layer 3 and Layer 4 volumetric DDoS attacks based on the mitigation policy that you configured until the attack stops.
IP-specific Mitigation Policy (Parallel): The mitigation policy that you configured for the public IP address of your asset takes effect on all service traffic that passes through the asset. If the service traffic that has specific characteristics matches a rule in the policy, the system processes the service traffic based on the specified action. This type of mitigation policy can be used to mitigate Layer 3 and Layer 4 DDoS attacks and HTTP flood attacks.
Port-specific Mitigation Policy: This type of mitigation policy can be used to mitigate TCP flood attacks (Layer 4 HTTP flood attacks) that are launched against your non-website service and to detect and filter application-layer traffic in a fine-grained manner. If the traffic that has specific characteristics matches the policy, the system allows or blocks the traffic.
Cross-border Traffic Blocking Policy - Default: You can configure this type of mitigation policy to block cross-border traffic. This type of mitigation policy is suitable for scenarios in which your service does not involve cross-border traffic.
  • If you configure this type of mitigation policy for your asset that resides in a region in the Chinese mainland, the mitigation policy blocks traffic that is initiated outside the Chinese mainland.
  • If you configure this type of mitigation policy for your asset that resides in a region outside the Chinese mainland, the mitigation policy blocks traffic that is initiated from the Chinese mainland.
  You can use this type of mitigation policy to block traffic up to 10 times per month for each Anti-DDoS Origin Enterprise instance.

Supported regions for different types of mitigation policies

The following list shows, for each asset type and region, whether each type of mitigation policy is supported.
  • Asset whose public IP address is added to an Anti-DDoS Origin Enterprise instance (The asset can be an Elastic Compute Service (ECS) instance, Server Load Balancer (SLB) instance, EIP that is associated with a NAT gateway, simple application server, Web Application Firewall (WAF) instance, or virtual private cloud (VPC).)
    • Regions in the Chinese mainland: IP-specific Mitigation Policy (Attack-triggered): supported. IP-specific Mitigation Policy (Parallel): not supported. Port-specific Mitigation Policy: not supported. Cross-border Traffic Blocking Policy - Default: supported.
    • Regions outside the Chinese mainland: IP-specific Mitigation Policy (Attack-triggered): not supported. IP-specific Mitigation Policy (Parallel): not supported. Port-specific Mitigation Policy: not supported. Cross-border Traffic Blocking Policy - Default: supported.
  • Elastic IP address (EIP) with Anti-DDoS (Enhanced Edition) enabled
    • Regions in the Chinese mainland: IP-specific Mitigation Policy (Attack-triggered): not supported. IP-specific Mitigation Policy (Parallel): supported. Port-specific Mitigation Policy: supported only in the China (Hangzhou) region. Cross-border Traffic Blocking Policy - Default: supported.
    • Regions outside the Chinese mainland: IP-specific Mitigation Policy (Attack-triggered): not supported. IP-specific Mitigation Policy (Parallel): supported. Port-specific Mitigation Policy: not supported. Cross-border Traffic Blocking Policy - Default: supported.
  • Asset that is added to an on-demand instance
    • Regions outside the Chinese mainland: none of the four types of mitigation policies is supported.

Prerequisites

IP-specific Mitigation Policy (Attack-triggered)

When you configure this type of mitigation policy for the public IP address of your asset, you can check whether an existing mitigation policy meets your business requirements. If an existing mitigation policy meets your business requirements, you can add the public IP address of your asset to the mitigation policy. If no existing mitigation policies meet your business requirements, you must create a mitigation policy and add the public IP address of your asset to the mitigation policy.

Create a mitigation policy and add an object for protection

  1. Log on to the Traffic Security console.
  2. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Mitigation Settings.
  3. Click Create Policy. In the panel that appears, specify Policy Name. In the Select Policy Type section, select IP-specific Mitigation Policy (Attack-triggered). Then, click OK.
  4. In the The policy is created. message, click OK.
  5. Configure rules for the mitigation policy and then click Next.
    Important The following types of rules are listed in descending order of priority: the blacklist rule, the ICMP Blocking rule, the whitelist rule, the Source Port Blocking rule, and the Byte-Match Filter rule.
    The following rules are available. For each rule, the description is followed by the configuration steps.
    ICMP Blocking
      Description: This type of rule denies Internet Control Message Protocol (ICMP) requests during traffic scrubbing. This protects servers from malicious scans and helps mitigate ICMP flood attacks.
      Configuration: In the ICMP Blocking section, turn on Status. In the message that appears, click OK.
      Note This rule also takes effect on the IP addresses in the whitelist: ICMP requests that are sent from those IP addresses are denied as well.
    Source Port Blocking
      Description: This type of rule denies UDP or TCP requests that are sent over the specified source or destination ports to mitigate UDP reflection attacks.
      Configuration: In the Source Port Blocking section, click Configure. In the Configure Source Port Blocking panel, click Add. In the Add Port panel, configure the following parameters to add ports and click OK.
      • Protocol: the protocol of the requests that you want to block. Valid values: TCP and UDP.
      • Type: the type of port used by the requests that you want to block. Valid values: Source Port and Destination Port.
      • Port Range: the range of ports used by the requests that you want to block. Valid values: 1 to 65535.
        Note Make sure that the port ranges of two port blocking rules that have the same protocol and port type do not overlap.
      • Action: the action on the requests that use the specified protocol and ports. The value is fixed as Block.
      Important We recommend that you configure a rule of this type based on the following suggestions:
      • If your asset does not provide UDP services, we recommend that you block all source UDP ports.
      • If your asset provides UDP services, we recommend that you block the common source ports that are exploited by UDP reflection attacks. The ports include ports 1 to 52, ports 54 to 161, port 389, port 1900, and port 11211.
    Blacklist and Whitelist
      Description: The blacklist rule denies requests from specific source IP addresses, and the whitelist rule allows requests from specific source IP addresses.
      Configuration: In the Blacklist and Whitelist section, click Configure. In the Blacklist and Whitelist panel, click Add IP Addresses. In the panel that appears, add IP addresses on the Blacklist and Whitelist tabs and click OK.
    Byte-Match Filter
      Description: This type of rule matches bytes in the content of specific packets to deny, allow, or limit the rates of requests when the instance performs traffic scrubbing.
      Configuration: In the Fingerprint Filtering section, click Configure. In the Configure Byte-Match Filter panel, click Add. In the Add Byte-Match Filter Rule panel, configure the following parameters and click OK.
      • Protocol: the type of the protocol. Valid values: TCP and UDP.
      • Source Port Range: the range of source ports. Valid values: 0 to 65535.
      • Destination Port Range: the range of destination ports. Valid values: 0 to 65535.
      • Packet Length Range: the range of packet lengths. Valid values: 1 to 1500. Unit: bytes.
      • Offset: the offset of bytes in UDP or TCP packets. Valid values: 0 to 1500. Unit: bytes. If you set this parameter to 0, the system starts matching from the first byte.
      • Payload: the matching payload of UDP or TCP packets. You must enter a hexadecimal string that starts with 0x.
      • Action: the action on the requests that match the specified conditions. Valid values: Allow, Block, Limit Bandwidth of Source IP Address, and Limit Bandwidth of Session. If you select Limit Bandwidth of Source IP Address or Limit Bandwidth of Session, you must specify Bandwidth. Valid values of Bandwidth: 1 to 100000. Unit: packets per second (pps).
      You can manage the Byte-Match Filter rules that you configured in the Configure Byte-Match Filter panel. For example, you can click Edit, Delete, Move Down, or Move Up to manage the rules.
      Note You can change the order of rules to manage the rules in an efficient manner. The change does not affect the rules.
  6. Add the public IP address of your asset to the mitigation policy.
    In the Objects to Select section of Target assets, search for the public IP address of your asset on which you want the configured rules to take effect by region and instance name. Then, select the public IP address of your asset and click the Rightwards arrow icon. Then, click Add.
    Note A public IP address can be added to only one mitigation policy. You cannot select a public IP address that is added to a different mitigation policy.
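As an added illustration (not Alibaba Cloud code, and not the engine the service runs), the following Python model applies the five rule types above in their documented priority order to a few constructed packets. It also rejects a Source Port Blocking entry whose range overlaps an existing entry with the same protocol and port type, and it shows that ICMP Blocking outranks the whitelist. The policy contents, IP addresses and packets are constructed for the example; the action names follow the console labels.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:                       # constructed packet summary, not captured traffic
    src_ip: str
    proto: str                      # "TCP", "UDP" or "ICMP"
    src_port: int = 0
    dst_port: int = 0
    length: int = 0                 # packet length in bytes
    payload: bytes = b""

@dataclass
class PortBlock:                    # one Source Port Blocking entry
    proto: str                      # "TCP" or "UDP"
    port_type: str                  # "source" or "destination"
    port_range: tuple               # inclusive, 1 to 65535

@dataclass
class ByteMatch:                    # one Byte-Match Filter rule
    proto: str
    src_ports: tuple
    dst_ports: tuple
    length_range: tuple             # 1 to 1500 bytes
    offset: int                     # 0 starts matching at the first byte
    payload: str                    # hexadecimal string that starts with 0x
    action: str                     # Allow, Block, or one of the two Limit Bandwidth actions
    bandwidth_pps: int = 0          # only used by the Limit Bandwidth actions

@dataclass
class Policy:
    blacklist: set = field(default_factory=set)
    whitelist: set = field(default_factory=set)
    icmp_blocking: bool = False
    port_blocks: list = field(default_factory=list)
    byte_matches: list = field(default_factory=list)

def in_range(value: int, rng: tuple) -> bool:
    return rng[0] <= value <= rng[1]

def add_port_block(policy: Policy, rule: PortBlock) -> None:
    """Reject a rule whose range overlaps an existing rule with the same
    protocol and port type, which the console does not allow."""
    for other in policy.port_blocks:
        overlap = (rule.port_range[0] <= other.port_range[1]
                   and other.port_range[0] <= rule.port_range[1])
        if other.proto == rule.proto and other.port_type == rule.port_type and overlap:
            raise ValueError(f"port range {rule.port_range} overlaps {other.port_range}")
    policy.port_blocks.append(rule)

def payload_matches(rule: ByteMatch, pkt: Packet) -> bool:
    wanted = bytes.fromhex(rule.payload[2:])            # drop the 0x prefix
    return pkt.payload[rule.offset:rule.offset + len(wanted)] == wanted

def evaluate(policy: Policy, pkt: Packet) -> str:
    """Apply the rule types in the documented priority order and return the
    decision of the first rule that matches."""
    if pkt.src_ip in policy.blacklist:
        return "Block: Blacklist"
    # ICMP Blocking outranks the whitelist, so whitelisted sources are denied too.
    if policy.icmp_blocking and pkt.proto == "ICMP":
        return "Block: ICMP Blocking"
    if pkt.src_ip in policy.whitelist:
        return "Allow: Whitelist"
    for rule in policy.port_blocks:
        port = pkt.src_port if rule.port_type == "source" else pkt.dst_port
        if rule.proto == pkt.proto and in_range(port, rule.port_range):
            return f"Block: Source Port Blocking {rule.proto} {rule.port_type} {rule.port_range}"
    for rule in policy.byte_matches:                    # list order decides between rules
        if (rule.proto == pkt.proto and in_range(pkt.src_port, rule.src_ports)
                and in_range(pkt.dst_port, rule.dst_ports)
                and in_range(pkt.length, rule.length_range)
                and payload_matches(rule, pkt)):
            if rule.bandwidth_pps:
                return f"{rule.action}: {rule.bandwidth_pps} pps"
            return f"{rule.action}: Byte-Match Filter"
    return "Allow: no rule matched"

def sample_policy() -> Policy:
    """Constructed policy for an asset that does serve UDP, so only the reflection
    source ports the page recommends are blocked, plus one byte-match rule."""
    policy = Policy(blacklist={"203.0.113.9"}, whitelist={"198.51.100.7"}, icmp_blocking=True)
    for rng in [(1, 52), (54, 161), (389, 389), (1900, 1900), (11211, 11211)]:
        add_port_block(policy, PortBlock("UDP", "source", rng))
    policy.byte_matches.append(ByteMatch(
        "TCP", (1, 65535), (80, 80), (1, 1500), offset=4, payload="0xdeadbeef",
        action="Limit Bandwidth of Source IP Address", bandwidth_pps=500))
    return policy

SAMPLE_PACKETS = {                                      # constructed, not captured
    "icmp_from_whitelisted": Packet("198.51.100.7", "ICMP", length=64),
    "memcached_reflection": Packet("192.0.2.5", "UDP", src_port=11211, dst_port=40000, length=1400),
    "dns_reply": Packet("192.0.2.53", "UDP", src_port=53, dst_port=40001, length=120),
    "marked_http": Packet("192.0.2.8", "TCP", src_port=5555, dst_port=80, length=200,
                          payload=b"\x00\x00\x00\x00\xde\xad\xbe\xef"),
}

def decide_all() -> dict:
    policy = sample_policy()
    return {name: evaluate(policy, pkt) for name, pkt in SAMPLE_PACKETS.items()}

if __name__ == "__main__":
    for name, decision in decide_all().items():
        print(f"{name:24} -> {decision}")
```

Note that port 53 is deliberately absent from the blocked ranges (1 to 52 and 54 to 161), so the DNS reply passes while the memcached source port is dropped; the first matching byte-match rule wins, which is why the page lets you reorder rules with Move Up and Move Down.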

Add an object to a mitigation policy for protection or remove a protected object from a mitigation policy

  • Add an object
    1. On the Mitigation Setting page, select IP-specific Mitigation Policy (Attack-triggered). Find the mitigation policy to which you want to add an object for protection and click Add Object for Protection in the Actions column.
    2. In the View Applicable Object panel, click Add Protected Asset. In the Objects to Select section of Target assets, search for the public IP address of your asset by region and instance name. Select the public IP address of your asset and click the Rightwards arrow icon. Then, click Add.
  • Remove a protected object from a mitigation policy
    1. On the Mitigation Setting page, select IP-specific Mitigation Policy (Attack-triggered). Find the mitigation policy from which you want to remove a protected object and click Add Object for Protection in the Actions column.
    2. Find the public IP address of the asset that you want to remove and click Delete in the Actions column. If you want to remove multiple public IP addresses, select the IP addresses and click Batch Delete.

Modify or delete a mitigation policy

  1. On the Mitigation Setting page, select IP-specific Mitigation Policy (Attack-triggered).
  2. Find the mitigation policy that you want to modify and click Modify Protection Rule in the Actions column. After you modify the mitigation policy, click OK.
    Important After you modify a mitigation policy, the new mitigation policy takes effect on all protected objects. Proceed with caution.
  3. Find the mitigation policy that you want to delete and click Delete in the Actions column. In the message that appears, click OK.
    If an object is added to the mitigation policy for protection, you cannot delete the mitigation policy. You must remove the protected object from the mitigation policy before you can delete the mitigation policy.

IP-specific Mitigation Policy (Parallel)

When you configure a mitigation policy for a public IP address that is assigned to your EIP with Anti-DDoS (Enhanced Edition) enabled, you can check whether an existing mitigation policy meets your business requirements. If an existing mitigation policy meets your business requirements, you can add the public IP address to the mitigation policy as a protected object. If no existing mitigation policies meet your business requirements, you must create a mitigation policy and add the public IP address to the mitigation policy as a protected object.

Create a mitigation policy and add an object for protection

  1. Log on to the Traffic Security console.
  2. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Mitigation Settings.
  3. Click Create Policy. In the panel that appears, specify Policy Name. In the Select Policy Type section, select IP-specific Mitigation Policy (Parallel). Then, click OK.
  4. In the The policy is created. message, click OK.
  5. Configure rules for the mitigation policy and then click Next.
    Important The following types of rules are listed in descending order of priority: the Blacklist and Whitelist rule, the Reflection Attack Filtering rule, the Location Blacklist rule, and the Source Rate Limiting rule.
    The following rules are available. For each rule, the description is followed by the configuration steps.
    Intelligent Protection
      Description: This type of rule provides effective protection against Layer-4 connection flood attacks. The intelligent engine based on big data analytics automatically learns traffic patterns of your service, and detects and blocks Layer-4 connection flood attacks.
      Configuration: In the Intelligent Protection section, click Configure. In the Intelligent Protection dialog box, configure Status and Level, and click OK. The intelligent protection rule provides the following protection capabilities at each level:
      • Loose: The intelligent protection rule at the Loose level protects your assets against malicious IP addresses that have attack characteristics. The Loose policy may allow some attacks through but has a low false positive rate. The Loose policy is developed based on data of historical service traffic, expert experience, and algorithms.
      • Normal: The intelligent protection rule at the Normal level protects your assets against malicious and suspicious IP addresses that have attack characteristics. The Normal policy balances protection effects against a low false positive rate. The Normal policy is developed based on data of historical service traffic, expert experience, and algorithms.
      • Strict: The intelligent protection rule at the Strict level provides strong protection against attacks. The Strict rule causes false positives in some cases. The Strict rule is developed based on data of historical service traffic, expert experience, and algorithms.
      Important After you create a mitigation policy, the intelligent protection rule is automatically enabled and set to the Normal level. In this case, the intelligent engine based on big data analytics requires approximately three days to learn the signatures of your service traffic before it provides optimal protection.
    Blacklist and Whitelist
      Description: This type of rule allows you to filter out or allow traffic from specified source IP addresses. Traffic from IP addresses in the blacklist is blocked. Traffic from IP addresses in the whitelist is allowed.
      Configuration: In the Blacklist and Whitelist section, click Configure. In the Configure Blacklist and Whitelist panel, add IP addresses on the Blacklist and Whitelist tabs.
      Important If you add an IP address to the blacklist, you must specify a validity period for the blacklist. The validity period can be up to seven days. The validity period setting takes effect on all IP addresses that are added to the blacklist.
    Location Blacklist
      Description: This type of rule allows you to configure a location blacklist for each IP address that is protected by Anti-DDoS Origin. The blacklist blocks traffic from IP addresses by geographic location. After the location blacklist is enabled, traffic that is initiated from the blocked locations to the protected IP address is blocked.
      Configuration: In the Location Blacklist section, click Configure. In the Configure Location Blacklist panel, select the locations that you want to block and click OK.
    Source Rate Limiting
      Description: This type of rule allows you to specify thresholds to limit the rates at which source IP addresses access a protected IP address. If the access rate of a source IP address reaches a specified threshold after you enable the rule, the source IP address is added to the blacklist or access from the IP address is limited. All traffic from a source IP address that is added to the blacklist is blocked.
      Configuration: In the Source Rate Limiting section, click Configure. In the Configure Source Rate Limiting panel, configure Source PPS, Source Bandwidth, PPS of Source SYN Packets, and Bandwidth of Source SYN Packets. Then, click OK. You can specify a threshold for each type of access rate and specify whether a source IP address is added to the blacklist when the access rate of the IP address reaches a threshold.
    Reflection Attack Filtering
      Description: This type of rule monitors and protects only UDP traffic. Anti-DDoS Origin blocks UDP traffic from the source ports that you specify. This helps block common UDP reflection attacks.
      Configuration: In the Reflection Attack Filtering section, click Configure. In the Configure Filtering Policies for UDP Reflection Attacks panel, select source ports of reflection in the One-click Filtering Policy section based on your business requirements. You can also add other source ports of reflection in the Custom Filtering Policy section.
  6. Add a public IP address that is assigned to your EIP with Anti-DDoS (Enhanced Edition) enabled to the mitigation policy.
    In the Objects to Select section of Target assets, search for the assigned IP address on which you want the configured rules to take effect by region and EIP name. Select the assigned IP address and click the Rightwards arrow icon. Then, click Add.
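To make the Source Rate Limiting and blacklist validity semantics above concrete, here is an added Python model (not Alibaba Cloud code; the service's real counters and windows are not documented on this page). It keeps a per-source sliding window, computes the four rates the console exposes (Source PPS, Source Bandwidth, PPS of Source SYN Packets, Bandwidth of Source SYN Packets), and either rate-limits the offending packet or blacklists the source for a validity period that is capped at seven days, after which the source is allowed again. The one-second window, thresholds, IP addresses and packet stream are constructed for the example.

```python
from collections import defaultdict, deque

MAX_BLACKLIST_SECONDS = 7 * 24 * 3600     # the blacklist validity period can be up to seven days
WINDOW_SECONDS = 1.0                       # rates are measured per second (assumed window)

class SourceRateLimiter:
    """Per-source rate thresholds with an optional time-bounded blacklist.

    thresholds maps a metric ("source_pps", "source_bps", "syn_pps", "syn_bps")
    to (limit, add_to_blacklist). A source that reaches a limit is blacklisted
    for blacklist_seconds when add_to_blacklist is True; otherwise only that
    packet is rate limited."""

    def __init__(self, thresholds: dict, blacklist_seconds: int):
        if not 0 < blacklist_seconds <= MAX_BLACKLIST_SECONDS:
            raise ValueError("validity period must be between 1 second and seven days")
        self.thresholds = thresholds
        self.blacklist_seconds = blacklist_seconds
        self.history = defaultdict(deque)   # src_ip -> deque of (timestamp, bytes, is_syn)
        self.blacklist = {}                 # src_ip -> expiry timestamp

    def rates(self, src_ip: str, now: float) -> dict:
        """Drop entries older than the window and compute the four metrics."""
        q = self.history[src_ip]
        while q and q[0][0] <= now - WINDOW_SECONDS:
            q.popleft()
        syn = [entry for entry in q if entry[2]]
        return {
            "source_pps": len(q) / WINDOW_SECONDS,
            "source_bps": 8 * sum(entry[1] for entry in q) / WINDOW_SECONDS,
            "syn_pps": len(syn) / WINDOW_SECONDS,
            "syn_bps": 8 * sum(entry[1] for entry in syn) / WINDOW_SECONDS,
        }

    def observe(self, src_ip: str, now: float, length: int, is_syn: bool = False) -> str:
        """Account for one packet and return the decision taken for it."""
        expiry = self.blacklist.get(src_ip)
        if expiry is not None:
            if now < expiry:
                return "blocked: blacklisted"          # all traffic from the source is dropped
            del self.blacklist[src_ip]                 # validity period over, source may return
        self.history[src_ip].append((now, length, is_syn))
        current = self.rates(src_ip, now)
        for metric, (limit, add_to_blacklist) in self.thresholds.items():
            if current[metric] >= limit:
                if add_to_blacklist:
                    self.blacklist[src_ip] = now + self.blacklist_seconds
                    return f"blocked: {metric} reached {limit}, blacklisted"
                return f"limited: {metric} reached {limit}"
        return "allowed"

def run_sample() -> dict:
    """Constructed traffic: a normal client, a SYN flooder, and the flooder
    coming back after its blacklist entry has expired."""
    limiter = SourceRateLimiter(
        thresholds={"syn_pps": (100, True), "source_pps": (1000, False)},
        blacklist_seconds=600)
    decisions = defaultdict(list)
    for i in range(10):                                # 10 packets in one second
        decisions["client"].append(
            limiter.observe("192.0.2.2", i * 0.1, 500, is_syn=(i == 0)))
    for i in range(150):                               # 150 SYNs in 0.3 seconds
        decisions["flooder"].append(
            limiter.observe("192.0.2.1", i * 0.002, 60, is_syn=True))
    decisions["flooder_later"].append(                 # well past the 600 s validity period
        limiter.observe("192.0.2.1", 700.0, 60, is_syn=True))
    return dict(decisions)

if __name__ == "__main__":
    for src, outcomes in run_sample().items():
        print(src, {d: outcomes.count(d) for d in set(outcomes)})
```

The flooder's 100th SYN within the window trips the threshold and blacklists the source; its remaining packets are dropped without being counted, and the return visit after expiry is accepted because the validity period, not a permanent entry, governs the block.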

Add an object to a mitigation policy for protection or remove a protected object from a mitigation policy

  • Add an object
    1. On the Mitigation Setting page, select IP-specific Mitigation Policy (Parallel). Find the mitigation policy to which you want to add an object for protection and click Add Object for Protection in the Actions column.
    2. In the View Applicable Object panel, click Add Protected Asset. In the Objects to Select section of Target assets, search for the assigned IP address on which you want the configured rules to take effect by region and EIP name. Select the assigned IP address and click the Rightwards arrow icon. Then, click Add.
  • Remove a protected object from a mitigation policy
    1. On the Mitigation Setting page, select IP-specific Mitigation Policy (Parallel). Find the mitigation policy from which you want to remove a protected object and then click Add Object for Protection in the Actions column.
    2. Find the assigned IP address that you want to remove and click Delete in the Actions column. If you want to remove multiple public IP addresses, select the IP addresses and click Batch Delete.

Modify or delete a mitigation policy

  1. On the Mitigation Setting page, select IP-specific Mitigation Policy (Parallel).
  2. Find the mitigation policy that you want to modify and click Modify Protection Rule in the Actions column. After you modify the mitigation policy, click OK.
    Important After you modify a mitigation policy, the new mitigation policy takes effect on all protected objects. Proceed with caution.
  3. Find the mitigation policy that you want to delete and click Delete in the Actions column. In the message that appears, click OK.
    If an object is added to the mitigation policy for protection, you cannot delete the mitigation policy. You must remove the protected object from the mitigation policy before you can delete the mitigation policy.

Port-specific Mitigation Policy

When you configure a mitigation policy for a port of a public IP address that is assigned to your EIP with Anti-DDoS (Enhanced Edition) enabled, you can check whether an existing mitigation policy meets your business requirements. If an existing mitigation policy meets your business requirements, you can add the port to the mitigation policy. If no existing mitigation policies meet your business requirements, you must create a mitigation policy and add the port to the mitigation policy.

Create a mitigation policy and add an object for protection

  1. Log on to the Traffic Security console.
  2. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Mitigation Settings.
  3. Click Create Policy. In the panel that appears, specify Policy Name. In the Select Policy Type section, select Port-specific Mitigation Policy. Then, click OK.
  4. In the The policy is created. message, click OK.
  5. Configure rules for the mitigation policy and then click Next.
    Configure the following parameters for each rule:
    • Rule Name: the name of the rule.
      Note You can add up to 10 rules to each mitigation policy.
    • Minimum Bytes to Trigger Matching: the minimum number of bytes in a session that is required to trigger matching. Valid values: 0 to 2048. If you set this parameter to 20 and the number of bytes in a session is less than 20, the rule does not take effect.
    • Rule Type: the type of session content to detect. Valid values:
      • String Match (ASCII)
      • Hexadecimal String Match
    • Match Conditions:
      • Start Position: the start position of the detection. Valid values: 0 to 2047. The value 0 indicates the first byte, the value 1 indicates the second byte, and so on.
      • Match Range in Bytes from Start Position: the number of bytes detected from the start position. Valid values: 1 to 2048. If you set this parameter to 20 and the Start Position parameter to 10, the eleventh to thirtieth bytes in a session are detected.
      • Term to Match: the content to match. The content is a string and can be up to 2,048 characters in length.
    • Priority: the priority of the detection. A smaller value indicates a higher priority. Valid values: 1 to 100.
    • Logical Operator: the condition based on which the action is performed. Valid values:
      • Hit
      • Not Hit
    • Action: the method used to process a session that hits the rule. The value is fixed as Discard.
  6. Add a port of a public IP address that is assigned to your EIP with Anti-DDoS (Enhanced Edition) enabled to the mitigation policy.
    In the Target assets section of the Objects to Select step, search for the required port and protocol by region, EIP name, and IP address. Then, select the port and protocol and click Add.
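The following added Python model (not Alibaba Cloud code; the service's matching engine is not described on this page) shows how the rule parameters above combine: a session shorter than Minimum Bytes to Trigger Matching is skipped, the inspected window is the Match Range counted from Start Position, the term is compared as ASCII or as hexadecimal bytes, Hit and Not Hit invert the result, rules are tried from the smallest priority value upward, and the only action is Discard. It also enforces the documented parameter limits and the ten-rule cap. The rules, which guard a TCP port meant to carry only TLS, and the session prefixes are constructed for the example.

```python
from dataclasses import dataclass

MAX_RULES = 10                  # up to 10 rules per mitigation policy

@dataclass
class PortRule:
    name: str
    min_bytes: int              # Minimum Bytes to Trigger Matching, 0 to 2048
    rule_type: str              # "ascii" (String Match) or "hex" (Hexadecimal String Match)
    start: int                  # Start Position, 0 to 2047; 0 is the first byte
    length: int                 # Match Range in Bytes from Start Position, 1 to 2048
    term: str                   # Term to Match, up to 2,048 characters
    priority: int               # 1 to 100, smaller value = higher priority
    operator: str               # "Hit" or "Not Hit"
    action: str = "Discard"     # the only action available

    def term_bytes(self) -> bytes:
        return bytes.fromhex(self.term) if self.rule_type == "hex" else self.term.encode("ascii")

    def applies(self, session: bytes) -> bool:
        """True when this rule's condition is met for the session. A session
        shorter than min_bytes never triggers the rule, whatever the operator."""
        if len(session) < self.min_bytes:
            return False
        hit = self.term_bytes() in match_window(session, self.start, self.length)
        return hit if self.operator == "Hit" else not hit

def match_window(session: bytes, start: int, length: int) -> bytes:
    """Bytes inspected by a rule: start=10, length=20 covers the 11th to 30th byte."""
    return session[start:start + length]

def validate(rules: list) -> None:
    """Enforce the limits the console applies to each parameter."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"at most {MAX_RULES} rules per policy")
    for r in rules:
        checks = [0 <= r.min_bytes <= 2048, 0 <= r.start <= 2047, 1 <= r.length <= 2048,
                  len(r.term) <= 2048, 1 <= r.priority <= 100,
                  r.rule_type in ("ascii", "hex"), r.operator in ("Hit", "Not Hit")]
        if not all(checks):
            raise ValueError(f"rule {r.name!r} has a parameter out of range")

def evaluate(rules: list, session: bytes) -> str:
    """Try rules from highest to lowest priority; the first one that applies decides."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.applies(session):
            return f"{rule.action}: {rule.name}"
    return "Pass"

# Constructed rules for a TCP port that should only ever carry TLS.
SAMPLE_RULES = [
    PortRule("plaintext-http", min_bytes=5, rule_type="ascii", start=0, length=5,
             term="GET /", priority=1, operator="Hit"),
    PortRule("not-tls-handshake", min_bytes=3, rule_type="hex", start=0, length=3,
             term="160301", priority=5, operator="Not Hit"),
]

# Constructed session prefixes, not captured traffic.
SAMPLE_SESSIONS = {
    "tls_client_hello": bytes.fromhex("160301") + b"\x00\x2a\x01" + b"\x00" * 41,
    "http_on_tls_port": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "random_junk": b"\x8a\x11\xf0\x07\xc3\x2b",
    "one_byte_probe": b"\x16",
}

def classify_all() -> dict:
    validate(SAMPLE_RULES)
    return {name: evaluate(SAMPLE_RULES, s) for name, s in SAMPLE_SESSIONS.items()}

if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:18} -> {verdict}")
```

The one-byte probe passes both rules because it is shorter than either rule's minimum, which is the behaviour the Minimum Bytes to Trigger Matching parameter describes; set that minimum with care, since a Not Hit rule cannot discard what it never inspects.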

Add an object to a mitigation policy for protection or remove a protected object from a mitigation policy

  • Add an object
    1. On the Mitigation Setting page, select Port-specific Mitigation Policy. Find the mitigation policy to which you want to add an object for protection and then click Add Object for Protection in the Actions column.
    2. Click Add Protected Asset. In the Target assets section of Objects to Select, search for the required port and protocol by region, EIP name, and IP address. Then, select the port and protocol and click Add.
  • Remove a protected object from a mitigation policy
    1. On the Mitigation Setting page, select Port-specific Mitigation Policy. Find the mitigation policy from which you want to remove a protected object and then click Add Object for Protection in the Actions column.
    2. Find the port that you want to remove and click Delete in the Actions column. If you want to remove multiple ports, select the ports and click Batch Delete.

Modify or delete a mitigation policy

  1. On the Mitigation Setting page, select Port-specific Mitigation Policy.
  2. Find the mitigation policy that you want to modify and click Modify Protection Rule in the Actions column. After you modify the mitigation policy, click OK.
    Important After you modify a mitigation policy, the new mitigation policy takes effect on all protected objects. Proceed with caution.
  3. Find the mitigation policy that you want to delete and click Delete in the Actions column. In the message that appears, click OK.
    If an object is added to the mitigation policy for protection, you cannot delete the mitigation policy. You must remove the protected object from the mitigation policy before you can delete the mitigation policy.

Cross-border Traffic Blocking Policy - Default

If you want to block cross-border traffic that is destined for the public IP address of your asset, you can configure a cross-border traffic blocking mitigation policy. After the blocking period that you specify ends, the policy automatically stops blocking cross-border traffic. If you no longer want to block cross-border traffic, you can manually disable cross-border traffic blocking in advance.

Enable cross-border traffic blocking

  1. Log on to the Traffic Security console.
  2. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Mitigation Settings.
  3. On the Mitigation Setting page, select Cross-border Traffic Blocking Policy - Default. Find the policy that you want to manage and click Modify Policy in the Actions column.
  4. In the Protection Rule section, search for one or more public IP addresses for which you want to configure a rule by region and instance name.
    • To enable cross-border traffic blocking for a single public IP address, turn on the switch in the Near-origin Blackhole Filtering column. In the dialog box that appears, specify a blocking period and click Ok.
    • To enable cross-border traffic blocking for multiple public IP addresses, select the public IP addresses and click Batch Block. In the dialog box that appears, specify a blocking period and click Ok.
    You can view the Start Time and End Time that you specify for a public IP address in the asset list. After the blocking period ends, cross-border traffic blocking is automatically disabled and the switch in the Near-origin Blackhole Filtering column is turned off.
    Note You cannot modify the blocking period after it is applied. If you want to modify the blocking period, you must disable the protection rule that is applied before you specify a new blocking period.

Manually disable cross-border traffic blocking

  1. On the Mitigation Setting page, select Cross-border Traffic Blocking Policy - Default. Find the policy that you want to manage and click Modify Policy in the Actions column.
  2. In the Protection Rule section, search for one or more public IP addresses for which you want to disable cross-border traffic blocking by region and instance name.
    • To disable cross-border traffic blocking for a single public IP address, turn off the switch in the Near-origin Blackhole Filtering column. In the message that appears, click Ok.
    • To disable cross-border traffic blocking for multiple public IP addresses, select the public IP addresses and click Batch Allow. In the message that appears, click Ok.