Both Anti-DDoS Pro and Anti-DDoS Premium allow you to configure the frequency control policy for protected website services. You can use this policy to control the frequency of requests sent to your website from specific IP addresses. This helps mitigate HTTP flood attacks. The frequency control policy supports multiple modes for different scenarios. You can also create custom frequency control rules to prevent a specific IP address from frequently visiting a page in a short period of time.

Protection modes

The frequency control policy supports multiple modes and allows you to change the mode in real time based on the traffic status of the website. In addition to the protection modes, the frequency control policy also allows you to create custom rules to block attacks in a more precise manner. You can create a custom rule to protect a specific URL. After a custom rule is created, the specified IP address cannot frequently access the URL in a short period of time.
Protection mode and description:

  • Normal (default mode): We recommend that you use this mode when the traffic pattern on your website is normal. In this mode, the frequency control policy protects websites against common HTTP flood attacks but does not block normal requests.
  • Attack Emergency: You can enable this mode when you detect HTTP response errors, traffic anomalies, CPU utilization spikes, or memory usage spikes. The Emergency mode provides relatively rigorous protection compared to the Normal mode. In this mode, the frequency control policy protects websites against more complicated HTTP flood attacks but may block a few normal requests.
  • Strict: This mode provides rigorous protection. This mode uses Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) to verify the identities of all visitors. Only verified visitors are allowed to access the website.
    Note: The CAPTCHA verification mechanism of this mode allows the requests that are initiated by real users from browsers. However, if the protected website provides API or native app services, requests to the website cannot pass the verification and will fail to access the services provided by the website.
  • Super Strict: This mode provides the most rigorous protection. This mode uses CAPTCHA to verify the identities of all visitors. Only verified visitors are allowed to access the website. Compared to the Strict mode, this mode combines CAPTCHA verification with anti-debugging and anti-machine verification technologies to enhance the protection of your website.
    Note: The CAPTCHA verification mechanism of this mode allows the requests that are initiated by real users from browsers. Exceptions may occur in some browsers and cause the website to be inaccessible. In this case, you can restart the browser and revisit the website. However, if the protected website provides API or native app services, requests to the website cannot pass the verification and will fail to access the services provided by the website.

The protection intensities provided by different protection modes are listed in descending order: Super Strict > Strict > Attack Emergency > Normal. The probabilities of false positives when you use these protection modes are listed in descending order: Super Strict > Strict > Emergency > Normal.

Configuration description

In normal situations, we recommend that you use the Normal mode for your protected website. In this mode, the frequency control policy blocks only IP addresses that frequently send requests to your website. We recommend that you use the Emergency or Strict mode when your website is overwhelmed by HTTP flood attacks and the Normal mode fails to protect your website.

If the Strict or Super Strict protection level is selected to protect API services and native app services, false positives may occur and the availability of your service may be disrupted. You must create custom rules to protect specific URLs from HTTP flood attacks.

Prerequisites

  • The domain name of your website is added to Anti-DDoS Pro or Anti-DDoS Premium. For more information, see Add a website.
  • Mitigation settings are enabled in the latest version of Anti-DDoS Pro or Anti-DDoS Premium.

Configure a frequency control mode

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region where your instance resides.
    • Anti-DDoS Pro: If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.
    • Anti-DDoS Premium: If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.
    You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
  3. In the left-side navigation pane, choose Mitigation Settings > General Policies.
  4. On the General Policies page, click the Protection for Website Services tab. In the left-side list of domain names, select a domain name.
  5. Go back to the Frequency Control section and turn on Status to apply the rule.
    Warning: The default value of Preset Mode is Normal. If you change the value of Preset Mode, normal service requests may be blocked. If you want to change the value, contact technical support by using Intelligent Customer Service before you change the value.

Create a custom frequency control rule

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region where your instance resides.
    • Anti-DDoS Pro: If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.
    • Anti-DDoS Premium: If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.
    You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
  3. In the left-side navigation pane, choose Mitigation Settings > General Policies.
  4. On the General Policies page, click the Protection for Website Services tab. In the left-side list of domain names, select a domain name.
  5. In the Frequency Control section, turn on Custom Rule and then click Change Settings.
  6. Create a frequency control rule for a domain name.
    • Create a rule
      1. Click Create Rule.
        Note: A maximum of 20 rules can be created. If the number of rules reaches the upper limit, the Create Rule button is dimmed.
      2. In the Create Rule dialog box, configure the required parameters and click OK.
        Configuration and description:
        • Name: The name of this rule.
        • URI: The URI path to be protected, for example, /register. The path can contain parameters connected by “?”, for example, /user?action=login.
        • Matching rule:
          • Exact Match: A request is counted only if the request URI is exactly the same as the URI configured here.
          • URI Path Match: A request is counted if the request URI starts with the URI value configured here. For example, /register.html is counted if you use /register as the URI.
        • Interval: The cycle for calculating the number of visits. It works together with Visits from a single IP address.
        • Visits from a single IP address: The number of visits allowed from a single source IP address to the URL during the Interval.
        • Blocking type: The action to be performed after the condition is met. The operations can be Block or Human-Machine Identification.
          • Block: blocks access from the client after the condition is met.
          • Man-Machine Identification: redirects the client for verification after the condition is met. Only verified requests are forwarded to the origin.

      You can create multiple rules as required.

    • Modify a rule
      1. In the rule list, find the rule that you want to modify and click Edit in the Actions column.
      2. In the Edit Rule dialog box, modify the rule settings and click OK. Configure the parameters in the same way you create a rule. However, you cannot change Name and URI.
    • Delete a rule
      1. In the rule list, find the rule that you want to delete and click Delete in the Actions column.
      2. In the message that appears, click OK.
  7. Go back to the Frequency Control section and turn on Status to apply the rule.
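
Before you turn on Status, you can dry-run a planned custom rule against your own access logs to see which source IP addresses it would hit. The following is an added example, not Alibaba Cloud code: the Rule class, the log line format, the fixed-window counting, and triggering once the count exceeds the allowed visits are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Rule:                      # hypothetical model of one custom rule
    uri: str                     # URI field, for example /register
    match: str                   # "exact" = Exact Match, "prefix" = URI Path Match
    interval: int                # Interval, in seconds
    max_visits: int              # Visits from a single IP address
    action: str                  # Blocking type: "block" or "challenge"

def matches(rule, request_uri):
    """Apply the Matching rule setting to one request URI."""
    if rule.match == "exact":
        return request_uri == rule.uri
    return request_uri.startswith(rule.uri)

def parse(log):
    """Yield (seconds, ip, uri) from constructed 'seconds ip uri' lines."""
    for line in log.strip().splitlines():
        ts, ip, uri = line.split()
        yield int(ts), ip, uri

def evaluate(rule, requests):
    """Return {ip: (time of first trigger, action)} for time-ordered requests.
    Assumption: fixed window per IP; trigger once the count exceeds max_visits."""
    windows, triggered = {}, {}
    for ts, ip, uri in requests:
        if not matches(rule, uri):
            continue
        start, count = windows.get(ip, (ts, 0))
        if ts - start >= rule.interval:      # window expired: start a new one
            start, count = ts, 0
        windows[ip] = (start, count + 1)
        if count + 1 > rule.max_visits and ip not in triggered:
            triggered[ip] = (ts, rule.action)
    return triggered

# Constructed sample traffic (documentation IP ranges), not real logs.
SAMPLE = """
0 203.0.113.7 /register
1 203.0.113.7 /register.html
2 198.51.100.4 /register
2 203.0.113.7 /register
3 203.0.113.7 /register?src=ad
40 198.51.100.4 /register
70 198.51.100.4 /register
"""

if __name__ == "__main__":
    for mode in ("prefix", "exact"):
        print(mode, evaluate(Rule("/register", mode, 60, 3, "block"), parse(SAMPLE)))
```

With these sample lines, the URI Path Match rule flags 203.0.113.7 at the fourth request, while the Exact Match rule flags nothing because /register.html and /register?src=ad are not counted. The slower client 198.51.100.4 stays under the limit in both cases.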