This topic describes how to configure and use the Speed Limit for Source policy. This
policy allows you to set the maximum visit frequency and traffic volume from specific
source IP addresses. If this policy is enabled, Anti-DDoS Pro or Anti-DDoS Premium
adds IP addresses that exceed the maximum visit frequency or traffic volume to the
blacklist or limits the data transfer rates from the IP addresses. After a source
IP address is added to a blacklist, all requests from this IP address are dropped.
Prerequisites
A port forwarding rule for a non-website service is configured on the Port Config
page. For more information, see Manage forwarding rules.
Background information
Both Anti-DDoS Pro and Anti-DDoS Premium allow you to set the maximum visit frequency
from a source IP address to the port of your instance by limiting the numbers of new
connections and concurrent connections. You can also limit the traffic volume to the
port by limiting the bandwidth (bit/s) and packets per second (pps) of the source
IP address. If an IP address exceeds the maximum visit frequency or traffic volume,
Anti-DDoS Pro or Anti-DDoS Premium adds it to the blacklist or limits the data transfer
rates. This policy can be used to block Layer 4 HTTP flood attacks that create a large
number of connections. It can directly block the source IP addresses of attacks.
For example, assume that a source IP address accesses port 8000 of your instance,
and the number of new connections is more than 10 times the normal level. You can
set Source New Connection Rate Limit and enable the blacklist policy for port 8000.
If the number of new connections from a source IP address repeatedly exceeds the limit,
the IP address is added to the blacklist, and requests from this IP address are dropped.
Note: The Speed Limit for Source policy takes effect on Anti-DDoS Pro or Anti-DDoS Premium
ports. You must enable this policy for each Anti-DDoS Premium or Anti-DDoS Pro
port separately.
Procedure
- Log on to the Anti-DDoS Pro console.
- In the top navigation bar, select the region where your instance resides.
  - Anti-DDoS Pro: If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.
  - Anti-DDoS Premium: If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.
  You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium
  instances. Make sure that you select the required region when you use Anti-DDoS Pro
  or Anti-DDoS Premium.
- In the left-side navigation pane, choose .
- On the Port Config page, select the target instance.
- Find the target forwarding rule and click Change in the Anti-DDoS Protection Policy column.

- In the Speed Limit for Source section, click Change Settings.

- In the Configure Speed Limit for Source pane, specify the required parameters.
  In this example, after the settings take effect, the number of concurrent connections
  from a source IP address cannot exceed 50,000 per second. If this threshold is reached,
  the data transfer rate of the IP address is limited. If you select the check box
  "When the number of concurrent connections from a source client exceeds the threshold
  five times within one minute, the IP address of the source client is added to the
  blacklist.", your instance counts the number of times that the number of concurrent
  connections from a source IP address exceeds the threshold. If the number of times
  exceeds five, this IP address is added to the blacklist, and all requests from this
  IP address are dropped.
  Source New Connection Rate Limit, PPS Limit for Source, and Bandwidth Limit for Source
  function the same way as Source Concurrent Connection Rate Limit. For more information,
  see Create an anti-DDoS protection policy.
- Click OK to apply the settings.
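
The two-stage behavior configured above (limit a source first, blacklist it after repeated exceedances) can be modeled offline to check a candidate threshold against recorded traffic before applying it. The following Python model is an added example, not Alibaba Cloud code. It uses a new-connection limit, and its class and function names, the rule that each one-second interval over the limit counts as one exceedance, blacklisting at the fifth exceedance within 60 seconds, and the sample traffic are all assumptions made for illustration.

```python
from collections import Counter, defaultdict, deque

class SourceLimitModel:
    """Simplified model: per-source new-connection limit plus blacklist escalation."""

    def __init__(self, limit_per_sec, strikes=5, strike_window=60):
        self.limit = limit_per_sec          # new connections allowed per source per second
        self.strikes = strikes              # over-limit seconds that trigger blacklisting
        self.strike_window = strike_window  # seconds over which exceedances are counted
        self.current = {}                   # ip -> [second, connections seen in that second]
        self.over = defaultdict(deque)      # ip -> seconds in which the limit was exceeded
        self.blacklist = set()

    def on_new_connection(self, ip, ts):
        if ip in self.blacklist:
            return "dropped"
        sec = int(ts)
        slot = self.current.setdefault(ip, [sec, 0])
        if slot[0] != sec:                  # a new one-second interval has started
            slot[0], slot[1] = sec, 0
        slot[1] += 1
        if slot[1] <= self.limit:
            return "allowed"
        over = self.over[ip]
        if not over or over[-1] != sec:     # count each over-limit second once
            over.append(sec)
        while over[0] <= sec - self.strike_window:
            over.popleft()                  # forget exceedances older than the window
        if len(over) >= self.strikes:
            self.blacklist.add(ip)
            return "dropped"
        return "limited"

def replay(events, model):
    """Feed (timestamp, ip) events in time order; return per-IP action counts."""
    tally = defaultdict(Counter)
    for ts, ip in sorted(events):
        tally[ip][model.on_new_connection(ip, ts)] += 1
    return tally

# Constructed sample traffic (documentation IP ranges), not real logs.
EVENTS = [(s + i / 100, "203.0.113.7") for s in range(6) for i in range(30)]    # sustained flood
EVENTS += [(s + i / 100, "198.51.100.20") for s in range(6) for i in range(3)]  # normal client
EVENTS += [(s + i / 100, "192.0.2.5") for s in (0, 90) for i in range(15)]      # two isolated bursts

if __name__ == "__main__":
    model = SourceLimitModel(limit_per_sec=10)
    for ip, actions in replay(EVENTS, model).items():
        print(ip, dict(actions), "BLACKLISTED" if ip in model.blacklist else "")
```

With a limit of 10 new connections per second, only the sustained source is blacklisted. The client with two bursts 90 seconds apart is rate limited but never accumulates enough exceedances inside one window.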