Protect non-website services - Anti-DDoS - Alibaba Cloud Documentation Center

To use Anti-DDoS Pro or Anti-DDoS Premium to protect non-website services, such as apps, you must create port forwarding rules. You must also use the exclusive IP address of your Anti-DDoS Pro or Anti-DDoS Premium instance as the service IP address. This way, Anti-DDoS Pro or Anti-DDoS Premium can protect your non-website services. This topic describes how to add non-website services to Anti-DDoS Pro or Anti-DDoS Premium for protection.

Background information

If you configure your Anti-DDoS Pro or Anti-DDoS Premium instance to protect non-website services, your instance supports only Layer 4 forwarding. Then, the Anti-DDoS Pro or Anti-DDoS Premium instance provides protection only against Layer 4 attacks, such as SYN and UDP flood attacks. The instance no longer parses Layer 7 packets or mitigate Layer 7 attacks, such as HTTP flood attacks and web attacks. To protect non-website services, you need only to purchase an instance and create port forwarding rules. Then, you can use the exclusive IP address of your instance as the service IP address.

Prerequisites

An Anti-DDoS Pro or Anti-DDoS Premium instance is purchased. For more information, see Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance.

Step 1: Create one or more port forwarding rules

Before you add your services to the Anti-DDoS Pro or Anti-DDoS Premium instance, you must create port forwarding rules. Then, the instance forwards service traffic based on the port forwarding rules.

Log on to the Anti-DDoS Pro console.
In the top navigation bar, select the region of your asset.
- Anti-DDoS Pro: If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.
- Anti-DDoS Premium: If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.
You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
In the left-side navigation pane, choose Provisioning > Port Config.

On the Port Config page, select your instance and create a port forwarding rule.

Create a port forwarding rule

Click Create Rule. In the dialog box that appears, configure the parameters based on your business requirements and click OK.

Parameter	Description
Forwarding Protocol	The protocol that you want to use to forward traffic. Valid values: TCP and UDP.
Forwarding Port	The port that you want to use to forward traffic. Note We recommend that you specify the same value for both Forwarding Port and Origin Server Port. To prevent domain owners from creating their own DNS servers, Anti-DDoS Pro and Anti-DDoS Premium do not protect services that use port 53. For an instance, forwarding rules that use the same protocol must use different forwarding ports. If you attempt to create a rule with a protocol and forwarding port that are configured for another rule, an error message indicating that these rules overlap appears. Make sure that the rule you want to create does not conflict with the rules that are automatically generated when you add a website to your instance.
Origin Server Port	The port of the origin server.
Origin Server IP	The IP address of the origin server. Note You can specify a maximum of 20 origin IP addresses to implement load balancing. Separate multiple IP addresses with commas (,).

Create multiple port forwarding rules at a time
1. On the Port Config page, choose Batch Operations > Create Rule.
2. In the Create Rule dialog box, enter the required information as shown in the sample file and click OK.
  Each line represents a rule. From left to right, the fields in each rule indicate the following information: protocol, forwarding port, origin server port, and origin IP address. Fields are separated by spaces.
3. In the Create Rule dialog box, select the rules that you want to create and click OK.

Step 2: Add your service to your Anti-DDoS Pro or Anti-DDoS Premium instance

After a port forwarding rule is created, you must change the IP address of your service to the exclusive IP address of your instance to redirect service traffic to the instance. After you change the IP address, your instance scrubs inbound traffic and then forwards service traffic to the origin server.

Allow the back-to-origin IP address of your instance on the origin server. This way, the traffic from your instance is allowed by the security software on your origin server. For more information, see Allow back-to-origin IP addresses to access the origin server.
Verify that the port forwarding rules are in effect on your computer to prevent service exceptions caused by invalid forwarding rule configurations. For more information, see Verify traffic forwarding settings on a local machine.
Warning
If you switch your service traffic to your instance before the port forwarding rules take effect, your services may be interrupted.
Switch the traffic of your non-website services to your instance
In most cases, you can replace the service IP address with the exclusive IP address of your instance to switch the traffic of your non-website services to your instance. The method to replace the IP address varies based on your platform.
Note
- If your service is also accessible over a domain name that functions as the server address, you do not need to add the domain name to your instance. For example, the domain name example.com is used as the server address of a game or is hard-coded in a client program. In this case, you must change the A record at the DNS provider of the domain name to redirect the traffic to the exclusive IP address of your instance. For more information, see Change the DNS record.
- In some scenarios, you may need to use a domain name to add your Layer 4 service to multiple Anti-DDoS Pro or Anti-DDoS Premium instances and configure an automatic mechanism to switch traffic among these instances. We recommend that you add the domain name of your service to Anti-DDoS Pro or Anti-DDoS Premium and modify the CNAME of the domain name. For more information, see Modify CNAME records to protect transport-layer services.

Step 3: Configure port forwarding and DDoS mitigation policies

After you change the IP address of your service to the exclusive IP address of your instance, the instance uses default mitigation policies to scrub and forward traffic. You can create custom DDoS mitigation policies and enable the session persistence and health check features based on your business requirements to optimize port forwarding.

On the Port Config page, select your instance, find the port forwarding rule that you want to manage, and then configure the following parameters based on your business requirements.

Parameter	Description
Session Persistence	After you add your non-website service to Anti-DDoS Pro or Anti-DDoS Premium, issues such as logon timeout and disconnections may occur. In this case, you can enable the session persistence feature. This feature forwards requests from the same client to the same backend server within a specified period of time. Click Change in the Session Persistence column. In the Session Persistence dialog box, enable or disable session persistence based on your business requirements. To enable session persistence, configure the Timeout Period parameter and click Set Timeout Period and Enable. To disable session persistence, click Disable Session Persistence.
Health Check	If your service has multiple origin servers, you can use the health check feature to check the availability of each origin server This ensures that requests from clients are not forwarded to unhealthy origin servers. Click Change in the Health Check column. In the Health Check panel, enable or disable health check. To enable health check, turn on Enable Health Check, configure the parameters, and then click OK. For more information, see Configure a health check. To disable health check, turn off Enable Health Check and click OK.
Anti-DDoS Protection Policy	You can configure DDoS mitigation policies to limit the connection speeds and packet lengths of non-website services that are protected by Anti-DDoS Pro or Anti-DDoS Premium. This protects non-website services against connection-oriented DDoS attacks that consume low bandwidth. Click Change in the Anti-DDoS Protection Policy column. On the Protection for Non-website Services tab, configure DDoS mitigation policies based on your business requirements. You can configure the following policies: False Source: verifies and filters DDoS attacks that are initiated from forged IP addresses. Speed Limit for Destination: limits the data transfer rate of the port used by the instance that exceeds the maximum visit frequency based on the IP address and port of an Anti-DDoS Pro or Anti-DDoS Premium instance. The data transfer rates of other ports are not limited. Packet Length Limit: specifies the minimum and maximum lengths of packets that are allowed to pass through. Packets with invalid lengths are discarded. Speed Limit for Source: limits the data transfer rate of a source IP address from which access requests exceed the maximum visit frequency based on the IP address and port of an Anti-DDoS Pro or Anti-DDoS Premium instance. The data transfer rates of source IP addresses from which access requests do not exceed the maximum visit frequency are not limited. This policy also supports the IP address blacklist policy. An IP address from which access requests exceed the maximum visit frequency five times within 60 seconds can be added to a blacklist. You can also specify the blocking period. For more information, see Create an anti-DDoS protection policy.

Step 4: View the protection data of a port

After you add your non-website service to your Anti-DDoS Pro or Anti-DDoS Premium instance, you can view the traffic that is redirected over the port on the Security Overview page of the Anti-DDoS Pro or Anti-DDoS Premium console.

In the left-side navigation pane, click Security Overview.

Click the Instances tab, select your instance and specify a time range to view the protection data.

Section	Description
Bandwidth (marked 1 in the preceding figure)	Anti-DDoS Pro provides the Bandwidth trend chart to show traffic information by bps or pps. You can view the trends of inbound, outbound, and attack traffic of an instance within a specific time range. Anti-DDoS Premium provides the Overview tab to show bandwidth trends, the Inbound Distribution tab to show the distribution of inbound traffic, and the Outbound Distribution tab to show the distribution of outbound traffic.
Connections (marked 2 in the preceding figure)	Concurrent Connections: the total number of concurrent TCP connections that are established between clients and the instance. Active: the number of TCP connections in the Established state. Inactive: the number of TCP connections in all states except the Established state. New Connections: the number of new TCP connections that are established between clients and the instance per second.
Attack Events, Alert on Exceeded Upper Limits, and Destination Rate Limit Events (marked 3 in the preceding figure)	Attack Events You can move the pointer over an IP address or a port to view the details of an attack, such as Attack Target, Attack Type, Peak Attack Traffic, and Protection Effect. Alerts on Exceeded Upper Limits The following event types of alerts are supported: clean bandwidth, new connections, and concurrent connections. If the purchased specification that corresponds to an event type is exceeded, an alert of this event type is generated. In this case, your business is not affected, and a specification upgrade is recommended. For more information, see Upgrade an instance. You can click Details in the Status column of an alert to go to the System Logs page to view the details of the alert. Note The alerts on exceeded upper limits are updated at 10:00 (UTC+8) every Monday. After the update, the alerts that were generated on the previous day are displayed. If you configure a notification method, such as internal messages, text messages, or emails, you receive a notification at 10:00 (UTC+8) every Monday. The notification includes the alerts that were generated on the previous day. Destination Rate Limit Events If the number of new connections, the number of concurrent connections, or the service bandwidth exceeds the specifications of your instance, rate limiting is triggered, and a destination rate limit event is generated. In this case, your business is affected. If rate limiting is triggered by service traffic, we recommend that you upgrade the specifications of your instance at the earliest opportunity. For more information, see Upgrade an instance. If rate limiting is triggered by DDoS attacks, we recommend that you adjust your mitigation policies at the earliest opportunity. For more information, see Configure the IP address blacklist and whitelist for an Anti-DDoS Pro or Anti-DDoS Premium instance. You can click Details in the Status column of an event to go to the System Logs page to view the details of the event.
Source Locations and Source Service Providers (marked 4 in the preceding figure)	Source Locations: the distribution of source locations from which service traffic is sent. Source Service Providers: the distribution of Internet service providers (ISPs) from which service traffic is sent.