To use Anti-DDoS Pro or Anti-DDoS Premium to protect non-website services, such as apps, you must create port forwarding rules. You must also use the exclusive IP address of your Anti-DDoS Pro or Anti-DDoS Premium instance as the service IP address. This way, Anti-DDoS Pro or Anti-DDoS Premium can protect your non-website services. This topic describes how to add non-website services to Anti-DDoS Pro or Anti-DDoS Premium for protection.

Background information

If you configure your Anti-DDoS Pro or Anti-DDoS Premium instance to protect non-website services, your instance supports only Layer 4 forwarding. Then, the Anti-DDoS Pro or Anti-DDoS Premium instance provides protection only against Layer 4 attacks, such as SYN and UDP flood attacks. The instance no longer parses Layer 7 packets or mitigate Layer 7 attacks, such as HTTP flood attacks and web attacks. To protect non-website services, you need only to purchase an instance and create port forwarding rules. Then, you can use the exclusive IP address of your instance as the service IP address.

Procedure

Procedure

Prerequisites

An Anti-DDoS Pro or Anti-DDoS Premium instance is purchased. For more information, see Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance.

Step 1: Create one or more port forwarding rules

Before you add your services to the Anti-DDoS Pro or Anti-DDoS Premium instance, you must create port forwarding rules. Then, the instance forwards service traffic based on the port forwarding rules.

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region where your instance resides.
    • Anti-DDoS Pro: If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.
    • Anti-DDoS Premium: If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.
    You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
  3. In the left-side navigation pane, choose Provisioning > Port Config.
  4. On the Port Config page, select your instance, create a port forwarding rule, and then click OK.
    You can create one or more port forwarding rules at a time. After port forwarding rules are created, you can export the port forwarding rules at a time. For more information, see Export multiple port configurations.
    • Create a port forwarding rule
      Click Create Rule. In the dialog box that appears, configure the parameters based on your business requirements and click OK.
      Parameter Description
      Forwarding Protocol The protocol of the traffic that you want to forward. Valid values: TCP and UDP.
      Forwarding Port The port that you want to use to forward traffic.
      Note
      • We recommend that you specify the same value for both Forwarding Port and Origin Server Port.
      • To prevent domain owners from creating their own DNS servers, Anti-DDoS Pro and Anti-DDoS Premium do not protect services that use port 53.
      • For an instance, port forwarding rules that use the same protocol must use different forwarding ports. If you attempt to create a port forwarding rule with a protocol and forwarding port that are configured for another rule, an error message indicating that these port forwarding rules conflict with each other appears. We recommend that you do not create a port forwarding rule whose protocol and forwarding port are the same as the protocol and forwarding port of an automatically generated forwarding rule.
      Origin Server Port The port of the origin server.
      Origin Server IP The IP address of the origin server.
      Note You can specify a maximum of 20 origin IP addresses to implement load balancing. Separate multiple IP addresses with commas (,).
    • Create multiple port forwarding rules at a time
      1. On the Port Config page, select your instance and choose Batch Operations > Create Rule below the rule list.
      2. In the Create Rule dialog box, enter the required information as shown in the sample file and click OK.

        Each line represents a rule. From left to right, the fields in each rule indicate the following information: protocol, forwarding port, origin server port, and origin IP address. Fields are separated by spaces.

      3. In the Create Rule dialog box, select the port forwarding rules that you want to create and click OK.
    Note If the Exclamation point icon is displayed next to a protocol in the Forwarding Protocol column of a forwarding rule, the forwarding rule was automatically generated when you added a website. This forwarding rule is used to forward the traffic of website services. You cannot modify or delete rules that are automatically generated. If the websites that use these forwarding rules are disassociated from your instance, the forwarding rules are automatically deleted. For more information about how to add a website, see Add a website.
    • If you specify port 80 for the origin server when you add a domain name to your instance, Anti-DDoS Pro or Anti-DDoS Premium automatically generates a forwarding rule. This forwarding rule is used to forward TCP traffic to the origin server over port 80.
    • If you specify port 443 for the origin server when you add a domain name to your instance, Anti-DDoS Pro or Anti-DDoS Premium automatically generates a forwarding rule. This forwarding rule is used to forward TCP traffic to the origin server over port 443.

Step 2: Add your service to your Anti-DDoS Pro or Anti-DDoS Premium instance

After a port forwarding rule is created, you must change the IP address of your service to the exclusive IP address of your instance to redirect service traffic to the instance. After you change the IP address, your instance scrubs inbound traffic and then forwards service traffic to the origin server.

  1. Allow the back-to-origin IP address of your instance on the origin server. This way, the traffic from your instance is allowed by the security software on your origin server.
    1. In the left-side navigation pane, choose Provisioning > Website Config. On the Website Config page, click Back-To-Source CIDR Block in the upper-right corner.
    2. In the Back-To-Source CIDR Block dialog box, view and copy the back-to-origin CIDR blocks that are used by Anti-DDoS Pro or Anti-DDoS Premium.
    3. Add the back-to-origin CIDR blocks to the whitelist of the security software on your origin server.
  2. Verify that the forwarding rules are in effect on your computer to prevent service exceptions caused by invalid forwarding rule configurations.
    Warning If you switch your service traffic to your instance before the port forwarding rules take effect, your services may be interrupted.

    Assume that the exclusive IP address of your instance is 99.99.XX.XX, the forwarding port is 1234, the IP address of the origin server is 11.11.XX.XX, and the port of the origin server is 1234. You can use telnet commands to access the exclusive IP address of your instance over port 1234. If the IP address is accessible, the forwarding rule takes effect. If the client allows you to enter the IP address of the origin server, you can enter the IP address of your instance for verification.

  3. Switch the traffic of your non-website service to your instance
    • If your service can be accessible over an IP address, replace the service IP address with the exclusive IP address of your instance.
      Note The method to replace the IP address varies based on your platform.
    • If your service is also accessible over a domain name, such as example.com, that functions as the server address or is added to a client program, change the A record at the DNS provider of the domain name to redirect the traffic to the exclusive IP address of your instance.

      The following example describes how to modify or add a DNS record in the Alibaba Cloud DNS console:

      1. Log on to the Alibaba Cloud DNS console.
      2. On the Domain Name Resolution page, find the domain name of your service and click DNS Settings in the Actions column.
      3. On the details of the DNS Settings page, find the DNS record that you want to modify and click Modify in the Actions column.
        Note If you cannot find the DNS record that you want to modify in the list, you can click Add DNS Record to add a record.
      4. In the Modify DNS Record or Add DNS Record panel, set Record Type to A and change the value of Record Value to the exclusive IP address of your instance.
        Note To obtain the exclusive IP address of your instance, log on to the Anti-DDoS Pro console. In the left-side navigation pane, choose Assets > Instances.
    • Click OK and wait for the settings to take effect.

Step 3: Configure port forwarding and DDoS mitigation policies

After you change the IP address of your service to the exclusive IP address of your instance, the instance uses default mitigation policies to scrub and forward traffic. You can create custom DDoS mitigation policies and enable the session persistence and health check features based on your business requirements to optimize port forwarding.
On the Port Config page, select your instance, find the port forwarding rule that you want to manage, and then configure the session persistence feature, health check feature, and DDoS mitigation policies based on your business requirements.
Parameter Description
Session Persistence After you add your non-website service to Anti-DDoS Pro or Anti-DDoS Premium, issues such as logon timeout and disconnections may occur. In this case, you can enable the session persistence feature. This feature forwards requests from the same client to the same backend server within a specified period of time.
  1. Click Change in the Session Persistence column.
  2. In the Session Persistence dialog box, enable or disable session persistence based on your business requirements.
    • To enable session persistence, configure Timeout Period and click Set Timeout Period and Enable.
    • To disable session persistence, click Disable Session Persistence.
Health Check If your service has multiple origin servers, you can use the health check feature to check the availability of each origin server This ensures that requests from clients are not forwarded to unhealthy origin servers.
  1. Click Change in the Health Check column.
  2. In the Health Check panel, turn on Enable Health Check and complete the settings. For more information, see Configure a health check.
  3. Click OK.

To disable the health check feature, click Change in the Health Check column. In the Health Check panel, turn off Enable Health Check.

Anti-DDoS Protection Policy You can configure DDoS mitigation policies to limit the connection speeds and packet lengths of non-website services that are protected by Anti-DDoS Pro or Anti-DDoS Premium. This protects non-website services against connection-oriented DDoS attacks that consume low bandwidth.
  1. Click Change in the Anti-DDoS Protection Policy column.
  2. On the Protection for Non-website Services tab, configure DDoS mitigation policies based on your business requirements. You can configure the following policies:
    • False Source: verifies and filters DDoS attacks that are initiated from forged IP addresses.
    • Speed Limit for Destination: limits the data transfer rate of the port used by the instance that exceeds the maximum visit frequency based on the IP address and port of an Anti-DDoS Pro or Anti-DDoS Premium instance. The data transfer rates of other ports are not limited.
    • Packet Length Limit: specifies the minimum and maximum lengths of packets that are allowed to pass through. Packets with invalid lengths are discarded.
    • Speed Limit for Source: limits the data transfer rate of a source IP address from which access requests exceed the maximum visit frequency based on the IP address and port of an Anti-DDoS Pro or Anti-DDoS Premium instance. The data transfer rates of source IP addresses from which access requests do not exceed the maximum visit frequency are not limited. This policy also supports the IP address blacklist policy. An IP address from which access requests exceed the maximum visit frequency five times within 60 seconds can be added to a blacklist. You can also specify the blocking period.

    For more information, see Create an anti-DDoS protection policy.

Step 4: View the protection data of a port

After you add your non-website service to your Anti-DDoS Pro or Anti-DDoS Premium instance, you can view the traffic that is redirected over the port on the Security Overview page of the Anti-DDoS Pro or Anti-DDoS Premium console.

  1. In the left-side navigation pane, click Security Overview.
  2. Click the Instances tab, select your instance and specify a time range to view the protection data.
    Parameter Description
    Bandwidth
    • Anti-DDoS Pro provides the Bandwidth trend chart to show traffic information by bps or pps. You can view the trends of inbound, outbound, and attack traffic of an instance for a specific time range.
    • Anti-DDoS Premium provides the Overview tab to show bandwidth trends and the Inbound Distribution tab to show the distribution of inbound traffic. Anti-DDoS Premium also provides the Outbound Distribution tab to show the distribution of outbound traffic.
    Note The displayed time granularities in trend charts on the Security Overview page vary based on the specified time ranges:
    • If the time range is no greater than 1 hour, the granularity is 1 minute.
    • If the time range is greater than 1 hour and no greater than 6 hours, the granularity is 5 minutes.
    • If the time range is greater than 6 hours and no greater than 24 hours, the granularity is 10 minutes.
    • If the time range is greater than 1 day and no greater than 7 days, the granularity is 30 minutes.
    • If the time range is greater than 7 days and no greater than 15 days, the granularity is 1 hour.
    • If the time range is greater than 15 days and no greater than 30 days, the granularity is 6 hours.
    Attack Events

    You can move the pointer over an IP address or a port to view the details of an attack, such as Attack Target, Attack Type, Peak Attack Traffic, and Protection Effect.

    Number of connections
    • Concurrent Connections: the total number of concurrent TCP connections established between clients and the instance
      • Active: the number of TCP connections in the Established state
      • Inactive: the number of TCP connections in all states except the Established state
    • New Connections: the number of new TCP connections established between clients and the instance per second
    Note If you select an instance, the Connections trend chart shows the numbers of connections on different ports. If you select more than one instance, the Connections trend chart shows the total number of connections on all ports.
    Source Locations and Source Service Providers
    • Source Locations: the distribution of source locations from which normal traffic is sent. Source locations are classified by Global and Chinese Mainland.
    • Source Service Providers: the distribution of Internet service providers (ISPs) from which normal traffic is sent.