To use Anti-DDoS Pro or Anti-DDoS Premium to protect non-website services, such as
apps, you must create port forwarding rules. You must also use the exclusive IP address
of your Anti-DDoS Pro or Anti-DDoS Premium instance as the service IP address. This
way, Anti-DDoS Pro or Anti-DDoS Premium can protect your non-website services. This
topic describes how to add non-website services to Anti-DDoS Pro or Anti-DDoS Premium
for protection.
Background information
If you configure your Anti-DDoS Pro or Anti-DDoS Premium instance to protect non-website
services, your instance supports only Layer 4 forwarding. Then, the Anti-DDoS Pro
or Anti-DDoS Premium instance provides protection only against Layer 4 attacks, such
as SYN and UDP flood attacks. The instance no longer parses Layer 7 packets or mitigates
Layer 7 attacks, such as HTTP flood attacks and web attacks. To protect non-website
services, you need only to purchase an instance and create port forwarding rules.
Then, you can use the exclusive IP address of your instance as the service IP address.
Procedure
Step 1: Create one or more port forwarding rules
Before you add your services to the Anti-DDoS Pro or Anti-DDoS Premium instance, you
must create port forwarding rules. Then, the instance forwards service traffic based
on the port forwarding rules.
- Log on to the Anti-DDoS Pro console.
- In the top navigation bar, select the region where your instance resides.
- Anti-DDoS Pro: If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.
- Anti-DDoS Premium: If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.
You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium
instances. Make sure that you select the required region when you use Anti-DDoS Pro
or Anti-DDoS Premium.
- In the left-side navigation pane, choose .
- On the Port Config page, select your instance, create a port forwarding rule, and then click OK.
You can create one or more port forwarding rules at a time. After port forwarding
rules are created, you can export all of them at a time. For more information,
see Export multiple port configurations.
- Create a port forwarding rule
Click Create Rule. In the dialog box that appears, configure the parameters based on your business
requirements and click OK.
Forwarding Protocol: The protocol of the traffic that you want to forward. Valid values: TCP and UDP.
Forwarding Port: The port that you want to use to forward traffic.
Note
- We recommend that you specify the same value for both Forwarding Port and Origin Server Port.
- To prevent domain owners from creating their own DNS servers, Anti-DDoS Pro and Anti-DDoS Premium do not protect services that use port 53.
- For an instance, port forwarding rules that use the same protocol must use different forwarding ports. If you attempt to create a port forwarding rule whose protocol and forwarding port are already configured for another rule, an error message appears indicating that the rules conflict with each other. We recommend that you do not create a port forwarding rule whose protocol and forwarding port are the same as those of an automatically generated forwarding rule.
Origin Server Port: The port of the origin server.
Origin Server IP: The IP address of the origin server.
Note You can specify a maximum of 20 origin IP addresses to implement load balancing. Separate multiple IP addresses with commas (,).
- Create multiple port forwarding rules at a time
- On the Port Config page, select your instance and choose below the rule list.
- In the Create Rule dialog box, enter the required information as shown in the sample file and click OK.
Each line represents a rule. From left to right, the fields in each rule indicate
the following information: protocol, forwarding port, origin server port, and origin
IP address. Fields are separated by spaces.
- In the Create Rule dialog box, select the port forwarding rules that you want to create and click OK.
Note If the icon is displayed next to a protocol in the Forwarding Protocol column of a forwarding rule, the forwarding rule was automatically generated when
you added a website. This forwarding rule is used to forward the traffic of website
services. You cannot modify or delete rules that are automatically generated. If the
websites that use these forwarding rules are disassociated from your instance, the
forwarding rules are automatically deleted. For more information about how to add
a website, see Add a website.
- If you specify port 80 for the origin server when you add a domain name to your instance,
Anti-DDoS Pro or Anti-DDoS Premium automatically generates a forwarding rule. This
forwarding rule is used to forward TCP traffic to the origin server over port 80.
- If you specify port 443 for the origin server when you add a domain name to your instance,
Anti-DDoS Pro or Anti-DDoS Premium automatically generates a forwarding rule. This
forwarding rule is used to forward TCP traffic to the origin server over port 443.
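The bulk-import format described in this step (one rule per line: protocol, forwarding port, origin server port, and comma-separated origin IP addresses) can be checked locally before you paste it into the Create Rule dialog box. The following Python script is an added example, not part of the Anti-DDoS Pro console or its documentation; it enforces only the constraints this topic states (TCP or UDP, no port 53, unique protocol and forwarding port per instance, at most 20 origin IP addresses, no collision with the automatically generated TCP 80/443 rules) and assumes that blank lines may be skipped and that ports 1-65535 are valid.

```python
import ipaddress
from collections import namedtuple

# Limits stated in this topic: only TCP/UDP, port 53 is not protected, protocol +
# forwarding port must be unique per instance, at most 20 comma-separated origin IPs,
# and the TCP 80/443 rules auto-generated for websites cannot be modified or reused.
MAX_ORIGIN_IPS = 20
UNPROTECTED_PORTS = {53}
AUTO_GENERATED_RULES = frozenset({("TCP", 80), ("TCP", 443)})
PortRule = namedtuple("PortRule", "protocol forwarding_port origin_port origin_ips")

def parse_rule_line(line):
    """Parse one 'protocol fwd_port origin_port ip[,ip...]' line (fields split on spaces)."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError(f"expected 4 space-separated fields: {line!r}")
    proto, fwd, origin, ips = fields
    proto = proto.upper()
    if proto not in ("TCP", "UDP"):
        raise ValueError(f"protocol must be TCP or UDP, got {proto}")
    fwd_port, origin_port = int(fwd), int(origin)
    if not (1 <= fwd_port <= 65535 and 1 <= origin_port <= 65535):  # assumption
        raise ValueError(f"port out of range in {line!r}")
    if fwd_port in UNPROTECTED_PORTS:
        raise ValueError(f"forwarding port {fwd_port} is not protected")
    # ip_address() raises ValueError on anything that is not a literal IP address
    origin_ips = [ipaddress.ip_address(ip.strip()).compressed for ip in ips.split(",")]
    if len(origin_ips) > MAX_ORIGIN_IPS:
        raise ValueError(f"more than {MAX_ORIGIN_IPS} origin IP addresses")
    return PortRule(proto, fwd_port, origin_port, origin_ips)

def validate_rules(text, existing=AUTO_GENERATED_RULES):
    """Parse a bulk-import file; reject conflicts, warn on forwarding/origin port mismatches.
    `existing` holds (protocol, forwarding port) pairs already present on the instance."""
    seen = set(existing)
    rules, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():  # blank lines are skipped (assumption, not from the page)
            continue
        rule = parse_rule_line(raw)
        key = (rule.protocol, rule.forwarding_port)
        if key in seen:
            raise ValueError(f"line {lineno}: {key[0]} port {key[1]} conflicts with an existing rule")
        seen.add(key)
        if rule.forwarding_port != rule.origin_port:  # allowed, but the topic recommends equal ports
            warnings.append(f"line {lineno}: forwarding port {rule.forwarding_port} != origin port {rule.origin_port}")
        rules.append(rule)
    return rules, warnings

# Constructed sample input (RFC 5737 documentation addresses, not real origin servers)
SAMPLE_RULES = "tcp 1234 1234 192.0.2.10\nudp 5000 5000 192.0.2.10,192.0.2.11\ntcp 8080 80 192.0.2.12\n"
```

Running `validate_rules(SAMPLE_RULES)` accepts all three rules and returns one warning for the third line, whose forwarding port differs from its origin port.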
Step 2: Add your service to your Anti-DDoS Pro or Anti-DDoS Premium instance
After a port forwarding rule is created, you must change the IP address of your service
to the exclusive IP address of your instance to redirect service traffic to the instance.
After you change the IP address, your instance scrubs inbound traffic and then forwards
service traffic to the origin server.
- Allow the back-to-origin IP address of your instance on the origin server. This way,
the traffic from your instance is allowed by the security software on your origin
server.
- In the left-side navigation pane, choose . On the Website Config page, click Back-To-Source CIDR Block in the upper-right corner.
- In the Back-To-Source CIDR Block dialog box, view and copy the back-to-origin CIDR blocks that are used by Anti-DDoS
Pro or Anti-DDoS Premium.
- Add the back-to-origin CIDR blocks to the whitelist of the security software on your
origin server.
- Verify that the forwarding rules are in effect on your computer to prevent service
exceptions caused by invalid forwarding rule configurations.
Warning If you switch your service traffic to your instance before the port forwarding rules
take effect, your services may be interrupted.
Assume that the exclusive IP address of your instance is 99.99.XX.XX, the forwarding
port is 1234, the IP address of the origin server is 11.11.XX.XX, and the port of
the origin server is 1234. You can use telnet commands to access the exclusive IP
address of your instance over port 1234. If the IP address is accessible, the forwarding
rule takes effect. If the client allows you to enter the IP address of the origin
server, you can enter the IP address of your instance for verification.
- Switch the traffic of your non-website service to your instance
Step 3: Configure port forwarding and DDoS mitigation policies
After you change the IP address of your service to the exclusive IP address of your
instance, the instance uses default mitigation policies to scrub and forward traffic.
You can create custom DDoS mitigation policies and enable the session persistence
and health check features based on your business requirements to optimize port forwarding.
On the Port Config page, select your instance, find the port forwarding rule that you want to manage,
and then configure the session persistence feature, health check feature, and DDoS
mitigation policies based on your business requirements.
Session Persistence: After you add your non-website service to Anti-DDoS Pro or Anti-DDoS Premium, issues such as logon timeouts and disconnections may occur. In this case, you can enable the session persistence feature, which forwards requests from the same client to the same backend server within a specified period of time.
- Click Change in the Session Persistence column.
- In the Session Persistence dialog box, enable or disable session persistence based on your business requirements.
  - To enable session persistence, configure Timeout Period and click Set Timeout Period and Enable.
  - To disable session persistence, click Disable Session Persistence.
Health Check: If your service has multiple origin servers, you can use the health check feature to check the availability of each origin server. This ensures that requests from clients are not forwarded to unhealthy origin servers.
- Click Change in the Health Check column.
- In the Health Check panel, turn on Enable Health Check and complete the settings. For more information, see Configure a health check.
- Click OK.
To disable the health check feature, click Change in the Health Check column. In the Health Check panel, turn off Enable Health Check.
Anti-DDoS Protection Policy: You can configure DDoS mitigation policies to limit the connection rates and packet lengths of non-website services that are protected by Anti-DDoS Pro or Anti-DDoS Premium. This protects non-website services against connection-oriented DDoS attacks that consume little bandwidth.
- Click Change in the Anti-DDoS Protection Policy column.
- On the Protection for Non-website Services tab, configure DDoS mitigation policies based on your business requirements. You can configure the following policies:
  - False Source: verifies source IP addresses and filters DDoS attacks that are initiated from forged IP addresses.
  - Speed Limit for Destination: limits the data transfer rate of a destination (an IP address and port of the Anti-DDoS Pro or Anti-DDoS Premium instance) whose visit frequency exceeds the configured maximum. The data transfer rates of other ports are not limited.
  - Packet Length Limit: specifies the minimum and maximum lengths of packets that are allowed to pass through. Packets with lengths outside this range are discarded.
  - Speed Limit for Source: limits the data transfer rate of a source IP address whose access requests to an IP address and port of the instance exceed the configured maximum visit frequency. Source IP addresses that stay within the maximum visit frequency are not limited. This policy also supports an IP address blacklist: a source IP address that exceeds the maximum visit frequency five times within 60 seconds can be added to the blacklist, and you can specify the blocking period.
For more information, see Create an anti-DDoS protection policy.
Step 4: View the protection data of a port
After you add your non-website service to your Anti-DDoS Pro or Anti-DDoS Premium
instance, you can view the traffic that is redirected over the port on the Security
Overview page of the Anti-DDoS Pro or Anti-DDoS Premium console.
- In the left-side navigation pane, click Security Overview.
- Click the Instances tab, select your instance and specify a time range to view the protection data.
Bandwidth:
- Anti-DDoS Pro provides the Bandwidth trend chart to show traffic information by bps or pps. You can view the trends of inbound, outbound, and attack traffic of an instance for a specific time range.
- Anti-DDoS Premium provides the Overview tab to show bandwidth trends, the Inbound Distribution tab to show the distribution of inbound traffic, and the Outbound Distribution tab to show the distribution of outbound traffic.
Note The time granularity of trend charts on the Security Overview page depends on the specified time range:
- 1 hour or less: 1 minute
- more than 1 hour, up to 6 hours: 5 minutes
- more than 6 hours, up to 24 hours: 10 minutes
- more than 1 day, up to 7 days: 30 minutes
- more than 7 days, up to 15 days: 1 hour
- more than 15 days, up to 30 days: 6 hours
Attack Events: You can move the pointer over an IP address or a port to view the details of an attack, such as Attack Target, Attack Type, Peak Attack Traffic, and Protection Effect.
Number of connections:
- Concurrent Connections: the total number of concurrent TCP connections established between clients and the instance
  - Active: the number of TCP connections in the Established state
  - Inactive: the number of TCP connections in all states except the Established state
- New Connections: the number of new TCP connections established between clients and the instance per second
Note If you select one instance, the Connections trend chart shows the number of connections on each port. If you select more than one instance, the Connections trend chart shows the total number of connections on all ports.
Source Locations and Source Service Providers:
- Source Locations: the distribution of source locations from which normal traffic is sent. Source locations are classified as Global and Chinese Mainland.
- Source Service Providers: the distribution of Internet service providers (ISPs) from which normal traffic is sent.