This topic describes how to use the intelligent protection feature provided by Anti-DDoS Pro and Anti-DDoS Premium to protect website services. The intelligent protection feature is developed based on the big data technologies of Alibaba Cloud. The feature automatically learns traffic patterns and uses algorithms to analyze attacks. Then, the feature applies accurate access control rules to adjust protection modes and to detect and block attacks, including malicious bots and HTTP flood attacks, at the earliest opportunity.

Prerequisites

  • A website is added to Anti-DDoS Pro or Anti-DDoS Premium. For more information, see Add a website.
  • Mitigation settings are enabled in the latest version of Anti-DDoS Pro or Anti-DDoS Premium.

Background information

After you add your website to Anti-DDoS Pro or Anti-DDoS Premium, the intelligent protection feature is enabled by default. The intelligent protection engine automatically learns traffic patterns and protects the website against web attacks by using accurate access control rules.

Configure a policy for the intelligent protection feature

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region where your instance resides.
    • Anti-DDoS Pro: If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.
    • Anti-DDoS Premium: If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.
    You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
  3. In the left-side navigation pane, choose Mitigation Settings > General Policies.
  4. On the General Policies page, click the Protection for Website Services tab. On the tab that appears, select a specific domain name from the list in the left side.
  5. In the Intelligent Protection section, click Modify.
  6. In the Intelligent Protection dialog box, configure Mode and Level, and turn on Status.
    • Mode: Set this parameter to Warning or Defense.
      This feature supports the following protection modes:
      • Warning: In this mode, when Anti-DDoS Pro or Anti-DDoS Premium detects malicious requests, Anti-DDoS Pro or Anti-DDoS Premium records the attacks but does not block the requests. You can use this mode to learn how the feature safeguards your website.

        You can use this mode and the Log Analysis feature to query warnings recorded by the feature and verify the protection capabilities of the feature. For more information, see View attack warning logs.

      • Defense: In this mode, when Anti-DDoS Pro or Anti-DDoS Premium detects malicious requests, Anti-DDoS Pro or Anti-DDoS Premium applies accurate access control rules to block the malicious requests.
        Note The feature uses accurate access control rules to trigger actions. To make sure that the feature works as expected, you must enable Accurate Access Control. For more information, see Configure accurate access control rules.

        We recommend that you first use the Warning mode together with the Log Analysis feature to analyze the attack logs. Switch to the Defense mode, which is required for the policy to take effect, only after you confirm that the feature works as expected.

    • Level: Set this parameter to Low, Normal, or Strict.
      If you enable the feature, you can select a value for Level based on your business requirements. The following table describes the protection levels provided by the feature.
      Level: Low
        Effect: Blocks specific attacks and allows normal requests.
        Scenario: Large websites that have high processing capabilities, and specific scenarios such as sales promotions.
      Level: Normal (recommended)
        Effect: Does not process requests in most cases. When Anti-DDoS Pro or Anti-DDoS Premium detects traffic that poses a threat to the protected website, Anti-DDoS Pro or Anti-DDoS Premium protects the website and minimizes the negative impacts on the website.
        Scenario: Scenarios in which the number of requests does not fluctuate greatly and the servers have spare resources beyond what normal network traffic requires.
      Level: Strict
        Effect: Strictly and intelligently blocks attacks. However, normal requests may also be blocked.
        Scenario: Websites that do not have sufficient processing or protection capabilities.
    After the feature is enabled, Anti-DDoS Pro or Anti-DDoS Premium automatically generates accurate access control rules when Anti-DDoS Pro or Anti-DDoS Premium detects malicious attacks. You can view the rules in the Accurate Access Control section.

View accurate access control rules

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region where your instance resides.
    • Anti-DDoS Pro: If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.
    • Anti-DDoS Premium: If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.
    You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
  3. In the left-side navigation pane, choose Mitigation Settings > General Policies.
  4. On the General Policies page, click the Protection for Website Services tab. Select the required domain name from the list on the left side.
  5. In the Accurate Access Control section, click Change Settings.
  6. On the Accurate Access Control page, view the rules that start with smartcc_.
    Accurate access control rules created by Intelligent Protection start with smartcc_. Compared with custom accurate access control rules, the accurate access control rules created by the feature have the following characteristics:
    • The action of a rule may be warning. In Warning mode, the action specified in an accurate access control rule that is created by the feature is warning. In this case, Anti-DDoS Pro or Anti-DDoS Premium records attacks but does not block attacks.
    • Each rule has a validity period. After a rule expires, the rule becomes invalid and is automatically deleted.
    • Rules cannot be manually deleted. If you disable the feature, rules created by the feature are immediately deleted.

View attack warning logs

After the feature is enabled for your website, the Log Analysis feature records detected attacks that trigger the accurate access control rules. You can query the attack warning logs that are associated with the accurate access control rules on the Log Analysis page. This allows you to verify the protection effect of the feature.

Prerequisites
  • The Log Analysis feature is enabled for your website. For more information, see Overview.
  • The intelligent protection feature is enabled for your website and is set to the Warning mode.

Queries

Log on to the Anti-DDoS Pro or Anti-DDoS Premium console and choose Investigation > Log Analysis. On the page that appears, select a domain name and enter the following query statement to view the attack warning logs related to the intelligent protection feature:
Note Replace aliyundoc.com with the actual domain name of your website.
matched_host:"aliyundoc.com" and cc_action:alarm
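The same filter can be applied offline to logs exported from Log Analysis, which is useful for reviewing how many requests the Warning mode would have blocked before you switch to Defense mode. The following Python script is an added example and is not part of the Alibaba Cloud documentation or product. The field names matched_host and cc_action, the value alarm, and the smartcc_ rule-name prefix come from this topic; the fields rule_name, real_client_ip and __time__, the values block and none, and every log record are constructed assumptions for illustration.

```python
"""Offline summary of intelligent-protection warning logs.

Added example, not Alibaba Cloud code. It reproduces the console query
    matched_host:"aliyundoc.com" and cc_action:alarm
over log records exported as JSON lines and groups the hits by rule and
by client, so the Warning-mode result can be reviewed before Defense mode
is enabled.

matched_host, cc_action, the value "alarm" and the smartcc_ prefix are from
the documentation. rule_name, real_client_ip, __time__, the values "block"
and "none", and all sample records below are constructed assumptions.
"""
import json
from collections import Counter

# Constructed sample export (assumption): the real input would be the file
# downloaded from the Log Analysis page. One malformed line is included to
# show that the parser skips it instead of failing.
SAMPLE_LOGS = """\
{"__time__": 1700000000, "matched_host": "aliyundoc.com", "cc_action": "alarm", "rule_name": "smartcc_1", "real_client_ip": "198.51.100.10"}
{"__time__": 1700000001, "matched_host": "aliyundoc.com", "cc_action": "alarm", "rule_name": "smartcc_1", "real_client_ip": "198.51.100.10"}
{"__time__": 1700000002, "matched_host": "aliyundoc.com", "cc_action": "alarm", "rule_name": "smartcc_2", "real_client_ip": "198.51.100.11"}
{"__time__": 1700000003, "matched_host": "aliyundoc.com", "cc_action": "block", "rule_name": "custom_login_limit", "real_client_ip": "203.0.113.5"}
{"__time__": 1700000004, "matched_host": "other.example", "cc_action": "alarm", "rule_name": "smartcc_9", "real_client_ip": "203.0.113.6"}
{"__time__": 1700000005, "matched_host": "aliyundoc.com", "cc_action": "none", "rule_name": "", "real_client_ip": "203.0.113.7"}
not valid json
"""


def parse_logs(text):
    """Yield one dict per well-formed JSON line; silently skip lines that do not parse."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def warning_hits(records, host):
    """Equivalent of the console query: matched_host:"<host>" and cc_action:alarm."""
    return [r for r in records
            if r.get("matched_host") == host and r.get("cc_action") == "alarm"]


def summarize(records, host):
    """Count Warning-mode hits for one domain, per smartcc_ rule and per client IP.

    Rules created by the intelligent protection feature start with smartcc_;
    hits from other rules are counted in the total but not in per_rule.
    """
    hits = warning_hits(records, host)
    per_rule = Counter(r["rule_name"] for r in hits
                       if r.get("rule_name", "").startswith("smartcc_"))
    per_client = Counter(r.get("real_client_ip", "unknown") for r in hits)
    return {"total": len(hits), "per_rule": dict(per_rule), "per_client": dict(per_client)}


if __name__ == "__main__":
    # Replace aliyundoc.com with your own domain name, as the topic notes.
    result = summarize(parse_logs(SAMPLE_LOGS), "aliyundoc.com")
    print(json.dumps(result, indent=2))
```

A large per_client count against a single smartcc_ rule is the kind of result you would expect Defense mode to block; a spread of hits across many ordinary clients suggests the level is too strict for the traffic pattern and is worth reviewing before leaving Warning mode.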

Modify the policy for the intelligent protection feature

In the following business scenarios, we recommend that you modify the policy for the intelligent protection feature. This helps the feature learn traffic patterns to prevent false positives.

Scenario 1: Before you add your website to Anti-DDoS Pro or Anti-DDoS Premium, your website is configured with common throttling policies, or a large number of clients frequently reconnect to your website at the same time. Even if your website service is running normally, a large number of 4xx or 5xx HTTP status codes are returned.
Optimization method:
  1. On the Protection for Website Services tab, click Modify in the Intelligent Protection section.
  2. In the Intelligent Protection dialog box, set Mode to Warning.
  3. After three days, set Mode to Defense.

Scenario 2: You want to launch a promotion event or stress test on your website, but the origin server of the website returns a large number of 4xx or 5xx HTTP status codes.
Optimization method:
  1. In the left-side navigation pane, choose Mitigation Settings > Custom Policies. On the page that appears, click Create Policy in the upper-left corner.
  2. In the Create Policy dialog box, configure Policy Name and Validity Period and click Confirm.
  3. Find the created policy in the policy list and click Configure Policy in the Actions column.
  4. In the panel that appears, select websites or IP addresses that you want to protect.