
Anti-DDoS: Use the intelligent protection feature

Last Updated: Feb 22, 2024

This topic describes how to use the intelligent protection feature of Anti-DDoS Pro and Anti-DDoS Premium to protect website services. The feature is built on the big data technologies of Alibaba Cloud: it automatically learns the traffic patterns of your website, uses algorithms to analyze attacks, and then generates accurate access control rules that adjust the protection mode and detect and block attacks such as malicious bots and HTTP flood attacks at the earliest opportunity.

Background information

After you add your website to Anti-DDoS Pro or Anti-DDoS Premium, the intelligent protection feature is enabled by default. The intelligent protection engine automatically learns traffic patterns and protects the website against web attacks by using accurate access control rules.

Prerequisites

A website is added to Anti-DDoS Pro or Anti-DDoS Premium. For more information, see Add a website.

Use the intelligent protection feature

  1. Log on to the Anti-DDoS Pro console.

  2. In the top navigation bar, select the region of your asset.

    • Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.

    • Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.

    You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.

  3. In the left-side navigation pane, choose Mitigation Settings > General Policies.

  4. On the General Policies page, click the Protection for Website Services tab. On the tab that appears, select the domain name that you want to manage from the list on the left side.

  5. In the Intelligent Protection section, click Settings. In the Intelligent Protection dialog box, configure the Mode and Level parameters and close the dialog box.

    • Mode

      1. Warning: In this mode, when Anti-DDoS Pro or Anti-DDoS Premium detects malicious requests, it records them but does not block them. Use this mode together with the log analysis feature to query the recorded warnings and verify that the feature flags only the traffic you expect. For more information, see View attack warning logs.

      2. Protection: In this mode, when Anti-DDoS Pro or Anti-DDoS Premium detects malicious requests, it applies accurate access control rules to block them.

        Note

        We recommend that you start in Warning mode and use the log analysis feature to review the recorded attacks. Switch to Protection mode only after you confirm that the generated rules match attack traffic and do not flag legitimate requests.

    • Level

      Loose
        Effect: Blocks specific attacks and allows normal requests.
        Scenario: Large websites that have high processing capabilities, and specific scenarios such as sales promotions.

      Normal (recommended)
        Effect: Does not intervene in most cases. When Anti-DDoS Pro or Anti-DDoS Premium detects traffic that poses a threat to the protected website, it protects the website while minimizing the impact on legitimate requests.
        Scenario: Websites whose request volume does not fluctuate greatly and whose servers have spare capacity beyond what normal traffic consumes.

      Strict
        Effect: Blocks attacks strictly and intelligently. Normal requests may also be blocked.
        Scenario: Websites that do not have sufficient processing or protection capabilities.

After the feature is enabled, Anti-DDoS Pro or Anti-DDoS Premium automatically generates accurate access control rules when Anti-DDoS Pro or Anti-DDoS Premium detects malicious attacks. You can view the rules in the Accurate Access Control section.

View accurate access control rules

Accurate access control rules created by the intelligent protection feature have names that start with smartcc_. Compared with custom accurate access control rules, rules created by the feature have the following characteristics:

  • The action of a rule may be warning. In Warning mode, the action of every rule created by the feature is warning: Anti-DDoS Pro or Anti-DDoS Premium records matching requests but does not block them.

  • Each rule has a validity period. After a rule expires, it becomes invalid and is automatically deleted.

  • Rules cannot be manually deleted. If you disable the feature, all rules created by the feature are deleted immediately.

  1. Log on to the Anti-DDoS Pro console.

  2. In the top navigation bar, select the region of your asset.

    • Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.

    • Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.

    You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.

  3. In the left-side navigation pane, choose Mitigation Settings > General Policies.

  4. On the General Policies page, click the Protection for Website Services tab. On the tab that appears, select the domain name that you want to manage from the list on the left side.

  5. In the Accurate Access Control section, click Settings. On the page that appears, view the rules that start with smartcc_.

View attack warning logs

After the feature is enabled for your website, the log analysis feature records the detected attacks that trigger the accurate access control rules. You can query the attack warning logs associated with these rules on the Log Analysis page to verify that the feature flags the traffic you expect and nothing else.

Important

The log analysis feature must be enabled for your website. For more information, see Use the log analysis feature.

Log on to the Anti-DDoS Pro console. Choose Investigation > Log Analysis. On the page that appears, select a domain name and enter the following query statement to view the attack warning logs related to the intelligent protection feature:

  matched_host:"aliyundoc.com" and cc_action:alarm

Note

Replace aliyundoc.com with the actual domain name of your website. cc_action:alarm selects only requests that a warning-action rule matched, which is what Warning mode produces; requests that Protection mode blocked carry a different cc_action value.
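The query above only lists the flagged requests; deciding whether they are attack traffic or legitimate clients that Protection mode would wrongly block is still up to you. The following Python script is an added example, not code from this page or from Alibaba Cloud. It applies the same filter as the query (a conjunctive subset of the Log Analysis query syntax, parsed by hand) to a batch of log records exported as JSON lines, then ranks the flagged clients by alarm count, the number of distinct paths they requested, and the share of 4XX/5XX responses they received. The field names real_client_ip, status and request_uri, the JSON-lines export format and the sample records are assumptions and constructed data, not taken from the page.

```python
"""Offline triage of Anti-DDoS Pro / Anti-DDoS Premium attack warning logs.

Added example, not part of the Alibaba Cloud documentation. It reproduces
the page's Log Analysis query
    matched_host:"aliyundoc.com" and cc_action:alarm
over exported JSON-lines records and summarizes the clients that Warning
mode flagged, so false positives can be spotted before Protection mode is
enabled.

Assumptions (not stated on the page): records carry the fields
real_client_ip, status and request_uri, one JSON object per line.
"""
import json
import re
from collections import defaultdict

# Query exactly as given on the page.
QUERY = 'matched_host:"aliyundoc.com" and cc_action:alarm'

# Constructed sample export (not real logs): a scraper hammering one path,
# a shopper touching several paths, one record for another domain and one
# record that was not flagged. The last two must be excluded by the filter.
SAMPLE_LOGS = """\
{"matched_host":"aliyundoc.com","cc_action":"alarm","real_client_ip":"198.51.100.7","status":"200","request_uri":"/api/search?q=1"}
{"matched_host":"aliyundoc.com","cc_action":"alarm","real_client_ip":"198.51.100.7","status":"200","request_uri":"/api/search?q=2"}
{"matched_host":"aliyundoc.com","cc_action":"alarm","real_client_ip":"198.51.100.7","status":"503","request_uri":"/api/search?q=3"}
{"matched_host":"aliyundoc.com","cc_action":"alarm","real_client_ip":"203.0.113.9","status":"200","request_uri":"/"}
{"matched_host":"aliyundoc.com","cc_action":"alarm","real_client_ip":"203.0.113.9","status":"200","request_uri":"/checkout"}
{"matched_host":"example.org","cc_action":"alarm","real_client_ip":"203.0.113.9","status":"200","request_uri":"/"}
{"matched_host":"aliyundoc.com","cc_action":"none","real_client_ip":"192.0.2.4","status":"200","request_uri":"/"}
"""

# One field:value term; the value may be double-quoted. Only the AND-joined
# subset of the query syntax that the page uses is supported here.
_TERM = re.compile(r'(\w+):(?:"([^"]*)"|(\S+))')


def parse_query(query):
    """Split 'f1:"v1" and f2:v2' into [(f1, v1), (f2, v2)]; reject anything else."""
    terms = []
    for part in re.split(r"\s+and\s+", query.strip(), flags=re.IGNORECASE):
        m = _TERM.fullmatch(part.strip())
        if not m:
            raise ValueError("unsupported query term: %r" % part)
        value = m.group(2) if m.group(2) is not None else m.group(3)
        terms.append((m.group(1), value))
    return terms


def matches(record, terms):
    """True when every field:value term of the query holds for the record."""
    return all(str(record.get(field)) == value for field, value in terms)


def load_records(text):
    """Parse a JSON-lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize_by_client(records, terms):
    """Rank flagged clients: alarm count, distinct paths, share of 4XX/5XX.

    A client with many alarms on one path is typical bot behaviour; a client
    with few alarms spread over several paths and mostly 2XX responses is
    the kind of traffic to double-check before switching to Protection mode.
    """
    per_ip = defaultdict(lambda: {"alarms": 0, "paths": set(), "errors": 0})
    for rec in records:
        if not matches(rec, terms):
            continue
        entry = per_ip[rec["real_client_ip"]]
        entry["alarms"] += 1
        entry["paths"].add(rec["request_uri"].split("?", 1)[0])  # drop query string
        if rec["status"][:1] in ("4", "5"):
            entry["errors"] += 1
    summary = {
        ip: {
            "alarms": e["alarms"],
            "distinct_paths": len(e["paths"]),
            "error_share": round(e["errors"] / e["alarms"], 2),
        }
        for ip, e in per_ip.items()
    }
    # Most-flagged clients first.
    return dict(sorted(summary.items(), key=lambda kv: -kv[1]["alarms"]))


def main():
    terms = parse_query(QUERY)
    for ip, stats in summarize_by_client(load_records(SAMPLE_LOGS), terms).items():
        print(ip, stats)


if __name__ == "__main__":
    main()
```

Run it against a real export by replacing SAMPLE_LOGS with the file contents; the heuristic ranks, it does not decide. Treat a client that appears only because of a handful of alarms across ordinary pages as a candidate false positive and keep the domain in Warning mode until the smartcc_ rules stop matching such traffic.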

Modify the policy for the intelligent protection feature

In the following scenarios, we recommend that you adjust the policy for the intelligent protection feature so that the feature can learn the traffic patterns of your website without generating false positives.

Scenario 1

  Before you added your website to Anti-DDoS Pro or Anti-DDoS Premium, the website already used common throttling policies, or a large number of clients frequently reconnect to the website at the same time. As a result, the website returns a large number of 4XX or 5XX HTTP status codes even though the service runs normally.

  Optimization method

  1. On the Protection for Website Services tab, click Settings in the Intelligent Protection section.

  2. In the Intelligent Protection dialog box, set Mode to Warning.

  3. After three days, set Mode to Protection.

Scenario 2

  You want to run a promotion event or a stress test on your website, but the origin server of the website returns a large number of 4XX or 5XX HTTP status codes.

  Optimization method

  1. In the left-side navigation pane, choose Mitigation Settings > Scenario-specific Policies. On the Custom Policies page, click Create Scenario-specific Policy in the upper-left corner.

  2. In the Create Scenario-specific Policy dialog box, specify the Policy Name and Validity Period parameters and click OK.

  3. Find the created policy in the policy list and click Configure Objects in the Actions column.

  4. In the panel that appears, select the websites or IP addresses that you want to protect.