
Anti-DDoS: Add an object for protection

Last Updated: Nov 03, 2023

After you purchase an Anti-DDoS Origin instance of a paid edition, you must add each asset that is assigned a public IP address to the instance before the instance protects the asset. In the following sections, an asset that is assigned a public IP address is referred to as an asset. This topic describes how to add an object to an Anti-DDoS Origin instance of a paid edition for protection.

Overview

If you purchase an Anti-DDoS Origin 1.0 Enterprise instance, Anti-DDoS Origin 2.0 Enterprise instance, or Anti-DDoS Origin 2.0 instance of Inclusive Edition for Small and Medium Enterprises, you must add your asset to the instance for protection. If you purchase an elastic IP address (EIP) with Anti-DDoS (Enhanced) enabled, you do not need to add the EIP with Anti-DDoS (Enhanced) enabled to an instance for protection. However, you must attach a port-specific mitigation policy to a port of the EIP with Anti-DDoS (Enhanced) enabled. You can view the purchased EIP with Anti-DDoS (Enhanced) enabled on the Protected Objects page.

Add an object for protection

You can add an object for protection on the Protected Objects page or the Instances page. This topic describes how to add an object for protection on the Protected Objects page. For more information about the operations on the Instances page, see Manage instances.

Important

If your Alibaba Cloud account is the management account, has the multi-account management feature enabled, and you purchase an Anti-DDoS Origin 2.0 Enterprise instance, you can add assets of members for protection. For more information, see Use the multi-account management feature.

Prerequisites

Procedure

  1. Log on to the Traffic Security console.

  2. In the top navigation bar, select the resource group to which the instance belongs and the region in which the instance resides.

    • For an Anti-DDoS Origin 1.0 instance or EIP with Anti-DDoS (Enhanced) enabled, select the region in which the instance or EIP resides.

    • For an Anti-DDoS Origin 2.0 instance, select All Regions.

  3. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Protected Objects.

  4. On the Protected Objects page, select the instance that you purchased and click Add Object for Protection.

    Note

    If you use an Anti-DDoS Origin paid edition for the first time, you must follow the instructions that are provided on the page to complete the authorization for the assets within your Alibaba Cloud account.

  5. In the Add Object for Protection dialog box, click the Add Asset or Add Manually tab and add an asset for protection. Then, click Confirm.

    • Add Asset: Select an asset that belongs to the current Alibaba Cloud account.

    • Add Manually: Enter the public IP address of the asset that belongs to the current Alibaba Cloud account.

    • Add Assets of Members: Select an asset that belongs to a member. This tab is displayed only when the current Alibaba Cloud account has the multi-account management feature enabled and is the management account.

    Note

    After an asset is added, the Mitigation Policy column displays Default, which indicates that the default mitigation capability of Anti-DDoS Origin paid editions is provided for the asset. If you want to allow or deny service traffic that has specific characteristics, you can create a custom mitigation policy and attach the policy to the asset.

  6. (Optional) Replace the default mitigation policy with a custom mitigation policy.

    1. Click Default in the Mitigation Policy column to go to the Mitigation Settings page.

    2. Attach a custom mitigation policy to the object.

      Scenario: A custom mitigation policy is created.

      Description:

      1. On the Mitigation Settings page, select IP-specific Mitigation Policy (Attack-triggered).

      2. Find the custom mitigation policy that you want to manage and click Add Object for Protection in the Actions column.

      3. In the View Applicable Object panel, click Add Object for Protection to attach the custom mitigation policy to the object.

      Scenario: No custom mitigation policies are created or the existing custom mitigation policy does not meet your business requirements.

      Description:

      1. On the Mitigation Settings page, click Create Policy.

      2. In the panel that appears, specify Policy Name and select IP-specific Mitigation Policy (Attack-triggered) in the Select Policy Type section. Then, click OK.

      3. In the "The policy is created." message, click OK.

      4. In the Configure Protection Rules step, configure the parameters and click Next.

        For more information about the parameters, see Use the mitigation settings feature (public preview).

      5. In the Select Applicable Objects step, select the object and click Add.

Related operations

Remove a protected object

  1. On the Protected Objects page, select the instance that you want to manage.

  2. In the asset list, find the asset that you want to manage and click Delete in the Actions column.

  3. In the Delete Protected Object message, view the prompt and click OK.

Detach the custom mitigation policy from a protected object

You can detach only the custom mitigation policy from a protected object. You cannot detach the default mitigation policy from a protected object.

  1. On the Protected Objects page, select the instance that you want to manage.

  2. In the asset list, find the asset that you want to manage and click Default in the Mitigation Policy column.

  3. On the Mitigation Settings page, find the mitigation policy that you want to manage and click Add Object for Protection in the Actions column.

  4. In the panel that appears, find the asset that you want to manage and click Delete in the Actions column.

Change the custom mitigation policy for a protected object

  1. On the Mitigation Settings page, select IP-specific Mitigation Policy (Attack-triggered). Find the custom mitigation policy that you want to detach from the protected object and click Add Object for Protection in the Actions column.

  2. Find the custom mitigation policy that you want to attach to the protected object and click Add Object for Protection in the Actions column.

Attach a port-specific mitigation policy to a port

If you purchase an EIP with Anti-DDoS (Enhanced) enabled, the EIP with Anti-DDoS (Enhanced) enabled is automatically added for protection. However, you must attach a port-specific mitigation policy to a port of the EIP with Anti-DDoS (Enhanced) enabled. To view an EIP with Anti-DDoS (Enhanced) enabled, you can go to the Protected Objects page and select the EIP with Anti-DDoS (Enhanced) enabled whose name is in the Default-eip-****** format.

Warning

When you attach a port-specific mitigation policy to a port, your TCP-based services experience a transient connection interruption that lasts a few seconds. We recommend that you attach a port-specific mitigation policy to a port during off-peak hours.

Prerequisites

An EIP with Anti-DDoS (Enhanced) enabled is purchased. For more information, see Best practices of EIP with Anti-DDoS (Enhanced) enabled.

Procedure

  1. Log on to the Traffic Security console.

  2. In the top navigation bar, select the resource group to which the EIP with Anti-DDoS (Enhanced) enabled belongs and the region in which the EIP resides.

  3. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Protected Objects.

  4. Select the EIP with Anti-DDoS (Enhanced) enabled whose name is in the Default-eip-****** format.

  5. (Optional) Replace the default mitigation policy of the EIP with Anti-DDoS (Enhanced) enabled with a custom mitigation policy.

    1. Click Default in the Mitigation Policy column to go to the Mitigation Settings page.

    2. Attach a custom mitigation policy to the EIP with Anti-DDoS (Enhanced) enabled.

      Scenario: A custom mitigation policy is created.

      Description:

      1. On the Mitigation Settings page, select IP-specific Mitigation Policy (Parallel).

      2. Find the custom mitigation policy that you want to manage and click Add Object for Protection in the Actions column.

      3. In the View Applicable Object panel, click Add Object for Protection to configure the custom mitigation policy for the EIP with Anti-DDoS (Enhanced) enabled.

      Scenario: No custom mitigation policies are created or the existing custom mitigation policy does not meet your business requirements.

      Description:

      1. On the Mitigation Settings page, click Create Policy.

      2. In the panel that appears, specify Policy Name and select IP-specific Mitigation Policy (Parallel) in the Select Policy Type section. Then, click OK.

      3. In the "The policy is created." message, click OK.

      4. In the Configure Protection Rules step, configure the parameters and click Next.

        For more information about the parameters, see Use the mitigation settings feature (public preview).

      5. In the Select Applicable Objects step, select the object and click Add.

  6. Attach a port-specific mitigation policy to a port of the EIP with Anti-DDoS (Enhanced) enabled.

    1. Find the EIP with Anti-DDoS (Enhanced) enabled that you want to manage and click Add Port in the Actions column. In the dialog box that appears, specify Port Number and click Confirm.

    2. Click the expand arrow icon to the left of the EIP with Anti-DDoS (Enhanced) enabled, find the port that you want to manage, and then attach a port-specific mitigation policy to the port.

      • To attach the default port-specific mitigation policy to the port, click Enable Protection in the Actions column.

      • To attach a custom port-specific mitigation policy to the port, click Associate Existing Policy in the Actions column. Then, click Enable Protection in the Actions column.

      After you attach a port-specific mitigation policy to the port, you can choose More > Unbind Policy in the Actions column to detach the port-specific mitigation policy from the port. You can also choose More > Remove Port in the Actions column to delete the port-specific mitigation policy.

Related operations

Change the custom mitigation policy for the EIP with Anti-DDoS (Enhanced) enabled

  1. On the Mitigation Settings page, select IP-specific Mitigation Policy (Parallel). Find the custom mitigation policy that you want to detach from the EIP with Anti-DDoS (Enhanced) enabled and click Add Object for Protection in the Actions column.

  2. Find the custom mitigation policy that you want to attach to the EIP with Anti-DDoS (Enhanced) enabled and click Add Object for Protection in the Actions column.

View the details of a protected object

  1. Log on to the Traffic Security console.

  2. In the top navigation bar, select the resource group to which the instance belongs and the region in which the instance resides.

    • For an Anti-DDoS Origin 1.0 instance or EIP with Anti-DDoS (Enhanced) enabled, select the region in which the instance or EIP resides.

    • For an Anti-DDoS Origin 2.0 instance, select All Regions.

  3. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Protected Objects.

  4. On the Protected Objects page, select the instance that you want to manage. Then, you can view the mitigation settings of the assets that are protected by the instance.

    • The following table describes the details of an asset that is protected by an Anti-DDoS Origin 1.0 Enterprise instance, Anti-DDoS Origin 2.0 Enterprise instance, or Anti-DDoS Origin 2.0 instance of Inclusive Edition for Small and Medium Enterprises.

      Column: Description

      IP: The asset that is protected by the instance.

      Owner Account of Asset: The Alibaba Cloud account to which the asset belongs. This column is displayed only when the current Alibaba Cloud account has the multi-account management feature enabled and is the management account, and you purchase an Anti-DDoS Origin 2.0 Enterprise instance.

      Traffic Scrubbing Threshold: The minimum bandwidth that must be reached before traffic scrubbing is triggered. The bandwidth is measured in Mbit/s and pps. For more information, see Configure a traffic scrubbing threshold.

      Asset Type: The type of the asset.

      Status: The security status of the asset.

      • Normal.

      • Blackhole Filtering Triggered. You can manually deactivate blackhole filtering. To deactivate blackhole filtering, click Deactivate Blackhole Filtering in the Actions column. In the Deactivate Blackhole Filtering message, view the remaining number of times that you can deactivate blackhole filtering and click OK. You can also view the blackhole filtering events. For more information, see View information about blackhole filtering events.

      Mitigation Policy: The mitigation policy that is attached to the asset.

      If Default is displayed in this column, no mitigation policies are attached to the asset. The default mitigation capability of the Anti-DDoS Origin paid editions is provided for the asset. If a custom mitigation policy is used, you can click the policy to go to the Mitigation Settings page to view the details of the policy.

      Actions:

      • Delete: Remove the asset.

      • Deactivate Blackhole Filtering: Deactivate blackhole filtering. This operation is supported only when the asset is in the Blackhole Filtering Triggered state.

      • View Applied Policy: View the details of the mitigation policy that is attached to the asset.

    • The following table describes the details of an EIP with Anti-DDoS (Enhanced) enabled.

      Column: Description

      IP: The EIP with Anti-DDoS (Enhanced) enabled.

      Traffic Scrubbing Threshold: The minimum bandwidth that must be reached before traffic scrubbing is triggered. The bandwidth is measured in Mbit/s and pps. For more information, see Configure a traffic scrubbing threshold.

      Asset Type: The value is fixed as EIP with Anti-DDoS (Enhanced) Enabled.

      Ports: The number of ports for which port-specific mitigation policies are configured. You can click the expand arrow icon to the left of the EIP with Anti-DDoS (Enhanced) enabled to view the ports to which port-specific mitigation policies are attached.

      Status: The security status of the EIP with Anti-DDoS (Enhanced) enabled.

      • Normal.

      • Blackhole Filtering Triggered. You can manually deactivate blackhole filtering. To deactivate blackhole filtering, click Deactivate Blackhole Filtering in the Actions column. In the Deactivate Blackhole Filtering message, view the remaining number of times that you can deactivate blackhole filtering and click OK. You can also view the blackhole filtering events. For more information, see View information about blackhole filtering events.

      Mitigation Policy: The mitigation policy that is attached to the EIP with Anti-DDoS (Enhanced) enabled.

      If Default is displayed in this column, no mitigation policies are attached to the EIP with Anti-DDoS (Enhanced) enabled. The default mitigation capability of the Anti-DDoS Origin paid editions is provided for the asset. If a custom mitigation policy is used, you can click the policy to go to the Mitigation Settings page to view the details of the policy.

      Actions:

      • Add Port: Add a port.

      • Deactivate Blackhole Filtering: Deactivate blackhole filtering. This operation is supported only when the EIP with Anti-DDoS (Enhanced) enabled is in the Blackhole Filtering Triggered state.

      • View Applied Policy: View the details of the mitigation policy that is attached to the EIP with Anti-DDoS (Enhanced) enabled.
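The columns described above are enough to review an inventory of protected objects offline. The following Python check is an added example and is not part of the Alibaba Cloud documentation; the CSV layout, the sample rows, the asset type "ECS" and the policy name are constructed assumptions, and only the column names and status values come from this page.

```python
import csv
import io
import ipaddress

# Constructed sample: rows copied by hand from the Protected Objects page.
# The CSV layout is an assumption; this page does not describe an export
# format. Column names follow the tables on this page.
SAMPLE = """IP,Asset Type,Ports,Status,Mitigation Policy
203.0.113.10,EIP with Anti-DDoS (Enhanced) Enabled,0,Normal,Default
203.0.113.11,EIP with Anti-DDoS (Enhanced) Enabled,2,Normal,web-parallel
198.51.100.7,ECS,,Blackhole Filtering Triggered,Default
10.0.0.5,ECS,,Normal,Default
"""

# Ranges that can never be the public IP address that Add Manually expects.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]
EIP_TYPE = "EIP with Anti-DDoS (Enhanced) Enabled"


def audit(csv_text):
    """Return a list of (ip, finding) tuples for rows that need follow-up."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = row["IP"].strip()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, "not a valid IP address"))
            continue
        if any(addr in net for net in NON_PUBLIC):
            findings.append((ip, "not a public IP address"))
            continue
        if row["Status"] == "Blackhole Filtering Triggered":
            findings.append((ip, "blackhole filtering triggered"))
        # An EIP is added automatically, but its ports still need a policy.
        if row["Asset Type"] == EIP_TYPE and int(row["Ports"] or 0) == 0:
            findings.append((ip, "no port-specific mitigation policy attached"))
        if row["Mitigation Policy"] == "Default":
            findings.append((ip, "default mitigation policy only"))
    return findings


if __name__ == "__main__":
    for ip, finding in audit(SAMPLE):
        print(f"{ip}: {finding}")
```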
