Anti-DDoS Proxy supports the configuration of port forwarding rules, which enables the use of the exclusive IP address of your Anti-DDoS Proxy instance as the service IP address. After the configuration, your Anti-DDoS Proxy instance can defend against transport-layer attacks such as SYN Flood and UDP Flood attacks, and application-layer attacks that do not use HTTP or HTTPS protocols. This topic outlines the steps to configure Anti-DDoS Proxy for non-website services.
Prerequisites
An Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland) instance is purchased. For more information, see Purchase an Anti-DDoS Proxy instance.
Step 1: Create one or more port forwarding rules
Before adding your services to the Anti-DDoS Proxy instance, create port forwarding rules to direct service traffic accordingly.
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.
Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland) instance, select Outside Chinese Mainland.
In the left-side navigation pane, choose the port configuration menu item. On the Port Config page, select your instance and create a port forwarding rule.
Note: If the icon is displayed next to a protocol in the Forwarding Protocol column of a port forwarding rule, the rule was generated automatically when you added a website. Such a rule forwards the traffic of website services, and you cannot modify or delete it. If the websites that use these port forwarding rules are removed from your instance, the rules are deleted automatically. For more information about how to configure website services, see Add one or more websites.
If you specify port 80 for the origin server when you add a domain name to your instance, Anti-DDoS Proxy automatically generates a port forwarding rule. This port forwarding rule is used to forward TCP traffic to the origin server over port 80.
If you specify port 443 for the origin server when you add a domain name to your instance, Anti-DDoS Proxy automatically generates a port forwarding rule. This port forwarding rule is used to forward TCP traffic to the origin server over port 443.
Parameter | Description |
--- | --- |
Application-layer Protection | Available only for TCP-based non-website services. Enables protection against application-layer attacks that do not use HTTP or HTTPS. For more information about attack types, see Scenario-specific anti-DDoS solutions. |
Forwarding Protocol | The protocol used to forward traffic. Valid values: TCP and UDP. |
Redirection Port | The port on the instance that receives and forwards traffic. Note: We recommend that you specify the same value for Redirection Port and Origin Server Port. To prevent domain owners from running their own DNS servers, Anti-DDoS Proxy does not protect services that use port 53. Within an instance, forwarding rules that use the same protocol must use different forwarding ports; if you create a rule whose protocol and forwarding port are already used by another rule, an error message stating that the rules overlap appears. Also make sure that the rule does not conflict with the rules that are generated automatically when you add a website to your instance. |
Origin Server Port | The port of the origin server. |
Back-to-origin Scheduling Algorithm | The polling mode is used by default and cannot be changed. |
Origin IP Address | The IP address of the origin server. Note: You can specify up to 20 origin IP addresses to implement load balancing. Separate multiple IP addresses with commas (,). |
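The constraints in the table above (TCP or UDP only, no port 53, no overlapping protocol/port pairs, no conflict with the auto-generated TCP 80/443 website rules, at most 20 comma-separated origin IPs) can be checked before rules are entered in the console. The following validator is an added example, not Alibaba Cloud's code; the rule names and sample addresses are assumptions.

```python
# Added example, not Alibaba Cloud's code: pre-checks a proposed set of port
# forwarding rules against the constraints documented for the Port Config page.
import ipaddress
from dataclasses import dataclass, field

MAX_ORIGIN_IPS = 20
UNPROTECTED_PORTS = {53}  # DNS is not protected by Anti-DDoS Proxy

@dataclass
class ForwardingRule:
    protocol: str                 # "TCP" or "UDP"
    redirection_port: int         # port on the instance's exclusive IP
    origin_port: int              # port on the origin server
    origin_ips: list = field(default_factory=list)
    auto_generated: bool = False  # created by adding a website, not editable

def parse_origin_ips(text):
    """Split the comma-separated console value and validate each address."""
    return [str(ipaddress.ip_address(p.strip())) for p in text.split(",") if p.strip()]

def website_rules(origin_ports):
    """Rules the instance generates for a website: TCP 80 and/or TCP 443."""
    return [ForwardingRule("TCP", p, p, [], True) for p in origin_ports if p in (80, 443)]

def validate_rules(rules):
    """Return the problems found; an empty list means the rule set is acceptable."""
    problems, seen = [], {}
    for r in rules:
        proto = r.protocol.upper()
        key = f"{proto}/{r.redirection_port}"
        if proto not in ("TCP", "UDP"):
            problems.append(f"{key}: protocol must be TCP or UDP")
        for port in (r.redirection_port, r.origin_port):
            if port in UNPROTECTED_PORTS:
                problems.append(f"{key}: port {port} is not protected")
        if not r.origin_ips and not r.auto_generated:
            problems.append(f"{key}: at least one origin IP is required")
        if len(r.origin_ips) > MAX_ORIGIN_IPS:
            problems.append(f"{key}: more than {MAX_ORIGIN_IPS} origin IPs")
        # Same protocol + same forwarding port is the overlap the console rejects;
        # TCP and UDP on the same port number are allowed to coexist.
        if (proto, r.redirection_port) in seen:
            other = seen[(proto, r.redirection_port)]
            what = "auto-generated website rule" if other.auto_generated else "another rule"
            problems.append(f"{key}: overlaps with {what}")
        else:
            seen[(proto, r.redirection_port)] = r
    return problems
```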
Step 2: Add your service to your Anti-DDoS Proxy instance
After a port forwarding rule is created, you must change the IP address of your service to the exclusive IP address of your instance to redirect service traffic to the instance. After you change the IP address, your instance scrubs inbound traffic and then forwards service traffic to the origin server.
Allow the back-to-origin IP address of your instance on the origin server. This way, the traffic from your instance is allowed by the security software on your origin server. For more information, see Allow back-to-origin IP addresses to access the origin server.
Verify that the port forwarding rules are in effect on your computer to prevent service exceptions caused by invalid forwarding rule configurations. For more information, see Verify traffic forwarding settings on a local machine.
Warning: If you switch your service traffic to your instance before the port forwarding rules take effect, your services may be interrupted.
Switch the traffic of your non-website services to your instance
In most cases, you can replace the service IP address with the exclusive IP address of your instance to switch the traffic of your non-website services to your instance. The method to replace the IP address varies based on your platform.
Note: If your service is also reached through a domain name that serves as the server address, you do not need to add that domain name to your instance. For example, the domain name example.com may be used as the server address of a game or be hard-coded in a client program. In this case, change the A record at the DNS provider of the domain name so that it resolves to the exclusive IP address of your instance. For more information, see Change the DNS record.
In some scenarios, you may need to use a domain name to add your Layer 4 service to multiple Anti-DDoS Proxy instances and configure an automatic mechanism to switch traffic among these instances. We recommend that you add the domain name of your service to Anti-DDoS Proxy and modify the CNAME of the domain name. For more information, see Modify CNAME records to protect transport-layer services.
Step 3: Configure port forwarding and DDoS mitigation policies
After you change the IP address of your service to the exclusive IP address of your instance, the instance uses default mitigation policies to scrub and forward traffic. You can create custom DDoS mitigation policies and enable the session persistence and health check features based on your business requirements to optimize port forwarding.
On the Port Config page, select your instance, find the port forwarding rule that you want to manage, and then configure the following parameters based on your business requirements.
Parameter | Description |
--- | --- |
Session Persistence | After you add your non-website service to Anti-DDoS Proxy, issues such as logon timeouts and disconnections may occur. In this case, you can enable the session persistence feature, which forwards requests from the same client to the same backend server within a specified period of time. |
Health Check | If your service has multiple origin servers, you can use the health check feature to check the availability of each origin server. This ensures that requests from clients are not forwarded to unhealthy origin servers. |
DDoS Mitigation Policies | You can configure DDoS mitigation policies to limit the connection rates and packet lengths of non-website services that are protected by Anti-DDoS Proxy. This protects non-website services against connection-oriented DDoS attacks that consume little bandwidth. |
Step 4: View the protection data of a port
After adding your non-website service to the Anti-DDoS Proxy instance, you can view the traffic that is redirected over the port on the Security Overview page of the Anti-DDoS Proxy console.
In the left-side navigation pane, click Security Overview.
Click the Instances tab, select your instance, and specify a time range to view the protection data.
Section
Description
Bandwidth (marked 1 in the preceding figure)
Anti-DDoS Proxy (Chinese Mainland) provides the Bandwidth trend chart to show traffic information by bps or pps. You can view the trends of inbound, outbound, attack, and rate limit traffic of an instance within a specific time range.
Anti-DDoS Proxy (Outside Chinese Mainland) provides the Overview tab to show bandwidth trends, the Inbound Traffic Distribution tab to show the distribution of inbound traffic, and the Outbound Traffic Distribution tab to show the distribution of outbound traffic.
Connections (marked 2 in the preceding figure)
Concurrent Connections: the total number of concurrent TCP connections that are established between clients and the instance.
Active: the number of TCP connections in the Established state.
Inactive: the number of TCP connections in all states except for the Established state.
New Connections: the number of new TCP connections that are established between clients and the instance per second.
Network Layer Attack Events, Alerts on Exceeded Upper Limits, and Destination Rate Limit Events (marked 3 in the preceding figure)
Network Layer Attack Events
You can move the pointer over an IP address or a port to view the details of an attack, such as Attack Target, Attack Type, Peak Attack Traffic, and Protection Effect.
Alerts on Exceeded Upper Limits
Alerts are supported for the following event types: clean bandwidth, new connections, and concurrent connections. If the purchased specification that corresponds to an event type is exceeded, an alert of that type is generated. In this case, your business is not affected, but a specification upgrade is recommended. For more information, see Upgrade an instance.
You can click Details in the Status column of an alert to go to the System Logs page to view the details of the alert.
Note: The alerts on exceeded upper limits are updated at 10:00 (UTC+8) every Monday. After the update, the alerts that were generated on the previous day are displayed. If you configure a notification method, such as internal messages, text messages, or emails, you receive a notification at 10:00 (UTC+8) every Monday. The notification includes the alerts that were generated on the previous day.
Destination Rate Limit Events
If the number of new connections, the number of concurrent connections, or the service bandwidth exceeds the specifications of your instance, rate limiting is triggered, and a destination rate limit event is generated. In this case, your business is affected.
If rate limiting is triggered by service traffic, we recommend that you upgrade the specifications of your instance at the earliest opportunity. For more information, see Upgrade an instance.
If rate limiting is triggered by DDoS attacks, we recommend that you adjust your mitigation policies at the earliest opportunity. For more information, see Configure the blacklist and whitelist (IP address-based) feature.
You can click Details in the Status column of an event to go to the System Logs page to view the details of the event.
Service Distribution by Location and Service Distribution by ISP (marked 4 in the preceding figure)
Service Distribution by Location: the distribution of source locations from which service traffic is sent.
Service Distribution by ISP: the distribution of Internet service providers (ISPs) from which service traffic is sent.