Anti-DDoS Proxy allows you to configure a DDoS mitigation policy to protect non-website services against Layer 4 DDoS attacks. The policy includes the following features: false source, empty connection, rate limit for source, and speed limit for destination. You can configure a DDoS mitigation policy for a specific port forwarding rule when you create port forwarding rules for an Anti-DDoS Proxy instance and associate a non-website service with the instance. You can also configure a DDoS mitigation policy for multiple port forwarding rules at a time. This topic describes how to add a DDoS mitigation policy.
Introduction
For non-website services, a DDoS mitigation policy is configured based on IP addresses and ports. To mitigate connection-oriented DDoS attacks, you can configure the request rate, packet length, and other parameters based on your business requirements. A DDoS mitigation policy applies only to ports, that is, to port forwarding rules.
Anti-DDoS Proxy allows you to configure the following features in a DDoS mitigation policy for non-website services:
False Source: Verifies and filters DDoS attacks initiated from forged IP addresses.
Advanced Attack Mitigation: Detects and mitigates DDoS attacks that rapidly send an excessively large number of abnormal packets following a TCP three-way handshake, typically from botnets like Mirai.
Note: Anti-DDoS Pro instances that use IPv4 addresses can configure this feature, while Anti-DDoS Pro instances that use IPv6 addresses cannot.
Packet Feature Filtering: Accurately distinguishes between normal service traffic and attack traffic by analyzing packet payloads to protect against attacks. This feature also allows you to configure access control rules based on application-layer protocols.
Note: Only Anti-DDoS Proxy (Chinese Mainland) instances of the Enhanced function plan that use IPv4 addresses can configure this feature.
Rate Limit for Source: Limits the data transfer rate of a source IP address, based on the IP address and port of an instance, when the access requests from that source exceed an upper limit. Source IP addresses whose access requests do not exceed the upper limits are not rate-limited. The rate limit for source feature supports blacklist settings: an IP address whose access requests exceed an upper limit five times within 60 seconds can be added to a blacklist, and you can specify the blocking period for the blacklist.
Speed Limit for Destination: Limits the data transfer rate of the port used by an instance based on the IP address and port of the instance if the transfer rate exceeds an upper limit. The data transfer rates of other ports are not limited.
Packet Length Limit: Specifies the minimum and maximum lengths of packets that are allowed to pass through. Packets with invalid lengths are discarded.
Prerequisites
A non-website service is added to Anti-DDoS Proxy. For more information, see Manage forwarding rules.
Configure a DDoS mitigation policy for a single port forwarding rule
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.
Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland) instance, select Outside Chinese Mainland.
In the left-side navigation pane, choose .
On the General Policies page, click the Protection for Non-website Services tab, and select the Anti-DDoS Proxy instance that you want to manage at the top of the page.
Click the forwarding rule you want to configure from the list on the left to set the protection policy.
False Source: This feature applies only to TCP port forwarding rules.
False Source: Activate this option to block requests from forged IP addresses. When False Source is disabled, Empty Connection and Advanced Attack Mitigation are also disabled.
Empty Connection: Enable this option to block requests that attempt to establish null sessions. False Source must be enabled before you can turn on Empty Connection.
Advanced Attack Mitigation: This feature is applicable only to TCP port forwarding rules. The default protection mode is Normal. False Source must be enabled before you can turn on Advanced Attack Mitigation.
Loose: This mode blocks requests that have obvious attack characteristics. A small number of attacks may be allowed, but the false positive rate is low. Suitable for services that involve large-scale one-way data transmission, such as live streaming, streaming media, and data downloads, or services that require high bandwidth on origin servers.
Normal (recommended): In most cases, this mode does not affect your workloads and balances protection effect against a low false positive rate. Suitable for most scenarios. We recommend that you use this mode.
Strict: This mode enforces strict attack verification. In some cases, it causes false positives. Suitable for scenarios in which the origin server has limited bandwidth or the protection effect is weak.
Packet Feature Filtering: Configure precise access control rules based on the packet payloads. If a single rule contains multiple matching conditions, all conditions must be satisfied to trigger the corresponding action.
Priority: A value from 1 to 100. A lower value indicates a higher priority.
Rule Name: A name for the rule, for easy identification.
Match Conditions: One or more conditions, each with the following settings:
Match Conditions: The format of the packet payload, either String or Hexadecimal.
Match Range: The start and end positions for payload matching. The valid range for both positions is 0 to 1499 bytes. The start position must not exceed the end position.
Logical Operator: Either Include or Not Include.
Field Value: If Match Conditions is set to String, the content must not exceed 1500 bytes and must fit within the range specified by the start and end positions. If Match Conditions is set to Hexadecimal, the content must consist of an even number of hexadecimal characters, must not exceed 3000 characters, and must fit within the specified range.
Action: Monitor permits the request if it matches the rule; Block rejects the request if it matches the rule.
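The following Python model of these rule semantics (priority order, several conditions that must all match, String or Hexadecimal values, Include or Not Include, Monitor or Block) is an added example, not code from Alibaba Cloud or the Anti-DDoS Proxy console. It assumes that the end position of a match range is inclusive, that the field value must fit inside the selected range, and that rules are evaluated in priority order with the first matching rule deciding the outcome; the rules and payloads below are constructed.

```python
"""Added example, not Alibaba Cloud's or the console's own code: a small model of the
Packet Feature Filtering rule semantics described above, plus validation of a rule
against the documented limits. Rules and payloads are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_OFFSET = 1499        # match range positions: 0 to 1499 bytes
MAX_STRING_BYTES = 1500  # String field value: at most 1500 bytes
MAX_HEX_CHARS = 3000     # Hexadecimal field value: at most 3000 characters, even count
HEX_CHARS = set("0123456789abcdefABCDEF")


@dataclass
class Condition:
    fmt: str        # "String" or "Hexadecimal"
    start: int      # first payload byte to inspect
    end: int        # last payload byte to inspect (assumed inclusive)
    operator: str   # "Include" or "Not Include"
    value: str

    def pattern(self) -> bytes:
        return bytes.fromhex(self.value) if self.fmt == "Hexadecimal" else self.value.encode()

    def validate(self) -> Optional[str]:
        """Return a reason the condition is invalid, or None if it is acceptable."""
        if not (0 <= self.start <= MAX_OFFSET and 0 <= self.end <= MAX_OFFSET):
            return "match range positions must be between 0 and 1499"
        if self.start > self.end:
            return "start position must not exceed end position"
        if self.operator not in ("Include", "Not Include"):
            return "logical operator must be Include or Not Include"
        if not self.value:
            return "field value must not be empty"
        window = self.end - self.start + 1
        if self.fmt == "String":
            n = len(self.value.encode())
            if n > MAX_STRING_BYTES or n > window:
                return "string value must be at most 1500 bytes and fit the match range"
        elif self.fmt == "Hexadecimal":
            n = len(self.value)
            if n > MAX_HEX_CHARS or n % 2 or not set(self.value) <= HEX_CHARS:
                return "hex value must be an even number of hex characters, at most 3000"
            if n // 2 > window:
                return "hex value does not fit the match range"
        else:
            return "format must be String or Hexadecimal"
        return None

    def matches(self, payload: bytes) -> bool:
        found = self.pattern() in payload[self.start:self.end + 1]
        return found if self.operator == "Include" else not found


@dataclass
class Rule:
    name: str
    priority: int   # 1 to 100; a lower value means a higher priority
    action: str     # "Monitor" (request permitted, event recorded) or "Block"
    conditions: List[Condition]

    def validate(self) -> List[str]:
        errors = []
        if not 1 <= self.priority <= 100:
            errors.append(f"{self.name}: priority must be between 1 and 100")
        if self.action not in ("Monitor", "Block"):
            errors.append(f"{self.name}: action must be Monitor or Block")
        if not self.conditions:
            errors.append(f"{self.name}: at least one match condition is required")
        errors += [f"{self.name}: {e}" for e in map(Condition.validate, self.conditions) if e]
        return errors

    def matches(self, payload: bytes) -> bool:
        # all conditions of one rule must be satisfied to trigger its action
        return all(c.matches(payload) for c in self.conditions)


def evaluate(rules: List[Rule], payload: bytes) -> Tuple[str, Optional[str]]:
    """Apply rules in priority order; the first matching rule decides (assumption:
    the page does not state whether lower-priority rules are still evaluated)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(payload):
            return rule.action, rule.name
    return "Pass", None


# Constructed rules: block a payload that starts with four 0xFF bytes; monitor
# HTTP-like payloads that carry "GET " and "/admin" within the first 200 bytes.
RULES = [
    Rule("block-ff-preamble", 10, "Block",
         [Condition("Hexadecimal", 0, 3, "Include", "ffffffff")]),
    Rule("monitor-admin-path", 20, "Monitor",
         [Condition("String", 0, 199, "Include", "GET "),
          Condition("String", 0, 199, "Include", "/admin")]),
]
```

Running `evaluate(RULES, payload)` on a captured payload returns the action and the name of the rule that fired, or `("Pass", None)` when no rule matches; `Rule.validate()` reports every documented limit a rule violates before it is entered in the console.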
Rate Limit for Source
New Connections Limit for Source: The maximum number of new connections per second that can be initiated from a single IP address. Valid values: 1 to 50000. New connections initiated from the IP address after the upper limit is reached are dropped.
Automatic: Anti-DDoS Proxy dynamically calculates the maximum number of new connections per second that can be initiated from a single source IP address.
Manual: You must manually specify the maximum number of new connections per second that can be initiated from a single source IP address.
Note: The limit on new connections may differ slightly from actual scenarios because scrubbing nodes are deployed in clusters.
Blacklist settings: If you select the check box labeled "If the number of new connections from a source exceeds the limit five times within 60 seconds, the source IP address is added to the blacklist", all requests from IP addresses in the blacklist are dropped. To enable the blacklist settings, configure Blacklist Validity Period. Valid values: 1 to 10080. Unit: minutes. Default value: 30. An IP address added to a blacklist is removed from the blacklist when the validity period ends.
Concurrent Connections Limit for Source: The maximum number of concurrent connections that can be initiated from a single IP address. Valid values: 1 to 50000. Concurrent connections to the port after the upper limit is reached are dropped.
Blacklist settings: If you select the check box labeled "If the number of concurrent connections from a source exceeds the limit five times within 60 seconds, the source IP address is added to the blacklist", all requests from IP addresses in the blacklist are dropped. To enable the blacklist settings, configure Blacklist Validity Period. Valid values: 1 to 10080. Unit: minutes. Default value: 30. An IP address added to a blacklist is removed from the blacklist when the validity period ends.
PPS Limit for Source: The maximum number of packets per second that can be allowed from a single IP address. Valid values: 1 to 100000. Packets initiated from the IP address after the upper limit is reached are dropped.
Blacklist settings: If you select the check box labeled "If the source PPS exceeds the limit five times within 60 seconds, the source IP address is added to the blacklist", all requests from IP addresses in the blacklist are dropped. To enable the blacklist settings, configure Blacklist Validity Period. Valid values: 1 to 10080. Unit: minutes. Default value: 30. An IP address added to a blacklist is removed from the blacklist when the validity period ends.
Bandwidth Limit for Source: The maximum bandwidth of a single IP address. Valid values: 1024 to 268435456. Unit: bytes/s.
Blacklist settings: If you select the check box labeled "If the bandwidth of connections from a source exceeds the limit five times within 60 seconds, the source IP address is added to the blacklist", all requests from IP addresses in the blacklist are dropped. To enable the blacklist settings, configure Blacklist Validity Period. Valid values: 1 to 10080. Unit: minutes. Default value: 30. An IP address added to a blacklist is removed from the blacklist when the validity period ends.
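To make the interaction between the per-source limit, the "five times within 60 seconds" blacklist trigger and the Blacklist Validity Period concrete, the following Python simulation is an added example, not Alibaba Cloud's own code or an implementation of the scrubbing nodes. It uses New Connections Limit for Source as the limited quantity and assumes that every second in which a source exceeds its limit counts as one of the five violations; the source addresses and event times are constructed.

```python
"""Added example, not Alibaba Cloud's own code: a simulation of the Rate Limit for
Source behaviour described above, using the New Connections Limit for Source. A source
that exceeds its per-second limit in five different seconds within a 60-second window
is blacklisted for the validity period, then released. Assumed: each second in which
the limit is exceeded counts as one of the five violations. Traffic is constructed."""
from collections import defaultdict, deque
from typing import Dict, List, Tuple


class SourceRateLimiter:
    def __init__(self, new_conn_limit: int, blacklist_minutes: int = 30,
                 violations: int = 5, window_seconds: int = 60):
        self.limit = new_conn_limit                      # 1 to 50000 per the page
        self.blacklist_seconds = blacklist_minutes * 60  # validity period, 1 to 10080 minutes
        self.violations = violations                     # five over-limit seconds ...
        self.window = window_seconds                     # ... within 60 seconds
        self.counts: Dict[Tuple[str, int], int] = defaultdict(int)  # (src, second) -> count
        self.strikes: Dict[str, deque] = defaultdict(deque)          # src -> violation times
        self.blacklist: Dict[str, float] = {}                        # src -> expiry time

    def new_connection(self, src: str, t: float) -> str:
        """Decide 'allow' or 'drop' for one new connection from src at time t (seconds)."""
        expiry = self.blacklist.get(src)
        if expiry is not None:
            if t < expiry:
                return "drop"           # blacklisted: every request is dropped
            del self.blacklist[src]     # validity period ended: source is released
        key = (src, int(t))
        self.counts[key] += 1
        if self.counts[key] <= self.limit:
            return "allow"
        if self.counts[key] == self.limit + 1:
            # first excess connection in this second: record one violation
            strikes = self.strikes[src]
            strikes.append(t)
            while strikes and strikes[0] < t - self.window:
                strikes.popleft()       # forget violations older than the window
            if len(strikes) >= self.violations:
                self.blacklist[src] = t + self.blacklist_seconds
                strikes.clear()
        return "drop"                   # connections above the limit are dropped


# Constructed traffic: an abusive source opens 4 connections in each of 5 consecutive
# seconds against a limit of 3, retries once while blacklisted and once after release;
# a benign source opens one connection per second throughout and is never affected.
ATTACKER, BENIGN = "203.0.113.5", "198.51.100.7"
EVENTS = (
    [(ATTACKER, s + 0.1 * k) for s in range(5) for k in range(4)]
    + [(ATTACKER, 5.0), (ATTACKER, 65.0)]
    + [(BENIGN, s + 0.5) for s in range(70)]
)


def run_demo(limit: int = 3, blacklist_minutes: int = 1) -> Dict[str, List[str]]:
    """Replay EVENTS in time order and return each source's decisions in order."""
    limiter = SourceRateLimiter(limit, blacklist_minutes)
    decisions: Dict[str, List[str]] = defaultdict(list)
    for src, t in sorted(EVENTS, key=lambda e: e[1]):
        decisions[src].append(limiter.new_connection(src, t))
    return dict(decisions)


if __name__ == "__main__":
    for src, d in run_demo().items():
        print(src, "allowed", d.count("allow"), "dropped", d.count("drop"))
```

With a limit of 3 and a one-minute validity period, the abusive source has its fourth connection in each second dropped, is blacklisted at the fifth violation, is dropped outright while blacklisted, and is allowed again once the period ends; the benign source's traffic is never limited, which is the property the page describes for sources that stay under the upper limits.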
Speed Limit for Destination: Default settings differ for TCP and UDP port forwarding rules.
TCP port forwarding rules:
New Connections Limit for Destination: The maximum number of new connections per second that can be established over an Anti-DDoS Proxy port. Valid values: 100 to 100,000. Excess connections are dropped. By default, this feature is enabled and the limit is set to 100,000. This feature cannot be disabled; any attempt to disable it resets the value to the default of 100,000.
Note: The actual limit on new connections may vary slightly because the scrubbing nodes are deployed in clusters.
Concurrent Connections Limit for Destination: The maximum number of concurrent connections that can be established on an Anti-DDoS Proxy port. Valid values: 1,000 to 2,000,000. Excess connections are dropped. By default, this feature is enabled and the limit is set to 2,000,000. This feature cannot be disabled; any attempt to disable it resets the value to the default of 2,000,000.
UDP port forwarding rules:
New Connections Limit for Destination: The maximum number of new connections per second that can be established over an Anti-DDoS Proxy port. Valid values: 100 to 50,000. By default, this feature is disabled.
Note: The actual limit on new connections may vary slightly due to the clustered deployment of scrubbing nodes.
Concurrent Connections Limit for Destination: The maximum number of concurrent connections that can be established over an Anti-DDoS Proxy port. Valid values: 1,000 to 200,000. By default, this feature is enabled and the limit is set to 200,000. This feature cannot be disabled; any attempt to disable it resets the value to the default of 200,000.
Packet Length Limit: In the Packet Length Limit section, click Settings. Specify the minimum and maximum lengths of the payload contained in a packet and click OK. Valid values: 0 to 1,500 bytes.
Configure a DDoS mitigation policy for multiple port forwarding rules at a time
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.
Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland) instance, select Outside Chinese Mainland.
In the left-side navigation pane, choose .
On the Port Config page, select the instance that you want to manage and choose  below the rule list.
In the Create Mitigation Policy dialog box, follow the required formats to enter the content of a DDoS mitigation policy and click OK.
Note: You can also export DDoS mitigation policies to a TXT file, modify the content in the TXT file, and then copy and paste the modified content to the required field. The format of a DDoS mitigation policy in the exported file must be the same as the format of the policy that you want to create. For more information, see Export multiple port configurations at a time.
Configure only one DDoS mitigation policy in each row for each port forwarding rule.
When you configure a DDoS mitigation policy, the fields from left to right indicate the following parameters: forwarding port, forwarding protocol (tcp or udp), new connections limit for source, concurrent connections limit for source, new connections limit for destination, concurrent connections limit for destination, minimum packet length, maximum packet length, false source, and empty connection. Separate the fields with spaces.
The forwarding port must be a port specified in a forwarding rule.
The valid values of the false source and empty connection fields are on and off. The value off specifies that the feature is disabled.
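Because a single malformed row is rejected by the dialog box without much detail, it helps to validate pasted content first. The following Python parser is an added example, not Alibaba Cloud's own code or an exported file format; it checks each field of the row format above against the value ranges this page documents for single-rule settings (source limits 1 to 50000, destination limits by protocol, packet lengths 0 to 1500, on/off switches). It assumes, based on the single-rule notes, that Empty Connection requires False Source to be on and that False Source is off for udp rules because the feature applies only to TCP rules; the sample rows and the set of forwarding ports are constructed.

```python
"""Added example, not Alibaba Cloud's own code: a parser and validator for the
space-separated batch policy rows described above, checked against the value ranges
this page documents. Assumed: empty connection requires false source on, and false
source is off for udp rules. The sample rows and port set are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

FIELDS = ("port", "protocol", "src_new_conn", "src_conc_conn", "dst_new_conn",
          "dst_conc_conn", "min_len", "max_len", "false_source", "empty_connection")
SRC_RANGE = (1, 50000)          # New/Concurrent Connections Limit for Source
DST_RANGES = {                  # destination limits differ for tcp and udp rules
    "tcp": {"dst_new_conn": (100, 100000), "dst_conc_conn": (1000, 2000000)},
    "udp": {"dst_new_conn": (100, 50000), "dst_conc_conn": (1000, 200000)},
}
LEN_RANGE = (0, 1500)           # Packet Length Limit, payload bytes


@dataclass
class Policy:
    port: int
    protocol: str
    src_new_conn: int
    src_conc_conn: int
    dst_new_conn: int
    dst_conc_conn: int
    min_len: int
    max_len: int
    false_source: str
    empty_connection: str

    def to_line(self) -> str:
        """Render the policy back into the batch row format."""
        return " ".join(str(getattr(self, f)) for f in FIELDS)


def _check(name: str, value: int, lo_hi: Tuple[int, int], errors: List[str]) -> None:
    if not lo_hi[0] <= value <= lo_hi[1]:
        errors.append(f"{name} must be between {lo_hi[0]} and {lo_hi[1]}, got {value}")


def parse_policy(line: str, known_ports: Set[int]) -> Tuple[Optional[Policy], List[str]]:
    """Parse one row; return (Policy, []) on success or (None, errors) otherwise."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None, [f"expected {len(FIELDS)} space-separated fields, got {len(parts)}"]
    proto = parts[1].lower()
    if proto not in DST_RANGES:
        return None, ["forwarding protocol must be tcp or udp"]
    try:
        port, *nums = (int(p) for p in parts[:1] + parts[2:8])
    except ValueError:
        return None, ["port, connection limits and packet lengths must be integers"]
    src_new, src_conc, dst_new, dst_conc, min_len, max_len = nums
    fs, ec = parts[8].lower(), parts[9].lower()
    errors: List[str] = []
    if port not in known_ports:
        errors.append(f"port {port} is not specified in any forwarding rule")
    _check("new connections limit for source", src_new, SRC_RANGE, errors)
    _check("concurrent connections limit for source", src_conc, SRC_RANGE, errors)
    _check("new connections limit for destination", dst_new, DST_RANGES[proto]["dst_new_conn"], errors)
    _check("concurrent connections limit for destination", dst_conc, DST_RANGES[proto]["dst_conc_conn"], errors)
    _check("minimum packet length", min_len, LEN_RANGE, errors)
    _check("maximum packet length", max_len, LEN_RANGE, errors)
    if min_len > max_len:
        errors.append("minimum packet length must not exceed maximum packet length")
    if fs not in ("on", "off") or ec not in ("on", "off"):
        errors.append("false source and empty connection must be on or off")
    elif ec == "on" and fs == "off":
        errors.append("empty connection requires false source to be on")   # assumed, from the single-rule notes
    elif proto == "udp" and fs == "on":
        errors.append("false source applies only to tcp rules")             # assumed, from the False Source note
    if errors:
        return None, errors
    return Policy(port, proto, src_new, src_conc, dst_new, dst_conc, min_len, max_len, fs, ec), []


def parse_policies(text: str, known_ports: Set[int]) -> Tuple[List[Policy], Dict[int, List[str]]]:
    """Parse a pasted block, one policy per row; errors are keyed by 1-based row number."""
    policies, errors = [], {}
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        policy, errs = parse_policy(line, known_ports)
        if policy:
            policies.append(policy)
        else:
            errors[n] = errs
    return policies, errors


# Constructed sample: two valid rows and a third row with two mistakes
# (source limit above 50000, empty connection on while false source is off).
SAMPLE_ROWS = """\
8080 tcp 1000 5000 100000 2000000 0 1500 on on
9000 udp 500 2000 50000 200000 0 1500 off off
8081 tcp 60000 5000 100000 2000000 0 1500 off on
"""
```

`parse_policies(SAMPLE_ROWS, {8080, 9000, 8081})` returns the two valid policies and a per-row error list for the third, so the offending row can be corrected before the content is pasted into the dialog box; `Policy.to_line()` regenerates rows in the same format for re-export.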