To protect assets of regular Alibaba Cloud services or elastic IP addresses (EIPs) with Anti-DDoS (Enhanced) enabled, you can configure IP-specific mitigation policies to filter out or allow traffic based on the policies and improve the mitigation effect on volumetric DDoS attacks at the network and transport layers. This topic describes how to configure IP-specific mitigation policies.
Usage notes
Assets of regular Alibaba Cloud services support only IP-specific mitigation policies. EIPs with Anti-DDoS (Enhanced) enabled support both IP-specific and port-specific mitigation policies. If you configure both IP-specific and port-specific mitigation policies, IP-specific mitigation policies have a higher priority.
You can associate only one IP-specific mitigation policy with an asset that is assigned a public IP address. In the following sections, an asset that is assigned a public IP address is referred as an asset for short.
Prerequisites
The asset of a regular Alibaba Cloud service is added to Anti-DDoS Origin 1.0, Anti-DDoS Origin 2.0 (Subscription), or Anti-DDoS Origin 2.0 (Pay-as-you-go) for protection. For more information, see Add an object for protection.
The EIP with Anti-DDoS (Enhanced) enabled is automatically added for protection after you purchase the EIP. You do not need to manually add the EIP.
Procedure
Log on to the Traffic Security console.
In the left-side navigation pane, choose .
Click Create Policy. In the Create Policy panel, configure Policy Name and select IP-specific Mitigation Policy in the Select Policy Type section. Then, click OK.
In the The policy is created. message, click OK. Then, configure rules and click Next.
ImportantSpecific rules take effect only when DDoS attacks occur. The following rules are listed in descending order of priority:
For assets of regular Alibaba Cloud services: the Blacklist rule, the ICMP Blocking rule, the Whitelist rule, the Location Blacklist rule, the Port Blocking rule, and the Byte-Match Filter rule.
For EIPs with Anti-DDoS (Enhanced) enabled: the Blacklist rule, the ICMP Blocking rule, the Whitelist rule, the Port Blocking rule, the Byte-Match Filter rule, the Reflection Attack Filtering rule, and the Source Rate Limiting rule.
Rule validity period: The rules do not expire except for the Blacklist rule. You must configure a validity period for the Blacklist rule.
Rule
Rule description
Regular Alibaba Cloud service
EIP with Anti-DDoS (Enhanced) enabled
Description
Intelligent Protection
The intelligent engine based on big data analytics automatically learns the traffic patterns of your service, and mitigates DDoS attacks at the network and transport layers.
×
√
ImportantAfter you create a mitigation policy, the Intelligent Protection rule is automatically enabled and set to the Normal level. In this case, the intelligent engine based on big data analytics requires approximately three days to provide optimal protection after the engine learns the patterns of your service traffic.
Based on data of historical service traffic, expert experience, and algorithms, the Intelligent Protection rule provides the following levels of protection:
Loose: The Intelligent Protection rule at the Loose level protects your assets against malicious IP addresses that have attack characteristics. The Loose level may allow attacks but has a low false positive rate.
Normal: The Intelligent Protection rule at the Normal level protects your assets against malicious and suspicious IP addresses that have attack characteristics. The Normal level helps achieve balance between protection effects and low false positive rates.
Strict: The Intelligent Protection rule at the Strict level provides strong protection against attacks. The Strict level causes false positives in some cases.
ICMP Blocking
This rule denies Internet Control Message Protocol (ICMP) requests during traffic scrubbing to protect servers from malicious scans and help mitigate ICMP flood attacks.
√
Takes effect only during attacks
√
Takes effect only during attacks
This rule takes effect on the IP addresses in the whitelist. ICMP requests that are sent from the IP addresses are also denied.
ImportantIf you enable the ICMP Blocking rule, the traffic for ping commands is also blocked. Before you perform network diagnosis and maintenance by using ping commands, disable the ICMP Blocking rule.
Blacklist and Whitelist
The Blacklist rule denies requests from specific source IP addresses. The Whitelist rule allows requests from specific source IP addresses.
√
Takes effect only during attacks
√
Takes effect all the time
When you add an IP address to the blacklist, you must configure a validity period that ranges from 1 minute to 10,080 minutes for the blacklist. The validity period takes effect on all IP addresses in the blacklist.
You can add up to 2,000 IP addresses to the blacklist and up to 2,000 IP addresses to the whitelist.
Location Blacklist
This rule can block access requests by geographic location. After the Location Blacklist rule is enabled, the traffic that is initiated from the blocked locations to the destination IP address is blocked.
√
Takes effect only during attacks
√
Takes effect all the time
You can block access requests by area or country.
Port Blocking
This rule denies UDP or TCP requests that are sent over the source or destination ports to mitigate UDP reflection attacks.
√
Takes effect only during attacks
√
Takes effect only during attacks
You can create up to eight port blocking rules.
ImportantWe recommend that you configure a port blocking rule based on the following suggestions:
If your asset does not provide UDP services, we recommend that you block all source UDP ports. If your asset provides UDP services later, adjust the mitigation policy at the earliest opportunity.
If your asset provides UDP services, we recommend that you block the common source ports that are exploited by UDP reflection attacks. The ports include ports 1 to 52, 54 to 161, 389, 1900, and 11211.
Source Rate Limiting
This rule allows you to specify thresholds to limit the rates at which source IP addresses access a protected IP address.
×
√
Takes effect all the time
You can configure Source PPS, Source Bandwidth, PPS of Source SYN Packets, and Bandwidth of Source SYN Packets. After you specify a threshold for each type of access rate, you can also select the "If a source IP address triggers rate limiting five times within 60 seconds, the IP address is added to the blacklist" option for each type of access rate. After you select the option, all access traffic from the source IP address is discarded.
Reflection Attack Filtering
This rule monitors and protects only UDP traffic. Anti-DDoS blocks UDP traffic from the source ports that you specify to help block common UDP reflection attacks.
×
√
Takes effect all the time
The Reflection Attack Filtering rule supports the following types of policies:
One-click Filtering Policy: lists common UDP reflection attacks. If your service does not use UDP, we recommend that you block all source UDP ports.
Custom Filtering Policy: You can specify up to 20 custom ports. The ports cannot be the same as the ports in the One-click Filtering Policy section.
Byte-Match Filter
This rule matches bytes for the content of specific packets to deny, allow, or limit the rates of requests. In most cases, attack packets that are forged by attack tools have the same feature fields. For example, the attack packets contain the same string or content.
√
Takes effect only during attacks
√
Takes effect only during attacks
The following section describes the configuration parameters:
Protocol: the type of the protocol. Valid values: TCP and UDP.
Source Port Range: the range of source ports. Valid values: 0 to 65535.
Destination Port Range: the range of destination ports. Valid values: 0 to 65535.
Packet Length Range: the range of packet lengths. Valid values: 1 to 1500. Unit: bytes.
Offset: the offset of bytes in UDP or TCP packets. Valid values: 0 to 1500. Unit: bytes.
If you set this parameter to 0, the system starts matching from the first byte.
Payload: the matching payload of UDP or TCP packets. You must enter a hexadecimal string. The value must be 1 byte to 15 bytes in length.
Action: the action on the requests that match the specified conditions. Valid values: Pass, Discard, Limit Bandwidth of Source IP Address, and Limit Bandwidth of Session.
If you select Limit Bandwidth of Source IP Address or Limit Bandwidth of Session, you must specify the Bandwidth parameter. Valid values of the Bandwidth parameter: 1 to 100000. Unit: packets per second (pps).
Add Back-to-origin CIDR Blocks of Anti-DDoS Pro and Anti-DDoS Premium to Whitelist
This rule adds the back-to-origin CIDR blocks of your Anti-DDoS Pro or Anti-DDoS Premium instance to the whitelist of EIP with Anti-DDoS (Enhanced) enabled.
×
√
To protect an EIP with Anti-DDoS (Enhanced) enabled, traffic that is destined for the EIP is forwarded to the Anti-DDoS scrubbing centers and then forwarded to your origin server. To prevent service traffic from being blocked, we strongly recommend that you enable this rule.
In the Protected Assets section of the Objects to Select section, search for the asset on which you want the configured rules to take effect by region and instance name and click Add.
What to do next
To modify an IP-specific mitigation policy, select Port-specific Mitigation Policy on the Mitigation Settings page. Find the policy that you want to modify and click Modify Protection Rule in the Actions column.
ImportantAfter you modify a mitigation policy, the modifies policy takes effect on all protected objects. Proceed with caution.
To delete an IP-specific mitigation policy, select Port-specific Mitigation Policy on the Mitigation Settings page. Find the policy that you want to delete and click Delete in the Actions column.
ImportantIf the mitigation policy that you want to delete is attached to an object, you cannot delete the mitigation policy. You must detach the mitigation policy from the protected object before you can delete the mitigation policy.
To attach a mitigation policy to an object for protection or detach a mitigation policy from a protected object, select Port-specific Mitigation Policy on the Mitigation Settings page. Find the policy that you want to manage and click Add Object for Protection in the Actions column.
Examples
To protect assets of regular Alibaba Cloud services, you can configure IP-specific mitigation policies based on your business requirements to mitigate volumetric DDoS attacks at the network and transport layers.
Parameter | Description |
ICMP Blocking | If your service does not involve ICMP, we recommend that you enable the ICMP Blocking rule. |
Blacklist and Whitelist | After your service is attacked, you can add the top malicious IP addresses that are displayed on the Attack Analysis page to the blacklist. You can add up to 2,000 IP addresses to the blacklist. For more information, see View information on the Attack Analysis page. |
Location Blacklist | You can block requests from IP addresses in all regions in which your service is unavailable. For example, if your service is unavailable in regions outside the Chinese mainland, you can block all requests that are initiated outside the Chinese mainland. |
Port Blocking | If your service does not use UDP, we recommend that you block all UDP ports. |
Byte-Match Filter | You can analyze attack traffic and configure the Byte-Match Filter rule based on the traffic characteristics. |