After you add your asset that is assigned a public IP address to an Anti-DDoS Origin instance for protection, the instance uses the default mitigation policy to protect the asset. You can create custom mitigation policies based on your business requirements to allow or deny traffic that has specific characteristics. After your asset encounters DDoS attacks, you can view the characteristics of the attack traffic in mitigation logs or on the Attack Analysis page. Then, you can modify the custom mitigation policies. This improves the DDoS mitigation effect. An asset that is assigned a public IP is referred to as an asset for short in the following sections. This topic describes the details of custom mitigation policies of Anti-DDoS Origin.
Mitigation policy types
Anti-DDoS Origin provides IP-specific mitigation policies and port-specific mitigation policies. If you configure both IP-specific mitigation policies and port-specific mitigation policies, IP-specific mitigation policies have a higher priority.
Policy type | Applicable asset | Description |
IP-specific mitigation policy |
| You can configure IP-specific mitigation policies to mitigate volumetric DDoS attacks at the network and transport layers. If traffic matches a rule in a policy, the system processes the traffic based on the action specified in the rule. |
Port-specific mitigation policy | EIPs with Anti-DDoS (Enhanced) enabled | You can configure port-specific mitigation policies to allow or discard traffic that has specific characteristics to mitigate TCP flood attacks (application-layer flood attacks on non-website services) that are launched against your non-website service and monitor and filter application-layer traffic in a fine-grained manner. |
Supported regions for mitigation policies
You can configure mitigation policies free of charge. However, only some regions are supported, and limited functionalities are provided, as described in the following table. If the mitigation policies cannot meet your business requirements, contact us. For more information, see Contact us.
In the following table, a tick (√) indicates that the mitigation policies are supported, and a cross (×) indicates that the mitigation policies are not supported.
Asset type | Region | IP-specific mitigation policy | Port-specific mitigation policy |
Asset of a regular Alibaba Cloud service | Chinese mainland | √ | × |
Regions outside the Chinese mainland | Supported regions: China (Hong Kong), US (Virginia), US (Silicon Valley), Germany (Frankfurt), UK (London), Japan (Tokyo), Singapore, Indonesia (Jakarta), and Malaysia (Kuala Lumpur) | × | |
EIP with Anti-DDoS (Enhanced) enabled | Chinese mainland | √ | Supported only in the China (Hangzhou) region |
Regions outside the Chinese mainland | Supported regions: China (Hong Kong), US (Virginia), US (Silicon Valley), Germany (Frankfurt), UK (London), Japan (Tokyo), Singapore, Indonesia (Jakarta), and Malaysia (Kuala Lumpur) | × | |
Asset that is added to an anti-DDoS diversion instance | Regions outside the Chinese mainland | × | × |
References
For more information about how to view mitigation logs and information on the Attack Analysis page, see Query mitigation logs and View information on the Attack Analysis page.
For more information about DDoS attack types and suitable anti-DDoS solutions, see Scenario-specific anti-DDoS solutions.