Anti-DDoS: Configure blacklists and whitelists for domain names

Last Updated: Dec 17, 2024

Anti-DDoS Proxy lets you configure a blacklist and a whitelist for a domain name. Access requests from the IP addresses in these lists are blocked or allowed directly, without applying any protection policies. This topic describes how to configure the feature.

Introduction

When you add a website service to an Anti-DDoS Proxy instance, you can blacklist malicious IP addresses with high access volumes to block their requests. Conversely, you can whitelist trusted IP addresses, such as those from internal office networks, business interface calls, or other verified IPs, to permit their requests and bypass blocking. If an IP address is on both the blacklist and the whitelist, the whitelist takes precedence.

Anti-DDoS Proxy supports two types of blacklists and whitelists: IP-address-based and domain-name-based.

  • IP-address-based blacklist or whitelist: This feature is applicable to all services added to an instance and can be enabled for port services. For more information, see Configure blacklists and whitelists for IP addresses.

  • Domain-name-based blacklist or whitelist: This feature is specific to designated domain names.

Validity period

The policy is permanently effective.

Limits

  • You can configure up to 500 IP addresses or CIDR blocks in a blacklist or whitelist for a domain name.

  • Once enabled, the settings are applied to each instance associated with the domain names and immediately affect the traffic of the domain names.

    Note

    Occasionally, the blacklist and whitelist policies for domain names take effect only after your instance receives and processes specific inbound traffic. If the settings do not take effect after the policy is enabled, send several requests to the domain names to trigger the settings.

  • Configuration restrictions for blacklist and whitelist:

    • IPv4-only instances support IPv4 addresses or CIDR blocks, while IPv6-only instances support IPv6 addresses or CIDR blocks.

    • IPv4 CIDR blocks range from /8 to /32, and IPv6 CIDR blocks range from /32 to /128.

    • IPv4 addresses cannot be set to 0.0.0.0 or 255.255.255.255, and IPv6 addresses cannot be set to :: or ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.

Prerequisites

A website service is added to Anti-DDoS Proxy. For more information, see Add websites.

Procedure

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.

    • Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland) instance, select Outside Chinese Mainland.

  3. In the left-side navigation pane, choose Mitigation Settings > General Policies.

  4. On the General Policies page, click the Protection for Website Services tab and select the domain name that you want to configure from the list on the left.

  5. In the Blacklist and Whitelist section, click Settings in the bottom right corner.

  6. In the Configure Blacklist and Whitelist dialog box, enter the IP addresses or CIDR blocks for the blacklist and whitelist, and click OK.

    Separate multiple entries with commas. Each entry can be an IP address or a CIDR block (IP address with subnet mask).

  7. Back in the Blacklist and Whitelist section, activate the settings by toggling the Status switch.
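
The entry rules in the Limits section and the comma-separated format from step 6 can be checked before a list is pasted into the console. The following Python is an added example, not part of Anti-DDoS Proxy or its documentation; the function names, the sample addresses, and the decision to flag CIDR blocks with host bits set are assumptions. It also reports blacklist entries that overlap the whitelist, since the whitelist takes precedence.

```python
import ipaddress

MAX_ENTRIES = 500                          # per-list limit (Limits section)
PREFIX_RANGE = {4: (8, 32), 6: (32, 128)}  # allowed CIDR prefix lengths
FORBIDDEN = {ipaddress.ip_address(a) for a in (
    "0.0.0.0", "255.255.255.255", "::",
    "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")}

def validate_list(text, ip_version):
    """Check a comma-separated list for an IPv4-only (4) or IPv6-only (6)
    instance. Returns (accepted_networks, error_messages)."""
    entries = [e.strip() for e in text.split(",") if e.strip()]
    networks, errors = [], []
    if len(entries) > MAX_ENTRIES:
        errors.append(f"{len(entries)} entries, limit is {MAX_ENTRIES}")
    low, high = PREFIX_RANGE[ip_version]
    for entry in entries:
        try:
            # Assumption: blocks with host bits set (10.1.2.3/24) are flagged,
            # because the page does not say how the console treats them.
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            errors.append(f"{entry}: not a valid IP address or CIDR block")
            continue
        if net.version != ip_version:
            errors.append(f"{entry}: IPv{net.version} on IPv{ip_version}-only instance")
        elif not low <= net.prefixlen <= high:
            errors.append(f"{entry}: prefix must be /{low} to /{high}")
        elif net.num_addresses == 1 and net.network_address in FORBIDDEN:
            errors.append(f"{entry}: this address cannot be listed")
        else:
            networks.append(net)
    return networks, errors

def shadowed_by_whitelist(blacklist, whitelist):
    """Pairs (b, w) where blacklist network b overlaps whitelist network w.
    The whitelist takes precedence, so those addresses are not blocked."""
    return [(b, w) for b in blacklist for w in whitelist if b.overlaps(w)]

# Constructed sample input using documentation address ranges.
BLACK = "203.0.113.0/24, 198.51.100.7, 10.0.0.0/7, 0.0.0.0, 2001:db8::/32"
WHITE = "203.0.113.10, 192.0.2.0/24"

if __name__ == "__main__":
    black, black_errors = validate_list(BLACK, 4)
    white, white_errors = validate_list(WHITE, 4)
    print(*black_errors, *white_errors, sep="\n")
    for b, w in shadowed_by_whitelist(black, white):
        print(f"{w} is whitelisted and overrides blacklist entry {b}")
```

With the sample input, three blacklist entries are rejected (a /7 prefix, 0.0.0.0, and an IPv6 block on an IPv4-only instance), and 203.0.113.0/24 is reported as partly overridden by the whitelisted 203.0.113.10.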

Reference

To identify source IP addresses of anomalies, visit the Attack Analysis page and consider adding them to the blacklist. For more details, see View information on the Attack Analysis page.