The location blacklist feature allows you to block IP addresses by geographic location with a few clicks. Traffic that is destined for Anti-DDoS Proxy are blocked at traffic scrubbing centers. This way, malicious requests are blocked. This topic describes how to configure the location blacklist feature.
Overview
Anti-DDoS Proxy supports the location blacklist feature and the location blacklist (domain names) feature.
The location blacklist feature: The feature takes effect on all services that are added to an Anti-DDoS Proxy instance.
The location blacklist (domain names) feature: The feature takes effect only on domain names. For more information, see Configure the location blacklist (domain names) feature.
In most cases, you can configure the location blacklist feature for a port service, and configure the location blacklist (domain names) feature for a website service. If you configure the two features at the same time, the location blacklist feature takes effect at a higher priority.
For example, if you configure the location blacklist feature for an Anti-DDoS Proxy instance to block requests from regions outside China, users outside China cannot access domain names that are associated with the instance even if the location blacklist (domain names) feature is configured to allow access from the regions.
Scenarios
If all service requests are initiated from regions in China, you can configure the location blacklist feature to block requests from regions outside China.
Validity period
After you configure the location blacklist feature, the configurations are permanently valid.
Location blacklist and near-origin traffic diversion
The location blacklist feature blocks requests from specific locations at traffic scrubbing centers. This feature discards blocked requests near the destination servers. The location blacklist feature can identify and filter requests based on the location of the source IP addresses. This feature cannot reduce the volume of attack traffic. Therefore, the feature is suitable for mitigating connection flood attacks.
The near-origin traffic diversion feature discards requests from specific regions based on the attack source by using core routers on the network provided by an Internet Service Provider (ISP). For more information, see Configure the near-origin traffic diversion feature.
The near-origin traffic diversion feature is available only for Anti-DDoS Proxy (Chinese Mainland).
Limits
The near-origin traffic diversion feature is available only for an Anti-DDoS Proxy instance that uses the Enhanced function plan. If your Anti-DDoS Proxy instance uses the Standard function plan, upgrade the instance.
You cannot configure the feature for multiple Anti-DDoS Proxy instances at a time. You must configure the feature for each Anti-DDoS Proxy instance.
Prerequisites
An Anti-DDoS Proxy instance that uses the Enhanced function plan is purchased. For more information, see Purchase an Anti-DDoS Proxy instance.
Procedure
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.
Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland), select Outside Chinese Mainland.
In the left-side navigation pane, choose
.On the Protection for Infrastructure tab, select the instance that you want to manage from the list on the left side.
NoteYou can search for an instance by instance ID or description.
In the Location Blacklist section, click Settings.
In the Configure Location Blacklist panel, select the regions that you want to block and click OK.
Return to the Location Blacklist section and turn on Status for the configurations to take effect.