Anti-DDoS: Configure the global mitigation policy feature

Last Updated: Jan 08, 2025

The global mitigation policy feature contains general mitigation rules that are accumulated based on the attack and defense experience of Anti-DDoS Proxy. After you enable the global mitigation policy feature, the feature can help reduce the risks that are caused by attacks on your websites. This topic describes how to configure the global mitigation policy feature.

Introduction to the global mitigation policy feature

Modes

The global mitigation policy feature supports the following modes: Loose, Normal, and Strict. The following table describes the modes. After you configure a forwarding rule for a domain name, Anti-DDoS Proxy automatically enables the global mitigation policy feature and uses the Normal mode for the domain name. You can change the mode based on your business requirements.

| Mode | Mitigation effect | Scenario |
| --- | --- | --- |
| Loose | Blocks specific known attacks and allows normal requests. | • This mode is suitable for large websites that have strong processing capabilities. • If you do not have high requirements for traffic scrubbing, we recommend that you use the Loose mode. For example, you can use the Loose mode during large-scale promotional events. |
| Normal (recommended) | Blocks attacks that are disclosed on the Internet but are not recorded in the historical traffic of your website. This mode has low impacts on your website. | This mode is suitable for scenarios in which the number of requests does not greatly fluctuate and the business attributes and user sources are stable. |
| Strict | Strictly blocks attacks. Normal requests may also be blocked. Important: To prevent adverse impacts of the mode change on your website, we recommend that you contact Alibaba Cloud technical support before you use the Strict mode. | • This mode is suitable for websites that do not have sufficient processing capabilities. • If you require stronger traffic scrubbing capabilities to improve mitigation performance, we recommend that you use this mode. |

Mitigation rules

Anti-DDoS Proxy provides a number of mitigation rules and categorizes the rules into different types. The following table describes the types. In addition, each mode of the global mitigation policy feature supports a specific number of rules. If attack analysis reports or logs reveal that a rule causes a false positive and adversely affects your workloads, you do not need to change the existing mode. You only need to disable the rule or change the action of the rule.

| Type | Description |
| --- | --- |
| Invalid Request | The HTTP header of the request is invalid due to encoding errors. |
| Simulated Browser Request | The request is a simulated HTTP request designed to mimic a browser-initiated request. In most cases, such a request triggers a JavaScript challenge. |
| Simulated Crawler Request | The request is a simulated HTTP request designed to mimic a crawler-initiated request. |
| Attack Tool Request | The HTTP request is initiated by a common attack tool. |
| High-frequency Attack Request | The HTTP requests are initiated by attackers at a high frequency. |
| Attack Request | The request features the attack characteristics that are accumulated from the attack and defense experience of Alibaba Cloud. |

Mode-specific mitigation rules

In the following table, a tick (√) indicates that a mode supports a rule, and a cross (×) indicates that a mode does not support a rule.

The actions of mitigation rules are different. You can change the actions based on your business requirements.

  • Monitor: records information about the request in logs and allows the request.

  • JavaScript Challenge: performs Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) verification to verify the source IP address of the request.

  • Block: blocks the request.

Rule type

Rule ID

Description

Default action

Loose

Normal

Strict

Invalid Request

global_01

The HTTP request header Accept is invalid.#1

Block

Invalid Request

global_02

The HTTP request header Accept-Language is invalid.#1

Block

Invalid Request

global_0_1

The HTTP request header Accept-Encoding is invalid.#1

Block

×

Invalid Request

global_15

The HTTP request header Accept is invalid.#2

Block

Invalid Request

global_ge_05f8a760096d29cee462a63ab418e5c3_B_t

The HTTP request header Accept is invalid.#3

Block

Invalid Request

global_ge_0_B_t

The HTTP request header Accept-Encoding is invalid.#2

Block

×

Invalid Request

global_ge_0d4dbd8080c85462ea5395d1d8251da8_B_t

The HTTP request header Referer is invalid.#1

Block

×

Invalid Request

global_ge_0e2130d0b87abe84bd74735ec4586ab1_B_t

The HTTP request header Accept is invalid.#4

Block

Invalid Request

global_ge_1_B_t

The HTTP request header Accept-Language is invalid.#2

Block

×

Invalid Request

global_ge_2cfc5256bf5be8892b9356d8db40d0e3_B_t

The HTTP request header Cache-Control is invalid.#1

Block

Invalid Request

global_ge_aba03cde2fc06dd322ad0a1a46bc47d8_B_t

The HTTP request header Connection is invalid.#1

Block

Invalid Request

global_online_03

The HTTP request header Referer is invalid.#2

Block

Invalid Request

global_spv_3adcd517f14ef4295dbcb65f2b544621_B_t

The HTTP request header Accept-Language is invalid.#3

Block

×

Invalid Request

global_spv_a69fdbd25ac2da2984809fdc051e9d4e_B_t

The HTTP request header User-Agent is invalid.#1

Block

×

×

Simulated Browser Request

global_03

The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#1

JavaScript Challenge

×

×

Simulated Browser Request

global_2_3

The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#2

JavaScript Challenge

×

×

Simulated Browser Request

global_2_4

The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#3

JavaScript Challenge

×

×

Simulated Browser Request

global_r_1_C

The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#4

JavaScript Challenge

×

×

Simulated Browser Request

global_r_2_C_t

The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#5

JavaScript Challenge

×

×

Simulated Browser Request

global_th_00922977ecc39f015bdd94e54e3f08c8_C_t

The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#6

JavaScript Challenge

×

×

Simulated Browser Request

global_th_10_C_t

The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#7

JavaScript Challenge

×

×

Simulated Browser Request

global_th_1db36a86783775fb36ff65e9a9471293_C_t

The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#8

JavaScript Challenge

×

×

Simulated Browser Request

global_th_4_C_t

The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#9

JavaScript Challenge

×

×

Simulated Browser Request

global_th_5_C_t

The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#10

JavaScript Challenge

×

×

Simulated Browser Request

global_th_6_C_t

The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#11

JavaScript Challenge

×

×

Simulated Browser Request

global_th_7_C_t

The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#12

JavaScript Challenge

×

×

Simulated Browser Request

global_th_8_C_t

The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#13

JavaScript Challenge

×

×

Simulated Browser Request

global_th_9_C_t

The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#14

JavaScript Challenge

×

×

Simulated Browser Request

global_th_a256dec6c80b7c953a9d5cf21b193e93_C_t

The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires strong verification based on a combination of request headers.#1

JavaScript Challenge

×

×

Simulated Browser Request

global_th_e353aae960559269a5146aca41060c60_C_t

The request may be a simulated HTTP request designed to mimic a browser-initiated request, which requires verification based on a combination of request headers.#15

JavaScript Challenge

×

×

Simulated Crawler Request

global_d_6587d6a0e3adb13d4949cdb59a3167c3_B_t

The request is a simulated HTTP request designed to mimic a Google Chrome crawler-initiated request.#1

Block

×

×

Simulated Crawler Request

global_d_97a08ec7a4a0d131194c4fd40802dd98_B_t

The request is a simulated HTTP request designed to mimic a Baidu crawler-initiated request.#1

Block

×

×

Simulated Crawler Request

global_d_d51505ef3de38efe92bff2163a3b4d38_B_t

The request is a simulated HTTP request designed to mimic a Google Chrome crawler-initiated request.#2

Block

×

×

Attack Tool Request

global_d_0ac87637e9fccf60e9afbe18ad6af1d9_C_t

The HTTP request may be initiated by a known attack tool, which requires verification based on a combination of request headers.#1

JavaScript Challenge

×

×

Attack Tool Request

global_d_0d0fc1037e2239562d31473e11d40909_B_t

The HTTP request header User-Agent has the characteristics of requests initiated by known attack tools.#1

Block

×

Attack Tool Request

global_d_436c6492dbef6f8d43eec0c3caa86652_C_t

The HTTP request may be initiated by a known attack tool, which requires verification based on a combination of request headers.#2

JavaScript Challenge

×

Attack Tool Request

global_d_52d72f8b80d5877e10763d451cc05479_C_t

The HTTP request may be initiated by a known attack tool, which requires verification based on a combination of request headers.#3

JavaScript Challenge

×

Attack Tool Request

global_d_5e65a8ca4a9ea2339f24d93c7b2fa819_C_t

The HTTP request may be initiated by a known attack tool, which requires verification based on a combination of request headers.#4

JavaScript Challenge

×

Attack Tool Request

global_d_5fdc132caf63121890cb733ad4c2463e_B_t

The HTTP request header User-Agent has the characteristics of requests initiated by known attack tools.#2

Block

×

Attack Tool Request

global_d_658fef4f5d139461f7135b89f5d9dd6d_C_t

The HTTP request may be initiated by a known attack tool, which requires verification based on a combination of request headers.#5

JavaScript Challenge

×

Attack Tool Request

global_d_839574bd00cc6f9f2a256a599829db04_B_t

The HTTP request header User-Agent has the characteristics of requests initiated by known attack tools.#3

Block

×

Attack Tool Request

global_d_8917da6c5c8a6aba6ab9156cc9f89d35_B_t

The HTTP request header User-Agent has the characteristics of requests initiated by known attack tools.#4

Block

×

Attack Tool Request

global_d_adc8a089ad050bd9e2ed1aed2b991526_C_t

The HTTP request may be initiated by a known attack tool, which requires verification based on a combination of request headers.#6

JavaScript Challenge

×

Attack Tool Request

global_d_bec67b0fe8d26adb09f375c67e355a88_C_t

The HTTP request may be initiated by a known attack tool, which requires verification based on a combination of request headers.#7

JavaScript Challenge

×

×

Attack Tool Request

global_d_c660088d7e2385d949fbf594461b06ac_B_t

The HTTP request header User-Agent has the characteristics of requests initiated by known attack tools.#5

Block

×

Attack Tool Request

global_d_dc71e4b0d53ef00f0631b0db72e95fb7_B_t

The HTTP request header User-Agent has the characteristics of requests initiated by known attack tools.#6

Block

×

Attack Tool Request

global_d_fc1c525466aaf12d4580ad03763daaf4_B_t

The HTTP request header User-Agent has the characteristics of requests initiated by known attack tools.#7

Block

×

Attack Tool Request

global_spv_2bdf9b3b14f1277aaccc38ae2b2e8a23_B_t

The HTTP request header Referer has the characteristics of requests initiated by known attack tools.#1

Block

×

Attack Tool Request

global_spv_507e041146fa3a0d8abc61b0bb0ba1bf_B_t

The HTTP request header Referer has the characteristics of requests initiated by known attack tools.#2

Block

×

Attack Tool Request

global_spv_b980df6086a5b9bded374883531ceb9a_B_t

The HTTP request header Referer has the characteristics of requests initiated by known attack tools.#3

Block

×

High-frequency Attack Request

global_cc_1321b42f0967324a4581f7df931b4b64_C_t

High-frequency HTTP requests are initiated to attack a homepage.#1

JavaScript Challenge

×

×

High-frequency Attack Request

global_cc_3ed2a1a3801ce62eee67a1804dc2682a_C_t

High-frequency HTTP attack requests are initiated by traversing request headers.#1

JavaScript Challenge

×

×

High-frequency Attack Request

global_cc_5d4f4eacd0d2e37f0a82ab247bcdcc50_C_t

High-frequency HTTP attack requests are initiated by using special User-Agent headers.#1

JavaScript Challenge

×

High-frequency Attack Request

global_cc_958593f854099089cdec7638c11116f4_C_t

High-frequency HTTP attack requests are initiated by traversing URIs.#1

JavaScript Challenge

×

×

High-frequency Attack Request

global_cc_c5d86db096688b00f8ad8cb4c3a3d363_C_t

High-frequency HTTP attack requests are initiated by traversing request headers.#2

JavaScript Challenge

×

Attack Request

global_1_1

The HTTP request header Ping-To indicates a malicious source.#1

Block

×

Attack Request

global_1_3

The HTTP request header Referer has attack characteristics.#1

Block

×

Attack Request

global_1_4

The HTTP request header Accept has attack characteristics.#1

Block

×

×

Attack Request

global_d_0226f8975a3bb985c7c069fff282bbdc_B_t

The HTTP request header User-Agent has attack characteristics.#1

Block

×

Attack Request

global_d_34f692ae6798abe9fc822912cfcd4cc5_B_t

The HTTP request header User-Agent has attack characteristics.#2

Block

×

×

Attack Request

global_d_c310e8097811299b9f3d968fe771ebc9_B_t

The HTTP request header User-Agent has attack characteristics.#3

Block

×

Attack Request

global_ge_e397de51d53a70ad1ef6daaf332de446_B_t

The HTTP request header Accept-Language has attack characteristics.#1

Block

Attack Request

global_hm_9c0017d9c9b1aa12ea2df4503d8fae29_B_t

The HTTP request method has attack characteristics.#1

Block

×

Attack Request

global_hm_c1db5bd6d4f9da9739224ca848b60e62_B_t

The HTTP request method has attack characteristics.#2

Block

×

Attack Request

global_online_01

The HTTP request header User-Agent has attack characteristics.#4

Block

Attack Request

global_online_02

The HTTP request header Accept-Language has attack characteristics.#2

Block

×

Attack Request

global_spv_0_B_t

The HTTP request header Accept-Language has attack characteristics.#3

Block

×

Attack Request

global_spv_1926afcce4ce00198eca856aaaf6fe38_B_t

The HTTP request header User-Agent has attack characteristics.#5

Block

×

Attack Request

global_spv_1_B_t

The HTTP request URI has attack characteristics.#1

Block

×

Attack Request

global_spv_2_B_t

The HTTP request header Referer has attack characteristics.#2

Block

×

Attack Request

global_spv_4957fd08aa78f6e640f2364b087cd117_B_t

The HTTP request header User-Agent has attack characteristics.#6

Block

×

×

Attack Request

global_spv_4e580d90c3df0d19e71fb6947caf5489_C_t

The HTTP request header Accept has attack characteristics.#2

JavaScript Challenge

×

×

Decide whether to change a mode or a mitigation rule

You can decide whether to change a mode or a mitigation rule based on the following dimensions.

  • Impact scope and frequency

    • If a mode causes multiple types of normal user behaviors, such as user logons, uploading, and downloading, to be frequently blocked, you can change the mode.

    • If false positives are generated for only a specific type of user behavior, such as a specific type of client access or website homepage refresh, and most other workloads are normal, a specific mitigation rule may be the cause. In this case, you only need to change the mitigation rule.

  • Service change

    • If major changes, such as new external interfaces and changes to the existing network architecture, are made to your service, the existing mode may no longer be suitable for your service and your service may be adversely affected. In this case, you must change the mode.

    • If your service remains stable and a feature occasionally fails, a specific mitigation rule may not be suitable for your service. In this case, you only need to change the mitigation rule.

  • Adverse impact of mitigation rules on service traffic

    • You can test an existing mode and the mitigation rules by simulating service traffic. If the system blocks a large amount of the simulated service traffic, you may need to change the mode.

    • If the simulated service traffic hits only a specific mitigation rule and a false positive is caused, you only need to change the mitigation rule. For example, if normal high-frequency queries hit a mitigation rule of the high-frequency attack request type, you only need to change the mitigation rule.

Decide which mitigation rule to change

In this example, the mitigation rule whose ID is global_cc_1321b42f0967324a4581f7df931b4b64_C_t is used. This mitigation rule is used to protect against attacks that initiate high-frequency HTTP requests to a homepage. This mitigation rule may cause a false positive in the following scenarios:

  • During a large-scale promotional event, a large number of users may frequently refresh the homepage within 1 minute after the event starts. In this case, the system may generate a false positive.

  • After a technical issue of a website is fixed, the website administrator needs to test whether the performance and features of the website are restored. To perform a quick test, the administrator may use automated test tools to simulate frequent visits to the homepage of the website. The frequent visits are designed to check the loading speed and link availability of the homepage but may cause a false positive.

You can check the attack analysis reports and logs to identify the mitigation rule that causes the false positive. Then, you can disable the mitigation rule or change the action of the mitigation rule to Monitor.

  • Attack analysis reports

    On the Attack Analysis page, find a web resource exhaustion attack and click View Details in the Actions column. On the details page, you can view the effective mitigation rule in the Top 10 Hit Policies section.

  • Logs

    On the Log Analysis page, enter last_owner in the search box to view the ID of the effective mitigation rule. The mitigation rule whose ID starts with global is a global mitigation rule.

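The log-based triage described above, as an added example that is not Alibaba Cloud's code: it reads an exported log of simulated service traffic, counts hits per global rule by the last_owner field, and applies the mode-versus-rule guidance from this topic. The JSON-lines export layout, the client_ip and path fields, the test client address, the ID custom_rule_7 and the 50% cut-off are assumptions made for the example.

```python
import json
from collections import Counter

# Constructed sample export, one JSON object per line. Only the `last_owner`
# field is named on the page; `client_ip`, `path`, the JSON-lines layout and
# the ID `custom_rule_7` are assumptions made for this example.
SAMPLE_LOG = """\
{"client_ip": "198.51.100.10", "path": "/", "last_owner": "global_cc_1321b42f0967324a4581f7df931b4b64_C_t"}
{"client_ip": "198.51.100.10", "path": "/", "last_owner": "global_cc_1321b42f0967324a4581f7df931b4b64_C_t"}
{"client_ip": "198.51.100.10", "path": "/login", "last_owner": ""}
{"client_ip": "198.51.100.10", "path": "/search"}
{"client_ip": "198.51.100.10", "path": "/", "last_owner": "global_cc_1321b42f0967324a4581f7df931b4b64_C_t"}
{"client_ip": "203.0.113.77", "path": "/", "last_owner": "global_online_01"}
{"client_ip": "198.51.100.10", "path": "/cart", "last_owner": "custom_rule_7"}
{"client_ip": "198.51.100.10", "path": "/che
"""


def simulated_hits(log_text, test_ips):
    """Count global-rule hits among requests sent by the test clients.

    Returns (total simulated requests seen, Counter of rule ID -> hits).
    """
    total, hits = 0, Counter()
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line in the export
        if not isinstance(entry, dict) or entry.get("client_ip") not in test_ips:
            continue  # not part of the simulated service traffic
        total += 1
        rule = entry.get("last_owner") or ""
        if rule.startswith("global"):  # page: IDs starting with "global"
            hits[rule] += 1
    return total, hits


def recommend(total, hits, large_share=0.5):
    """Apply the page's guidance to the hit counts.

    large_share is an assumed cut-off for "a large amount" of traffic;
    the page gives no number.
    """
    rules = sorted(hits)
    if not rules:
        return ("no change", [])
    if len(rules) == 1:
        return ("change rule", rules)  # disable it or set it to Monitor
    share = sum(hits.values()) / total
    return ("review mode" if share >= large_share else "change rule", rules)


if __name__ == "__main__":
    total, hits = simulated_hits(SAMPLE_LOG, {"198.51.100.10"})
    print(total, dict(hits), recommend(total, hits))
```

A hit on a rule whose action is Monitor is also logged, so compare the result with the rule's current action before you disable it.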

Usage notes

  • If you add a website to Anti-DDoS Proxy after November 24, 2021, the global mitigation policy in Normal mode is automatically enabled for the domain name of the website.

  • If you add a website to Anti-DDoS Proxy before November 24, 2021, the global mitigation policy is disabled for the domain name of the website. We recommend that you enable the global mitigation policy for the domain name.

Prerequisites

A website service is added to Anti-DDoS Proxy. For more information, see Add websites.

Change mitigation rules

  1. Log on to the General Policies page in the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): Choose the Chinese Mainland region.

    • Anti-DDoS Proxy (Outside Chinese Mainland): Choose the Outside Chinese Mainland region.

  3. Click the Protection for Website Services tab. On the tab, select the domain name that you want to manage from the list on the left side.

  4. In the Anti-DDoS Global Mitigation Policy section, change the mode or click Settings to change the mitigation rules that are contained in the mode.