Anti-DDoS Proxy allows you to configure a DDoS mitigation policy to protect non-website services against Layer 4 DDoS attacks. The policy includes the following features: false source, empty connection, rate limit for source, and speed limit for destination. You can configure a DDoS mitigation policy for a specific port forwarding rule when you create port forwarding rules for an Anti-DDoS Proxy instance and associate a non-website service with the instance. You can also configure a DDoS mitigation policy for multiple port forwarding rules at a time. This topic describes how to add a DDoS mitigation policy.
Introduction
For non-website services, a DDoS mitigation policy is configured based on IP addresses and ports. To mitigate connection-oriented DDoS attacks, you can configure the request rate, packet length, and other parameters based on your business requirements. A DDoS mitigation policy applies only to ports.
Anti-DDoS Proxy allows you to configure the following features in a DDoS mitigation policy for non-website services:
False Source: Verifies and filters DDoS attacks initiated from forged IP addresses.
Advanced Attack Mitigation: Detects and mitigates DDoS attacks that rapidly send an excessively large number of abnormal packets following a TCP three-way handshake, typically from botnets like Mirai.
Note: This feature is available only to instances that use IPv4 addresses. Instances that use IPv6 addresses cannot configure it.
Packet Feature Filtering: Accurately distinguishes between normal service traffic and attack traffic by analyzing packet payloads to protect against attacks. This feature also allows you to configure access control rules based on application-layer protocols.
Note: Only Anti-DDoS Proxy (Chinese Mainland) instances of the Enhanced function plan that use IPv4 addresses can configure this feature.
Rate Limit for Source: Limits the data transfer rate of a source IP address based on the IP address and port of an instance if the access requests exceed an upper limit. The data transfer rates of source IP addresses from which access requests do not exceed the upper limits are not limited. The rate limit for source feature supports blacklist settings. You can add an IP address from which access requests exceed an upper limit five times within 60 seconds to a blacklist. You can also specify the blocking period for a blacklist.
Speed Limit for Destination: Limits the data transfer rate of the port used by an instance based on the IP address and port of the instance if the transfer rate exceeds an upper limit. The data transfer rates of other ports are not limited.
Packet Length Limit: Specifies the minimum and maximum lengths of packets that are allowed to pass through. Packets with invalid lengths are discarded.
Prerequisites
A non-website service is added to Anti-DDoS Proxy. For more information, see Manage forwarding rules.
Configure a DDoS mitigation policy for a single port forwarding rule
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.
Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland) instance, select Outside Chinese Mainland.
In the left-side navigation pane, open the General Policies page. On the General Policies page, click the Protection for Non-website Services tab, and select the Anti-DDoS Proxy instance that you want to manage at the top of the page.
Click the forwarding rule you want to configure from the list on the left to set the protection policy.
False Source: In the False Source section, turn on or off False Source or Empty Connection.
False Source: Turn on this switch to block requests from forged IP addresses. After you turn on the switch, Anti-DDoS Proxy automatically filters requests initiated from forged IP addresses.
Note: This feature applies only to TCP rules.
Empty Connection: Turn on this switch to block requests that attempt to establish null sessions. After you turn on the switch, Anti-DDoS Proxy automatically filters requests that attempt to establish null sessions.
Note: This feature applies only to TCP rules. To enable it, you must first turn on False Source.
Advanced Attack Mitigation: In the Advanced Attack Mitigation section, turn on or off the feature. You can also select a protection mode. We recommend that you select the Normal mode.
Note: This feature applies only to TCP rules. To enable the advanced attack mitigation feature, you must first turn on False Source.
Loose
Effect: This mode blocks requests that have obvious attack characteristics. A small number of attacks may be allowed, but the false positive rate is low.
Scenario: This mode is suitable for services that involve large-scale one-way data transmission, such as live streaming, streaming media, and data downloads, or services that require high bandwidth on origin servers.
Normal (recommended)
Effect: In most cases, this mode does not affect your workloads and balances protection effects and low false positive rates. We recommend that you use this mode.
Scenario: This mode is suitable for most scenarios.
Strict
Effect: This mode enforces strict attack verification. In some cases, this mode causes false positives.
Scenario: This mode is suitable for scenarios in which the origin server has limited bandwidth or the current protection effect is weak.
Packet Feature Filtering: Configure precise access control rules based on packet payloads. If a single rule contains multiple match conditions, all conditions must be satisfied to trigger the corresponding action.
Priority: Assign a value from 1 to 100. A lower value indicates a higher priority.
Rule Name: Name the rule so that you can identify it easily.
Match Conditions: Each match condition consists of the following settings.
Match Conditions: Define the format of the packet payload. Select either String or Hexadecimal.
Match Range: Specify the start and end positions for payload matching. The valid range for both positions is from 0 to 1499 bytes. The start position must not exceed the end position.
Logical Operator: Select either Include or Not Include.
Field Value: If Match Conditions is set to String, the matching content must not exceed 1500 bytes and must fit within the range specified by the start and end positions. If Match Conditions is set to Hexadecimal, the content must consist of hexadecimal characters, must not exceed 3000 characters, must have an even number of characters, and must fit within the specified range.
Action: Select Monitor or Block. Monitor permits a request that matches the rule. Block rejects a request that matches the rule.
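The following Python snippet is an added example, not code from the Anti-DDoS Proxy console or from Alibaba Cloud. It shows how rules of this kind are evaluated: each match condition is validated against the limits in the table above, all conditions of a rule must hold for its action to trigger, and rules are tried in priority order. The class names, the rule layout, the inclusive end position of the match range, and the sample protocol with a cafe0001 magic header are assumptions made for the example.

```python
# Added example: a minimal evaluator for Packet Feature Filtering rules as
# described above. This is illustrative code, not Alibaba Cloud's implementation;
# class names, the rule layout and the inclusive end position are assumptions.
from dataclasses import dataclass
from typing import List

STRING_MAX_BYTES = 1500   # string field value must not exceed 1500 bytes
HEX_MAX_CHARS = 3000      # hexadecimal field value must not exceed 3000 characters
POSITION_MAX = 1499       # start and end positions range from 0 to 1499


@dataclass
class MatchCondition:
    fmt: str        # "string" or "hex" (the Match Conditions format)
    start: int      # Match Range start position, 0..1499
    end: int        # Match Range end position, start..1499 (assumed inclusive)
    operator: str   # Logical Operator: "include" or "not_include"
    value: str      # Field Value

    def pattern(self) -> bytes:
        return self.value.encode() if self.fmt == "string" else bytes.fromhex(self.value)

    def validate(self) -> None:
        if self.fmt not in ("string", "hex"):
            raise ValueError("format must be 'string' or 'hex'")
        if not (0 <= self.start <= POSITION_MAX and 0 <= self.end <= POSITION_MAX):
            raise ValueError("start and end positions must be within 0..1499")
        if self.start > self.end:
            raise ValueError("start position must not exceed end position")
        if self.operator not in ("include", "not_include"):
            raise ValueError("operator must be 'include' or 'not_include'")
        if self.fmt == "string" and len(self.value.encode()) > STRING_MAX_BYTES:
            raise ValueError("string value must not exceed 1500 bytes")
        if self.fmt == "hex" and (len(self.value) > HEX_MAX_CHARS or len(self.value) % 2):
            raise ValueError("hex value must be at most 3000 characters and even in length")
        # bytes.fromhex() inside pattern() rejects non-hexadecimal characters
        if len(self.pattern()) > self.end - self.start + 1:
            raise ValueError("field value does not fit within the match range")

    def matches(self, payload: bytes) -> bool:
        window = payload[self.start:self.end + 1]
        found = self.pattern() in window
        return found if self.operator == "include" else not found


@dataclass
class Rule:
    name: str
    priority: int               # 1..100, lower value means higher priority
    action: str                 # "monitor" or "block"
    conditions: List[MatchCondition]

    def validate(self) -> None:
        if not 1 <= self.priority <= 100:
            raise ValueError("priority must be within 1..100")
        if self.action not in ("monitor", "block"):
            raise ValueError("action must be 'monitor' or 'block'")
        if not self.conditions:
            raise ValueError("a rule needs at least one match condition")
        for cond in self.conditions:
            cond.validate()

    def matches(self, payload: bytes) -> bool:
        # Every condition in the rule must be satisfied for the action to trigger.
        return all(cond.matches(payload) for cond in self.conditions)


def evaluate(rules: List[Rule], payload: bytes) -> str:
    """Return the action of the highest-priority matching rule, or "pass"."""
    for rule in sorted(rules, key=lambda r: r.priority):
        rule.validate()
        if rule.matches(payload):
            return rule.action
    return "pass"


# Constructed sample: a custom TCP protocol whose packets start with the
# 4-byte magic value cafe0001; anything else on the port is blocked, and
# PING packets are only monitored.
CONSTRUCTED_RULES = [
    Rule("block-without-magic", 10, "block",
         [MatchCondition("hex", 0, 3, "not_include", "cafe0001")]),
    Rule("watch-ping", 20, "monitor",
         [MatchCondition("hex", 0, 3, "include", "cafe0001"),
          MatchCondition("string", 4, 15, "include", "PING")]),
]

if __name__ == "__main__":
    for pkt in (b"\xca\xfe\x00\x01PING\x00\x00", b"HELLO", b"\xca\xfe\x00\x01DATA"):
        print(pkt, "->", evaluate(CONSTRUCTED_RULES, pkt))
```

The first rule uses Not Include to reject any packet that does not carry the expected header, which is the usual way to express a positive allowlist with these operators; the second rule shows two conditions that must both hold.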
Rate Limit for Source: In the Rate Limit for Source section, click Settings, configure the parameters, and then click OK.
New Connections Limit for Source: This parameter specifies the maximum number of new connections per second that can be initiated from a single IP address. Valid values: 1 to 50000. New connections initiated from the IP address after the upper limit is reached are dropped.
Automatic: Anti-DDoS Proxy dynamically calculates the maximum number of new connections per second that can be initiated from a single source IP address.
Manual: You specify the maximum number of new connections per second that can be initiated from a single source IP address.
Note: The limit on new connections may differ slightly from the actual number because scrubbing nodes are deployed in clusters.
Blacklist settings: If you select the "If the number of new connections from a source exceeds the limit five times within 60 seconds, the source IP address is added to the blacklist." check box, all requests from IP addresses in the blacklist are dropped. To enable the blacklist settings, configure Blacklist Validity Period. Valid values: 1 to 10080. Unit: minutes. Default value: 30. An IP address that is added to the blacklist is removed from the blacklist when the validity period ends.
Concurrent Connections Limit for Source: This parameter specifies the maximum number of concurrent connections that can be initiated from a single IP address. Valid values: 1 to 50000. Concurrent connections to the port after the upper limit is reached are dropped.
Blacklist settings: If you select the "If the number of concurrent connections from a source exceeds the limit five times within 60 seconds, the source IP address is added to the blacklist." check box, all requests from IP addresses in the blacklist are dropped. To enable the blacklist settings, configure Blacklist Validity Period. Valid values: 1 to 10080. Unit: minutes. Default value: 30. An IP address that is added to the blacklist is removed from the blacklist when the validity period ends.
PPS Limit for Source: This parameter specifies the maximum number of packets per second that are allowed from a single IP address. Valid values: 1 to 100000. Packets sent from the IP address after the upper limit is reached are dropped.
Blacklist settings: If you select the "If the source PPS exceeds the limit five times within 60 seconds, the source IP address is added to the blacklist." check box, all requests from IP addresses in the blacklist are dropped. To enable the blacklist settings, configure Blacklist Validity Period. Valid values: 1 to 10080. Unit: minutes. Default value: 30. An IP address that is added to the blacklist is removed from the blacklist when the validity period ends.
Bandwidth Limit for Source: This parameter specifies the maximum bandwidth of a single IP address. Valid values: 1024 to 268435456. Unit: bytes/s.
Blacklist settings: If you select the "If the bandwidth of connections from a source exceeds the limit five times within 60 seconds, the source IP address is added to the blacklist." check box, all requests from IP addresses in the blacklist are dropped. To enable the blacklist settings, configure Blacklist Validity Period. Valid values: 1 to 10080. Unit: minutes. Default value: 30. An IP address that is added to the blacklist is removed from the blacklist when the validity period ends.
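The following Python snippet is an added example, not code from Alibaba Cloud or from the scrubbing nodes, that simulates the New Connections Limit for Source together with the blacklist setting described above: connections beyond the per-second limit are dropped, a source that exceeds the limit five times within 60 seconds is blacklisted, and the entry expires after the Blacklist Validity Period. The class and verdict names are assumptions, as is the choice to count at most one excess per second; the sample traffic is constructed.

```python
# Added example: a simulation of the New Connections Limit for Source with the
# blacklist setting described above. Illustrative code, not Alibaba Cloud's
# scrubbing-node logic; counting one excess per second is an assumption.
from collections import Counter, defaultdict, deque
from typing import Dict, Iterable, List, Tuple

EXCEED_THRESHOLD = 5    # blacklisted after exceeding the limit five times...
EXCEED_WINDOW = 60      # ...within 60 seconds


class SourceRateLimiter:
    def __init__(self, limit_per_second: int, blacklist: bool = True,
                 blacklist_minutes: int = 30):
        if not 1 <= limit_per_second <= 50000:
            raise ValueError("New Connections Limit for Source: valid values are 1 to 50000")
        if not 1 <= blacklist_minutes <= 10080:
            raise ValueError("Blacklist Validity Period: valid values are 1 to 10080 minutes")
        self.limit = limit_per_second
        self.blacklist_enabled = blacklist
        self.blacklist_seconds = blacklist_minutes * 60
        self._counts: Dict[Tuple[str, int], int] = {}   # (ip, second) -> new connections
        self._excesses = defaultdict(deque)             # ip -> seconds in which limit was exceeded
        self._blacklist: Dict[str, int] = {}            # ip -> expiry timestamp (seconds)

    def is_blacklisted(self, ip: str, now: int) -> bool:
        expiry = self._blacklist.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                 # validity period ended: entry is removed
            del self._blacklist[ip]
            return False
        return True

    def on_new_connection(self, now: int, ip: str) -> str:
        """Verdict for one new connection attempt from ip at time now (seconds)."""
        if self.is_blacklisted(ip, now):
            return "drop-blacklisted"
        key = (ip, now)
        self._counts[key] = self._counts.get(key, 0) + 1
        if self._counts[key] <= self.limit:
            return "allow"
        # Over the per-second limit: drop, and count this second as one excess.
        excesses = self._excesses[ip]
        if not excesses or excesses[-1] != now:
            excesses.append(now)
        while excesses and now - excesses[0] >= EXCEED_WINDOW:
            excesses.popleft()          # forget excesses older than the 60-second window
        if self.blacklist_enabled and len(excesses) >= EXCEED_THRESHOLD:
            self._blacklist[ip] = now + self.blacklist_seconds
            excesses.clear()
            return "drop-blacklist-added"
        return "drop-rate-limited"


def replay(limiter: SourceRateLimiter, events: Iterable[Tuple[int, str]]) -> Dict[str, int]:
    """Feed (timestamp, source_ip) events through the limiter and tally the verdicts."""
    return dict(Counter(limiter.on_new_connection(ts, ip) for ts, ip in events))


def constructed_events() -> List[Tuple[int, str]]:
    """Constructed traffic: one source opens 5 connections/s for 5 seconds, then
    retries at t=100 and at t=1804 (exactly when a 30-minute blacklist entry
    created at t=4 expires); a second source opens 1 connection/s."""
    events = []
    for sec in range(5):
        events += [(sec, "198.51.100.7")] * 5
    events += [(100, "198.51.100.7"), (1804, "198.51.100.7")]
    events += [(sec, "203.0.113.5") for sec in range(5)]
    return events


if __name__ == "__main__":
    print("limit 3/s, blacklist on :", replay(SourceRateLimiter(3), constructed_events()))
    print("limit 3/s, blacklist off:", replay(SourceRateLimiter(3, blacklist=False), constructed_events()))
```

With a limit of 3 new connections per second, the bursty source is rate limited in each of the first four seconds and is blacklisted on its fifth excess; without the blacklist it is only rate limited and its later retries are allowed.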
Speed Limit for Destination: In the Speed Limit for Destination section, click Settings. In the Change Settings dialog box, configure the required parameters and click OK.
New Connections Limit for Destination: This parameter specifies the maximum number of new connections per second that can be established over an Anti-DDoS Proxy port. Valid values: 100 to 100000. Requests that arrive after the upper limit is reached are dropped.
Note: The limit on new connections may differ slightly from the actual number because scrubbing nodes are deployed in clusters.
Concurrent Connections Limit for Destination: This parameter specifies the maximum number of concurrent connections that can be established on an Anti-DDoS Proxy port. Valid values: 1000 to 1000000. Requests sent to the port after the upper limit is reached are dropped.
Packet Length Limit: In the Packet Length Limit section, click Settings. In the Settings dialog box, specify the minimum and maximum lengths of the payload contained in a packet and click OK. Valid values: 0 to 1500. Unit: bytes.
Configure a DDoS mitigation policy for multiple port forwarding rules at a time
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.
Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland) instance, select Outside Chinese Mainland.
In the left-side navigation pane, open the Port Config page. On the Port Config page, select the instance that you want to manage and, below the rule list, choose the option that opens the Create Mitigation Policy dialog box. In the Create Mitigation Policy dialog box, follow the required formats to enter the content of the DDoS mitigation policies and click OK.
Note: You can also export DDoS mitigation policies to a TXT file, modify the content in the TXT file, and then copy and paste the modified content into the required field. The format of a DDoS mitigation policy in the exported file must be the same as the format of the policy that you want to create. For more information, see Export multiple port configurations at a time.
Configure only one DDoS mitigation policy in each row for each port forwarding rule.
When you configure a DDoS mitigation policy, the fields from left to right indicate the following parameters: forwarding port, forwarding protocol (tcp or udp), new connections limit for source, concurrent connections limit for source, new connections limit for destination, concurrent connections limit for destination, minimum packet length, maximum packet length, false source, and empty connection. Separate the fields with spaces.
The forwarding port must be a port specified in a forwarding rule.
The valid values of the false source and empty connection fields are on and off. The value off specifies that the feature is disabled.
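The following Python snippet is an added example, not code from Alibaba Cloud, that parses rows in the batch policy format described above and validates them before they are pasted into the console: ten space-separated fields per row, numeric fields checked against the value ranges given for the single-rule parameters, the port checked against the existing forwarding rules, and on/off checked for the last two fields. The cross-field checks (minimum length not above maximum length, false source and empty connection only on tcp rows, empty connection requiring false source) follow the notes earlier on this page and are assumptions about how the batch input is validated; the sample rows and forwarding rules are constructed.

```python
# Added example: a parser and validator for the batch DDoS mitigation policy
# format described above (one policy per row, ten space-separated fields).
# Illustrative code, not Alibaba Cloud's; the value ranges come from the
# console parameters on this page, the cross-field checks are assumptions.
from dataclasses import dataclass
from typing import List, Set, Tuple

# (field name, min, max) for the numeric fields, in the order they appear in a row
NUMERIC_RANGES = [
    ("new_connections_source", 1, 50000),
    ("concurrent_connections_source", 1, 50000),
    ("new_connections_destination", 100, 100000),
    ("concurrent_connections_destination", 1000, 1000000),
    ("min_packet_length", 0, 1500),
    ("max_packet_length", 0, 1500),
]


@dataclass
class MitigationPolicy:
    port: int
    protocol: str
    new_connections_source: int
    concurrent_connections_source: int
    new_connections_destination: int
    concurrent_connections_destination: int
    min_packet_length: int
    max_packet_length: int
    false_source: bool
    empty_connection: bool


def _on_off(name: str, token: str) -> bool:
    if token not in ("on", "off"):
        raise ValueError(f"{name} must be on or off, got {token!r}")
    return token == "on"


def parse_policy_row(row: str, forwarding_rules: Set[Tuple[int, str]]) -> MitigationPolicy:
    fields = row.split()
    if len(fields) != 10:
        raise ValueError(f"expected 10 space-separated fields, got {len(fields)}")
    port = int(fields[0])
    protocol = fields[1]
    if protocol not in ("tcp", "udp"):
        raise ValueError(f"forwarding protocol must be tcp or udp, got {protocol!r}")
    if (port, protocol) not in forwarding_rules:
        raise ValueError(f"{protocol} port {port} is not a port in an existing forwarding rule")
    numbers = {}
    for (name, lo, hi), token in zip(NUMERIC_RANGES, fields[2:8]):
        value = int(token)
        if not lo <= value <= hi:
            raise ValueError(f"{name} must be within {lo}..{hi}, got {value}")
        numbers[name] = value
    if numbers["min_packet_length"] > numbers["max_packet_length"]:
        raise ValueError("minimum packet length must not exceed maximum packet length")
    false_source = _on_off("false source", fields[8])
    empty_connection = _on_off("empty connection", fields[9])
    # From the console notes: both features apply only to TCP rules, and
    # empty connection requires false source to be turned on.
    if protocol == "udp" and (false_source or empty_connection):
        raise ValueError("false source and empty connection apply only to tcp rules")
    if empty_connection and not false_source:
        raise ValueError("empty connection requires false source to be on")
    return MitigationPolicy(port, protocol, **numbers, false_source=false_source,
                            empty_connection=empty_connection)


def parse_policy_text(text: str, forwarding_rules: Set[Tuple[int, str]]) -> List[MitigationPolicy]:
    """Parse one policy per non-empty row; errors name the offending row."""
    policies = []
    for lineno, row in enumerate(text.splitlines(), start=1):
        if not row.strip():
            continue
        try:
            policies.append(parse_policy_row(row, forwarding_rules))
        except ValueError as err:
            raise ValueError(f"row {lineno}: {err}") from None
    return policies


# Constructed sample: two existing forwarding rules and one policy row for each.
CONSTRUCTED_RULES = {(8080, "tcp"), (9000, "udp")}
CONSTRUCTED_POLICIES = """\
8080 tcp 1000 5000 10000 100000 0 1500 on on
9000 udp 500 2000 1000 50000 64 1400 off off
"""

if __name__ == "__main__":
    for policy in parse_policy_text(CONSTRUCTED_POLICIES, CONSTRUCTED_RULES):
        print(policy)
```

Running the check before pasting the text into the Create Mitigation Policy dialog box catches out-of-range values and rows for ports that have no forwarding rule, with the row number in the error message.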