After you configure the UDP port forwarding rule, the Anti-DDoS Proxy will, by default, block certain ports that are commonly targeted for UDP reflection attacks. If these default settings disrupt your operations or if you want to customize the list of blocked ports, you can manually adjust the configuration. This topic provides guidance on configuring the ports to be blocked.
Usage notes
The UDP reflection attack mitigation feature is available only for Anti-DDoS Proxy instances with the Enhanced Function Plan.
If no UDP port forwarding rules are added on the Port Config page, or if only TCP port forwarding rules are present, Anti-DDoS Proxy will by default discard all UDP traffic. In this case, there is no need to configure this feature. You only need to configure it after creating a UDP port forwarding rule.
By default, the Anti-DDoS Proxy blocks all ports listed in the One-click Filtering Policies, such as 17, 19, 69, 111, 123, 137, 161, 389, 1194, 1900, 3389, 3702, 11211.
When the UDP reflection attack mitigation feature is applied to Anti-DDoS Proxy instances, the filtering policies will take effect on all UDP port forwarding rules configured for the instance.
Validity period
Once configured, the policy remains in effect indefinitely.
Prerequisites
An Anti-DDoS Proxy instance of the Enhanced function plan is purchased. For more information, see Purchase an Anti-DDoS Proxy instance.
A UDP port forwarding rule is created on the Port Config page. For more information, see Configure port forwarding rules.
Procedure
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.
Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland) instance, select Outside Chinese Mainland.
In the left-side navigation pane, choose .
On the Protection for Infrastructure tab, select the instance that you want to manage from the list on the left.
You can locate an instance by searching for its ID or description.
Navigate to the UDP Reflection Attack Mitigation section and click Settings.
In the Configure Filtering Policies for UDP Reflection Attacks panel, define the filtering policy by specifying ports over which UDP reflection attacks may be launched, and click OK.
One-click Filtering Policies: The list includes common UDP reflection attack types and ports over which attacks are launched. Anti-DDoS Proxy automatically blocks all ports in this list by default.
Custom Filtering Policy: Enter the ports over which you want Anti-DDoS Proxy to discard the UDP traffic. The ports must be within the range of 0 to 65535. You can specify up to 20 ports. Separate multiple ports with commas (,).
You can use this method to configure filtering policies only for ports that are not in the One-click Filtering Policies list.