To protect elastic IP addresses (EIPs) that have Anti-DDoS (Enhanced) enabled, you can configure port-specific mitigation policies. A port-specific mitigation policy allows or discards traffic that has specific characteristics on a given port, which lets you mitigate TCP flood attacks (application-layer flood attacks launched against non-website services) and monitor and filter application-layer traffic in a fine-grained manner. This topic describes how to configure port-specific mitigation policies.
Usage notes
Assets of regular Alibaba Cloud services support only IP-specific mitigation policies. EIPs with Anti-DDoS (Enhanced) enabled support both IP-specific and port-specific mitigation policies. If both an IP-specific and a port-specific mitigation policy apply to the same traffic, the IP-specific mitigation policy takes precedence.
Each port can be associated with only one port-specific mitigation policy.
This feature is in public preview. Contact your account manager to enable it.
Applicability
Port-specific mitigation policies apply to ports of EIPs with Anti-DDoS (Enhanced) enabled. You add such a port to a mitigation policy on the Protected Objects page. For more information, see Add objects for protection.
Procedure
Log on to the Traffic Security console.
In the left-side navigation pane, choose .
Click Create Policy. In the Create Policy panel, configure Policy Name and select Port-specific Mitigation Policy in the Select Policy Type section. Then, click OK.
In the The policy is created dialog box, click OK to go to the Create Rule page.
On the Create Rule page, click Create Rule and configure the protection rules of the policy template. Then, click Next.
Rule Name: Enter a custom name. You can add up to 10 rules to each policy template.
Match Conditions: Click Add Condition to configure matching conditions.
Note: You can add up to 10 conditions to a rule.
Rule Type: Choose String or Hexadecimal.
Match Range: The start position and end position are offsets into the payload and must each be in the range 0 to 1499. The start position must be less than or equal to the end position.
Logical Operator: Choose Yes or No.
Term to Match:
If Rule Type is String, the term can be up to 1500 characters long, and the match range must be large enough to hold it: end position minus start position plus 1 must be greater than or equal to the term length.
If Rule Type is Hexadecimal, the term must contain only hexadecimal characters, can be up to 3000 characters long, and must have an even number of characters (two hexadecimal characters encode one byte). The match range must be large enough to hold the decoded bytes: end position minus start position plus 1 must be greater than or equal to half the term length.
Action:
Monitor: Record hits only. Matching traffic is not blocked.
Block: Discard the matching request.
In the Protected Assets section, under Objects to Select, select a protected instance.
Select the Asset IP Address. Then, in the Port/Protocol section, select the ports that you want to protect.
After configuration, click Add.
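The limits listed for Match Conditions above (offsets 0 to 1499, term-length caps, the even-length hex requirement, and the rule that the match range must be able to hold the term) are the kind of thing that is easy to get wrong when you prepare rules outside the console. The following script is an added example and is not Alibaba Cloud code: it validates a rule's conditions against exactly those limits and then evaluates the rule against constructed sample payloads. Two things the page does not state are assumed here and labelled as assumptions in the code: that a Logical Operator of Yes means the term must occur inside the byte window and No means it must be absent, and that all conditions of a rule must hold (AND) for the rule's action to fire.

```python
"""Added example (not Alibaba Cloud code): validate and evaluate a
port-specific mitigation rule using the limits stated on the page.

ASSUMPTIONS (not stated on the page): operator "Yes" = term occurs inside
the byte window [start, end]; "No" = term is absent from it; all conditions
of a rule must hold (AND); start/end are byte offsets into the payload.
"""
from dataclasses import dataclass
from string import hexdigits
from typing import List

MAX_OFFSET = 1499       # start/end positions are 0..1499
MAX_STRING_TERM = 1500  # characters
MAX_HEX_TERM = 3000     # hex characters, even count
MAX_CONDITIONS = 10     # conditions per rule


@dataclass
class Condition:
    rule_type: str  # "String" or "Hexadecimal"
    start: int      # first byte offset of the match range
    end: int        # last byte offset (inclusive)
    operator: str   # "Yes" or "No" (semantics assumed, see docstring)
    term: str

    def validation_error(self) -> str:
        """Return "" if the condition meets the page's limits, else the reason."""
        if self.rule_type not in ("String", "Hexadecimal"):
            return "Rule Type must be String or Hexadecimal"
        if self.operator not in ("Yes", "No"):
            return "Logical Operator must be Yes or No"
        if not (0 <= self.start <= MAX_OFFSET and 0 <= self.end <= MAX_OFFSET):
            return "start and end positions must be in 0..1499"
        if self.start > self.end:
            return "start position must be <= end position"
        window = self.end - self.start + 1
        if self.rule_type == "String":
            if not 1 <= len(self.term) <= MAX_STRING_TERM:
                return "string term must be 1..1500 characters"
            if window < len(self.term):
                return "match range is shorter than the string term"
        else:
            if not 1 <= len(self.term) <= MAX_HEX_TERM or len(self.term) % 2:
                return "hex term must be 1..3000 characters with even length"
            if any(c not in hexdigits for c in self.term):
                return "hex term contains non-hexadecimal characters"
            if window < len(self.term) // 2:
                return "match range is shorter than the decoded hex term"
        return ""

    def pattern(self) -> bytes:
        """Bytes to search for: the UTF-8 string, or the decoded hex term."""
        if self.rule_type == "String":
            return self.term.encode("utf-8")
        return bytes.fromhex(self.term)

    def holds(self, payload: bytes) -> bool:
        # Only the window [start, end] of the payload is inspected.
        found = self.pattern() in payload[self.start:self.end + 1]
        return found if self.operator == "Yes" else not found


@dataclass
class Rule:
    name: str
    conditions: List[Condition]
    action: str  # "Monitor" or "Block"

    def validation_error(self) -> str:
        if self.action not in ("Monitor", "Block"):
            return "Action must be Monitor or Block"
        if not 1 <= len(self.conditions) <= MAX_CONDITIONS:
            return "a rule needs 1..10 conditions"
        for cond in self.conditions:
            err = cond.validation_error()
            if err:
                return f"{self.name}: {err}"
        return ""

    def evaluate(self, payload: bytes) -> str:
        """Return the action if every condition holds (assumed AND), else "Pass"."""
        return self.action if all(c.holds(payload) for c in self.conditions) else "Pass"


# Constructed demo rule: block payloads that begin with the bytes de ad be ef
# (a made-up flood signature) unless "legit" appears in the first 64 bytes.
FLOOD_RULE = Rule(
    name="drop-flood-signature",
    conditions=[
        Condition("Hexadecimal", 0, 3, "Yes", "deadbeef"),
        Condition("String", 0, 63, "No", "legit"),
    ],
    action="Block",
)

# Constructed sample payloads, not captured traffic.
SAMPLE_PAYLOADS = {
    "flood": bytes.fromhex("deadbeef") + b"\x00" * 28,
    "http": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "signed_but_legit": bytes.fromhex("deadbeef") + b" legit client hello",
}


def classify_samples() -> dict:
    """Validate FLOOD_RULE, then return sample name -> verdict."""
    err = FLOOD_RULE.validation_error()
    if err:
        raise ValueError(err)
    return {name: FLOOD_RULE.evaluate(p) for name, p in SAMPLE_PAYLOADS.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:18s} -> {verdict}")
```

Running the script blocks the "flood" sample and passes the other two; the "signed_but_legit" case shows why a No condition matters: the same leading bytes are allowed through because the second condition does not hold. Before you save a rule in the console, run the same offset and length checks against your own terms, since a window that is smaller than the term can never match.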
Related operations
To modify a port-specific mitigation policy, go to the Mitigation Settings page, select Port-specific Mitigation Policy from the drop-down list in the top-left corner, find the policy that you want to modify, and click Modify Mitigation Policy in the Actions column.
Important: After you modify a mitigation policy, the modified policy takes effect on all protected objects that are attached to it. Proceed with caution.
To delete a port-specific mitigation policy, select Port-specific Mitigation Policy on the Mitigation Settings page, find the policy that you want to delete, and click Delete in the Actions column.
Important: You cannot delete a mitigation policy that is still attached to a protected object. Detach the policy from the object first, then delete it.
To attach a mitigation policy to an object for protection, or to detach a protected object from a mitigation policy, select Port-specific Mitigation Policy on the Mitigation Settings page, find the policy that you want to manage, and click Add Object for Protection in the Actions column.