
Resource Orchestration Service: ALIYUN::DDoS::Policy

Last Updated: Mar 06, 2025

ALIYUN::DDoS::Policy is used to create a mitigation policy.

Syntax

{
  "Type": "ALIYUN::DDoS::Policy",
  "Properties": {
    "PolicyName": String,
    "Type": String,
    "ActionType": String,
    "BlackIpList": List,
    "Content": Map,
    "WhiteIpList": List
  }
}

Properties

Property

Type

Required

Editable

Description

Constraint

PolicyName

String

Yes

Yes

The name of the policy.

None.

Type

String

Yes

No

The type of the policy.

Valid values:

  • l3: IP-specific mitigation policy.

  • l4: port-specific mitigation policy.

ActionType

String

No

No

The type of the action.

Valid values:

  • 10: modifies the name. Name must be specified when ActionType is set to 10.

  • 11: modifies the blacklist validity period. BlackIpListExpireAt must be specified when ActionType is set to 11. Only IP-specific mitigation policies support this value.

  • 12: changes the status of the feature of adding back-to-origin CIDR blocks of Anti-DDoS Proxy to the whitelist. WhitenGfbrNets must be specified when ActionType is set to 12. Only IP-specific mitigation policies support this value.

  • 13: changes the status of ICMP blocking. EnableDropIcmp must be specified when ActionType is set to 13. Only IP-specific mitigation policies support this value.

  • 20: adds IP addresses to the blacklist or whitelist. WhiteIpList or BlackIpList must be specified when ActionType is set to 20. Only IP-specific mitigation policies support this value.

  • 21: removes IP addresses from the blacklist or whitelist. WhiteIpList or BlackIpList must be specified when ActionType is set to 21. Only IP-specific mitigation policies support this value.

  • 22: clears the whitelist. Only IP-specific mitigation policies support this value.

  • 23: clears the blacklist. Only IP-specific mitigation policies support this value.

  • 30: modifies the status and level of intelligent protection. EnableIntelligence and IntelligenceLevel must be specified when ActionType is set to 30. Only IP-specific mitigation policies support this value.

  • 31: modifies the location blacklist settings. RegionBlockCountryList or RegionBlockProvinceList must be specified when ActionType is set to 31. Only IP-specific mitigation policies support this value.

  • 32: modifies the settings for source rate limiting. SourceLimit and SourceBlockList must be specified when ActionType is set to 32. Only IP-specific mitigation policies support this value.

  • 33: modifies the settings for reflection attack filtering. ReflectBlockUdpPortList must be specified when ActionType is set to 33. Only IP-specific mitigation policies support this value.

  • 40: creates a port blocking rule. PortRuleList must be specified when ActionType is set to 40. Only IP-specific mitigation policies support this value.

  • 41: modifies the port blocking rule. PortRuleList must be specified when ActionType is set to 41. Only IP-specific mitigation policies support this value.

  • 42: deletes the port blocking rule. PortRuleList must be specified when ActionType is set to 42. Only IP-specific mitigation policies support this value.

  • 50: creates a byte-match filter rule. FingerPrintRuleList must be specified when ActionType is set to 50. Only IP-specific mitigation policies support this value.

  • 51: modifies the byte-match filter rule. FingerPrintRuleList must be specified when ActionType is set to 51. Only IP-specific mitigation policies support this value.

  • 52: deletes the byte-match filter rule. FingerPrintRuleList must be specified when ActionType is set to 52. Only IP-specific mitigation policies support this value.

  • 60: changes the status of port-specific mitigation. EnableL4Defense must be specified when ActionType is set to 60. Only port-specific mitigation policies support this value.

  • 61: creates a port-specific mitigation rule. L4RuleList must be specified when ActionType is set to 61. Only port-specific mitigation policies support this value.

  • 62: modifies the port-specific mitigation rule. L4RuleList must be specified when ActionType is set to 62. Only port-specific mitigation policies support this value.

  • 63: deletes the port-specific mitigation rule. L4RuleList must be specified when ActionType is set to 63. Only port-specific mitigation policies support this value.

BlackIpList

List

No

No

The IP addresses in the blacklist.

The blacklist can contain up to 1,999 IP addresses.

Content

Map

No

Yes

The content of the policy.

For more information, see Content properties.

WhiteIpList

List

No

No

The IP addresses in the whitelist.

The whitelist can contain up to 1,999 IP addresses.

Content syntax

"Content": {
  "WhitenGfbrNets": Boolean,
  "PortRuleList": List,
  "RegionBlockCountryList": List,
  "RegionBlockProvinceList": List,
  "FingerPrintRuleList": List,
  "SourceLimit": Map,
  "EnableDefense": Boolean,
  "EnableIntelligence": Boolean,
  "SourceBlockList": List,
  "EnableDropIcmp": Boolean,
  "IntelligenceLevel": String,
  "ReflectBlockUdpPortList": List,
  "BlackIpListExpireAt": Integer,
  "Layer4RuleList": List
}

Content properties

Property

Type

Required

Editable

Description

Constraint

BlackIpListExpireAt

Integer

No

Yes

The expiration time of the IP address blacklist.

None.

EnableDefense

Boolean

No

Yes

Specifies whether to enable port-specific mitigation.

None.

EnableIntelligence

Boolean

No

Yes

Specifies whether to enable intelligent protection.

None.

EnableDropIcmp

Boolean

No

Yes

Specifies whether to enable ICMP blocking.

None.

FingerPrintRuleList

List

No

Yes

The byte-match filter rules.

You can configure up to eight rules. For more information, see FingerPrintRuleList properties.

IntelligenceLevel

String

No

Yes

The level of intelligent protection.

Valid values:

  • default: normal.

  • hard: strict.

  • weak: loose.

Layer4RuleList

List

No

Yes

The port-specific mitigation rules.

You can configure up to eight rules. For more information, see Layer4RuleList properties.

PortRuleList

List

No

Yes

The port blocking rules.

You can configure up to eight rules. For more information, see PortRuleList properties.

RegionBlockCountryList

List

No

Yes

The countries included in the location blacklist.

None.

RegionBlockProvinceList

List

No

Yes

The provinces included in the location blacklist.

None.

ReflectBlockUdpPortList

List

No

Yes

The ports whose traffic is filtered out by the filtering policies for UDP reflection attacks.

Example: {'Length': {'Min': 0, 'Max': 20}}.

SourceLimit

Map

No

Yes

The settings for source rate limiting.

For more information, see SourceLimit properties.

SourceBlockList

List

No

Yes

The source IP addresses that are added to the blacklist for source rate limiting.

For more information, see SourceBlockList properties.

WhitenGfbrNets

Boolean

No

Yes

Specifies whether to add back-to-origin CIDR blocks of Anti-DDoS Proxy to the whitelist.

None.

PortRuleList syntax

"PortRuleList": [
  {
    "SrcPortEnd": Integer,
    "SeqNo": Integer,
    "SrcPortStart": Integer,
    "PortRuleId": String,
    "DstPortStart": Integer,
    "DstPortEnd": Integer,
    "Protocol": String
  }
]

PortRuleList properties

Property

Type

Required

Editable

Description

Constraint

DstPortStart

Integer

Yes

Yes

The start of the destination port range.

Valid values: 0 to 65535.

DstPortEnd

Integer

Yes

Yes

The end of the destination port range.

Valid values: 0 to 65535.

Protocol

String

Yes

Yes

The type of the protocol.

Valid values:

  • tcp

  • udp

SrcPortEnd

Integer

Yes

Yes

The end of the source port range.

Valid values: 0 to 65535.

SeqNo

Integer

Yes

Yes

The sequence number that indicates the order in which the port blocking rule takes effect.

Note

A smaller number indicates a higher priority.

SrcPortStart

Integer

Yes

Yes

The start of the source port range.

Valid values: 0 to 65535.

PortRuleId

String

No

Yes

The ID of the port blocking rule.

None.

FingerPrintRuleList syntax

"FingerPrintRuleList": [
  {
    "SrcPortEnd": Integer,
    "SeqNo": Integer,
    "SrcPortStart": Integer,
    "FingerPrintRuleId": String,
    "RateValue": Integer,
    "PayloadBytes": String,
    "DstPortStart": Integer,
    "MatchAction": String,
    "Offset": Integer,
    "MaxPktLen": Integer,
    "MinPktLen": Integer,
    "DstPortEnd": Integer,
    "Protocol": String
  }
]

FingerPrintRuleList properties

Property

Type

Required

Editable

Description

Constraint

DstPortStart

Integer

Yes

Yes

The start of the destination port range.

Valid values: 0 to 65535.

DstPortEnd

Integer

Yes

Yes

The end of the destination port range.

Valid values: 0 to 65535.

MatchAction

String

Yes

Yes

The action triggered if the byte-match filter rule is matched.

Valid values:

  • accept: allows the traffic that matches the conditions in the byte-match filter rule.

  • drop: discards the traffic that matches the conditions in the byte-match filter rule.

  • ip_rate: limits rates on the source IP address whose traffic matches the conditions in the byte-match filter rule. The rate limit is specified by RateValue.

  • session_rate: limits the number of sessions from the source IP address whose traffic matches the conditions in the byte-match filter rule. The rate limit is specified by RateValue.

MaxPktLen

Integer

Yes

Yes

The maximum packet length.

Valid values: 1 to 1500.

MinPktLen

Integer

Yes

Yes

The minimum packet length.

Valid values: 1 to 1500.

Protocol

String

Yes

Yes

The type of the protocol.

Valid values:

  • tcp

  • udp

SrcPortEnd

Integer

Yes

Yes

The end of the source port range.

Valid values: 0 to 65535.

SeqNo

Integer

Yes

Yes

The sequence number that indicates the order in which the byte-match filter rule takes effect.

The value of this property must be an integer.

Note

A smaller number indicates a higher priority.

SrcPortStart

Integer

Yes

Yes

The start of the source port range.

Valid values: 0 to 65535.

FingerPrintRuleId

String

No

Yes

The ID of the byte-match filter rule.

None.

Offset

Integer

No

Yes

The offset.

Valid values: 0 to 1500.

PayloadBytes

String

No

Yes

The payload.

None.

RateValue

Integer

No

Yes

The rate limit.

Valid values: 1 to 100000.

Note

This property must be specified when MatchAction is set to ip_rate or session_rate.
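To see how the fields of a byte-match filter rule combine, here is an added example in Python (not Alibaba Cloud's implementation) that evaluates constructed packets against a small FingerPrintRuleList. The matching model it assumes is spelled out in the docstring: every field of a rule must match, rules are tried in ascending SeqNo with the first match winning, Offset is counted from the start of the transport payload, and PayloadBytes is compared as a hex string. The rules and packets are constructed for the example.

```python
"""Evaluate packets against FingerPrintRuleList entries to see how the rule fields combine.
Added example, not Alibaba Cloud's code: the matching model (all fields must match, rules are
tried in ascending SeqNo, first match wins, Offset counts from the start of the transport
payload and PayloadBytes is compared as hex) is an assumption made for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    protocol: str   # "tcp" or "udp"
    src_port: int
    dst_port: int
    length: int     # packet length in bytes, compared against MinPktLen/MaxPktLen
    payload: bytes  # transport payload


def rule_matches(rule: dict, pkt: Packet) -> bool:
    """A byte-match filter rule matches only when every one of its conditions holds."""
    if rule["Protocol"] != pkt.protocol:
        return False
    if not rule["SrcPortStart"] <= pkt.src_port <= rule["SrcPortEnd"]:
        return False
    if not rule["DstPortStart"] <= pkt.dst_port <= rule["DstPortEnd"]:
        return False
    if not rule["MinPktLen"] <= pkt.length <= rule["MaxPktLen"]:
        return False
    pattern = rule.get("PayloadBytes")
    if pattern:
        # Assumption: PayloadBytes is a hex string matched byte-for-byte at Offset.
        needle = bytes.fromhex(pattern)
        offset = rule.get("Offset", 0)
        if pkt.payload[offset:offset + len(needle)] != needle:
            return False
    return True


def evaluate(rules: list, pkt: Packet) -> Optional[dict]:
    """Return the verdict of the highest-priority (smallest SeqNo) matching rule, or None."""
    for rule in sorted(rules, key=lambda r: r["SeqNo"]):
        if rule_matches(rule, pkt):
            verdict = {"SeqNo": rule["SeqNo"], "MatchAction": rule["MatchAction"]}
            if rule["MatchAction"] in ("ip_rate", "session_rate"):
                verdict["RateValue"] = rule["RateValue"]  # mandatory for the two rate actions
            return verdict
    return None


# Constructed sample rules (not the page's example). SeqNo 1 rate-limits sources that send the
# marker bytes to port 8000; SeqNo 2 drops the same marker on any other UDP port.
RULES = [
    {"SeqNo": 2, "Protocol": "udp", "SrcPortStart": 0, "SrcPortEnd": 65535,
     "DstPortStart": 0, "DstPortEnd": 65535, "MinPktLen": 1, "MaxPktLen": 1500,
     "Offset": 0, "PayloadBytes": "deadbeef", "MatchAction": "drop"},
    {"SeqNo": 1, "Protocol": "udp", "SrcPortStart": 0, "SrcPortEnd": 65535,
     "DstPortStart": 8000, "DstPortEnd": 8000, "MinPktLen": 1, "MaxPktLen": 1500,
     "Offset": 0, "PayloadBytes": "deadbeef", "MatchAction": "ip_rate", "RateValue": 100},
]

if __name__ == "__main__":
    for pkt in (Packet("udp", 40000, 8000, 33, bytes.fromhex("deadbeef00")),
                Packet("udp", 40000, 9000, 33, bytes.fromhex("deadbeef00")),
                Packet("udp", 40000, 9000, 2, b"\x00\x01")):
        print(pkt.dst_port, evaluate(RULES, pkt))
```

Running the file prints one verdict per sample packet. The first packet matches both rules, but the verdict comes from SeqNo 1 (ip_rate with RateValue 100), which is the "smaller number, higher priority" ordering from the SeqNo row above in action; the second packet falls through to the drop rule, and the third matches nothing.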

SourceLimit syntax

"SourceLimit": {
  "Pps": Integer,
  "SynBps": Integer,
  "Bps": Integer,
  "SynPps": Integer
}

SourceLimit properties

Property

Type

Required

Editable

Description

Constraint

Bps

Integer

No

Yes

The bandwidth limit on source IP addresses.

Unit: bytes per second.

Pps

Integer

No

Yes

The packets per second (pps) limit on source IP addresses.

Unit: pps.

SynBps

Integer

No

Yes

The bandwidth limit on source SYN packets.

Unit: bytes per second.

SynPps

Integer

No

Yes

The pps limit on source SYN packets.

Unit: pps.

SourceBlockList syntax

"SourceBlockList": [
  {
    "Type": Integer,
    "ExceedLimitTimes": Integer,
    "EverySeconds": Integer,
    "BlockExpireSeconds": Integer
  }
]

SourceBlockList properties

Property

Type

Required

Editable

Description

Constraint

BlockExpireSeconds

Integer

Yes

Yes

The validity period of the blacklist to which the source IP address is added.

Unit: seconds.

ExceedLimitTimes

Integer

Yes

Yes

The number of times that the source IP address exceeds a limit within a statistical period.

None.

EverySeconds

Integer

Yes

Yes

The statistical period during which the system collects data on source IP addresses to determine whether to add the source IP addresses to the blacklist.

Unit: seconds.

Type

Integer

Yes

Yes

The type of the source rate limit.

Valid values:

  • 3: the pps limit on source IP addresses.

  • 4: the bandwidth limit on source IP addresses.

  • 5: the pps limit on source SYN packets.

  • 6: the bandwidth limit on source SYN packets.
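The SourceBlockList fields are easiest to understand in motion. The simulator below is an added example, not Alibaba Cloud's algorithm: it pairs one SourceBlockList entry with the SourceLimit threshold its Type refers to, counts per-second limit violations inside fixed EverySeconds windows (the window model is an assumption), and blacklists a source for BlockExpireSeconds once ExceedLimitTimes is reached. The thresholds and samples are constructed; the addresses come from the TEST-NET-2 documentation range.

```python
"""Simulate how one SourceBlockList entry, combined with the matching SourceLimit threshold,
turns repeated limit violations into a temporary blacklist entry. Added example, not Alibaba
Cloud's algorithm: the fixed, non-overlapping statistical window and one-measurement-per-call
model are assumptions made to illustrate ExceedLimitTimes, EverySeconds and BlockExpireSeconds."""

# SourceBlockList.Type -> the SourceLimit key that holds the threshold it refers to
SOURCE_LIMIT_KEY = {3: "Pps", 4: "Bps", 5: "SynPps", 6: "SynBps"}


class SourceBlocker:
    def __init__(self, entry: dict):
        if entry["Type"] not in SOURCE_LIMIT_KEY:
            raise ValueError(f"unsupported SourceBlockList Type {entry['Type']}")
        self.type = entry["Type"]
        self.exceed_limit_times = entry["ExceedLimitTimes"]
        self.every_seconds = entry["EverySeconds"]
        self.block_expire_seconds = entry["BlockExpireSeconds"]
        self._window_start = {}   # ip -> start of the current statistical period
        self._exceed_count = {}   # ip -> violations seen in that period
        self._blocked_until = {}  # ip -> timestamp at which the block expires

    def is_blocked(self, ip: str, now: int) -> bool:
        until = self._blocked_until.get(ip)
        if until is not None and now < until:
            return True
        self._blocked_until.pop(ip, None)  # expired entries leave the blacklist
        return False

    def observe(self, ip: str, now: int, exceeded: bool) -> bool:
        """Record whether ip exceeded the limit at time now; return True if ip is blocked afterwards."""
        if self.is_blocked(ip, now):
            return True
        start = self._window_start.get(ip)
        if start is None or now - start >= self.every_seconds:
            self._window_start[ip] = now  # open a new statistical period
            self._exceed_count[ip] = 0
        if exceeded:
            self._exceed_count[ip] += 1
            if self._exceed_count[ip] >= self.exceed_limit_times:
                self._blocked_until[ip] = now + self.block_expire_seconds
                self._window_start.pop(ip)  # counting restarts after the block expires
                return True
        return False


def run_simulation(source_limit: dict, entry: dict, samples: list) -> list:
    """samples: (timestamp, ip, measured value) per second, in time order for each ip.
    Returns the (timestamp, ip) pairs at which a new block started."""
    blocker = SourceBlocker(entry)
    threshold = source_limit[SOURCE_LIMIT_KEY[entry["Type"]]]
    started = []
    for now, ip, value in samples:
        already = blocker.is_blocked(ip, now)
        if blocker.observe(ip, now, value > threshold) and not already:
            started.append((now, ip))
    return started


# Constructed sample data: bandwidth limit 1024 B/s; blacklist a source for 1200 s after
# 5 violations within a 60 s period (the same numbers as the template example on this page).
SOURCE_LIMIT = {"Pps": 66, "SynBps": 1024, "Bps": 1024, "SynPps": 66}
ENTRY = {"Type": 4, "ExceedLimitTimes": 5, "EverySeconds": 60, "BlockExpireSeconds": 1200}
SAMPLES = (
    [(t, "198.51.100.7", 5000) for t in range(5)]    # 5 violations in 5 s -> blocked at t=4
    + [(t, "198.51.100.8", 5000) for t in range(4)]  # 4 violations ...
    + [(70, "198.51.100.8", 5000)]                   # ... the 5th opens a new period: no block
    + [(1203, "198.51.100.7", 5000), (1204, "198.51.100.7", 5000)]  # block expires at t=1204
)

if __name__ == "__main__":
    print(run_simulation(SOURCE_LIMIT, ENTRY, SAMPLES))
```

The run reports a single block, for 198.51.100.7 at t=4. The second source never reaches ExceedLimitTimes because its fifth violation lands in a fresh EverySeconds window, and the first source is evaluated afresh once BlockExpireSeconds has elapsed rather than staying blacklisted.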

Layer4RuleList syntax

"Layer4RuleList": [
  {
    "Action": String,
    "ConditionList": List,
    "Priority": Integer,
    "Method": String,
    "Limited": Integer,
    "Name": String,
    "Match": String
  }
]

Layer4RuleList properties

Property

Type

Required

Editable

Description

Constraint

Action

String

Yes

Yes

The action.

Valid values:

  • 1: accepts traffic.

  • 2: discards traffic.

ConditionList

List

Yes

Yes

The match conditions.

For more information, see ConditionList properties.

Limited

Integer

Yes

Yes

The minimum number of bytes in a session to trigger matching.

Valid values: 0 to 2048.

Method

String

Yes

Yes

The type of the rule.

Valid values:

  • char: string match.

  • hex: hexadecimal string match.

Match

String

Yes

Yes

The condition based on which the action specified in the rule is performed.

Valid values:

  • 0: If the rule is matched, the action specified in the rule is performed.

  • 1: If the rule is not matched, the action specified in the rule is performed.

Name

String

Yes

Yes

The name of the rule.

None.

Priority

Integer

Yes

Yes

The priority of the rule.

Valid values: 1 to 100.

Note

A smaller value indicates a higher priority.

ConditionList syntax

"ConditionList": [
  {
    "Position": Integer,
    "Arg": String,
    "Depth": Integer
  }
]

ConditionList properties

Property

Type

Required

Editable

Description

Constraint

Arg

String

Yes

Yes

The term that is used for matching.

Note

If you set Method to char, the value of Arg must be an ASCII string. If you set Method to hex, the value of Arg must be a hexadecimal string. The term can be up to 2,048 characters in length.

Depth

Integer

Yes

Yes

The number of bytes from the start position for matching.

Valid values: 1 to 2048.

Position

Integer

Yes

Yes

The start position for matching.

Valid values: 0 to 2047.
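The following validator, an added example rather than Alibaba Cloud's own tooling, turns the ActionType list near the top of this page and the value ranges from the PortRuleList, FingerPrintRuleList, Layer4RuleList and ConditionList tables into a check you can run against a resource's Properties before deploying a template. It uses EnableDefense as the Content key for ActionType 60, the name given in the Content syntax above, and assumes ActionType 10 needs nothing beyond the mandatory PolicyName; the two sample policies are constructed.

```python
"""Pre-deployment lint for the Properties of an ALIYUN::DDoS::Policy resource. Added example,
not Alibaba Cloud's tooling: it encodes this page's ActionType requirements and value ranges."""

# ActionType -> (policy types that support it, keys it needs in Properties or Content).
# A list means every key is required; a set means at least one of them is required.
ACTION_REQUIREMENTS = {
    "10": ({"l3", "l4"}, []), "22": ({"l3"}, []), "23": ({"l3"}, []),
    "11": ({"l3"}, ["BlackIpListExpireAt"]), "12": ({"l3"}, ["WhitenGfbrNets"]),
    "13": ({"l3"}, ["EnableDropIcmp"]), "33": ({"l3"}, ["ReflectBlockUdpPortList"]),
    "20": ({"l3"}, {"WhiteIpList", "BlackIpList"}), "21": ({"l3"}, {"WhiteIpList", "BlackIpList"}),
    "30": ({"l3"}, ["EnableIntelligence", "IntelligenceLevel"]),
    "31": ({"l3"}, {"RegionBlockCountryList", "RegionBlockProvinceList"}),
    "32": ({"l3"}, ["SourceLimit", "SourceBlockList"]),
    "60": ({"l4"}, ["EnableDefense"]),  # key spelled EnableDefense in the Content syntax above
}
ACTION_REQUIREMENTS.update({a: ({"l3"}, ["PortRuleList"]) for a in ("40", "41", "42")})
ACTION_REQUIREMENTS.update({a: ({"l3"}, ["FingerPrintRuleList"]) for a in ("50", "51", "52")})
ACTION_REQUIREMENTS.update({a: ({"l4"}, ["Layer4RuleList"]) for a in ("61", "62", "63")})


def _in_range(value, lo, hi):
    return isinstance(value, int) and not isinstance(value, bool) and lo <= value <= hi


def _check_ports(tag, rule):
    """Port-range, protocol and SeqNo checks shared by PortRuleList and FingerPrintRuleList."""
    errors = []
    for start, end in (("SrcPortStart", "SrcPortEnd"), ("DstPortStart", "DstPortEnd")):
        if not (_in_range(rule.get(start), 0, 65535) and _in_range(rule.get(end), 0, 65535)):
            errors.append(f"{tag}: {start}/{end} must be integers from 0 to 65535")
        elif rule[start] > rule[end]:
            errors.append(f"{tag}: {start} must not exceed {end}")
    if rule.get("Protocol") not in ("tcp", "udp"):
        errors.append(f"{tag}: Protocol must be tcp or udp")
    if not _in_range(rule.get("SeqNo"), 0, 2**31):
        errors.append(f"{tag}: SeqNo must be an integer")
    return errors


def validate_policy(props: dict) -> list:
    """Return the list of constraint violations; an empty list means the properties look valid."""
    errors = []
    ptype = props.get("Type")
    if ptype not in ("l3", "l4"):
        errors.append("Type must be l3 (IP-specific) or l4 (port-specific)")
    content = props.get("Content") or {}
    present = set(props) | set(content)
    action = props.get("ActionType")
    if action is not None and action not in ACTION_REQUIREMENTS:
        errors.append(f"unknown ActionType {action}")
    elif action is not None:
        allowed, keys = ACTION_REQUIREMENTS[action]
        if ptype in ("l3", "l4") and ptype not in allowed:
            errors.append(f"ActionType {action} is not supported for policy type {ptype}")
        satisfied = bool(keys & present) if isinstance(keys, set) else all(k in present for k in keys)
        if not satisfied:
            errors.append(f"ActionType {action} requires {sorted(keys)}")
    for key, limit, where in (("BlackIpList", 1999, props), ("WhiteIpList", 1999, props),
                              ("PortRuleList", 8, content), ("FingerPrintRuleList", 8, content),
                              ("Layer4RuleList", 8, content)):
        if len(where.get(key) or []) > limit:
            errors.append(f"{key} may hold at most {limit} entries")
    for i, rule in enumerate(content.get("PortRuleList") or []):
        errors += _check_ports(f"PortRuleList[{i}]", rule)
    for i, rule in enumerate(content.get("FingerPrintRuleList") or []):
        tag = f"FingerPrintRuleList[{i}]"
        errors += _check_ports(tag, rule)
        for key, lo, hi in (("MinPktLen", 1, 1500), ("MaxPktLen", 1, 1500), ("Offset", 0, 1500)):
            if not _in_range(rule.get(key, 0), lo, hi):
                errors.append(f"{tag}: {key} must be from {lo} to {hi}")
        if rule.get("MatchAction") in ("ip_rate", "session_rate") and not _in_range(rule.get("RateValue"), 1, 100000):
            errors.append(f"{tag}: RateValue (1 to 100000) is required when MatchAction is {rule['MatchAction']}")
    for i, rule in enumerate(content.get("Layer4RuleList") or []):
        tag = f"Layer4RuleList[{i}]"
        if rule.get("Method") not in ("char", "hex"):
            errors.append(f"{tag}: Method must be char or hex")
        for key, lo, hi in (("Limited", 0, 2048), ("Priority", 1, 100)):
            if not _in_range(rule.get(key), lo, hi):
                errors.append(f"{tag}: {key} must be from {lo} to {hi}")
        for j, cond in enumerate(rule.get("ConditionList") or []):
            ctag, arg = f"{tag}.ConditionList[{j}]", str(cond.get("Arg", ""))
            for key, lo, hi in (("Position", 0, 2047), ("Depth", 1, 2048)):
                if not _in_range(cond.get(key), lo, hi):
                    errors.append(f"{ctag}: {key} must be from {lo} to {hi}")
            if len(arg) > 2048 or not arg.isascii():
                errors.append(f"{ctag}: Arg must be ASCII and at most 2,048 characters")
            elif rule.get("Method") == "hex" and any(c not in "0123456789abcdefABCDEF" for c in arg):
                errors.append(f"{ctag}: Arg must be a hexadecimal string when Method is hex")
    return errors


# Constructed sample inputs (not the page's template example).
GOOD_POLICY = {"PolicyName": "example-l3", "Type": "l3", "ActionType": "50", "Content": {
    "FingerPrintRuleList": [{"SeqNo": 1, "Protocol": "udp", "SrcPortStart": 0, "SrcPortEnd": 65535,
                             "DstPortStart": 1024, "DstPortEnd": 65535, "MinPktLen": 1, "MaxPktLen": 1500,
                             "Offset": 0, "PayloadBytes": "deadbeef", "MatchAction": "ip_rate", "RateValue": 100}]}}
BAD_POLICY = {"PolicyName": "example-l4", "Type": "l4", "ActionType": "50", "Content": {  # 50 is l3-only
    "FingerPrintRuleList": [{"SeqNo": 1, "Protocol": "tcp", "SrcPortStart": 0, "SrcPortEnd": 70000,
                             "DstPortStart": 80, "DstPortEnd": 80, "MinPktLen": 1, "MaxPktLen": 1500,
                             "MatchAction": "session_rate"}],  # RateValue missing
    "Layer4RuleList": [{"Name": "r1", "Action": "2", "Method": "hex", "Match": "0", "Limited": 0, "Priority": 1,
                        "ConditionList": [{"Position": 0, "Depth": 2, "Arg": "zz"}]}]}}
```

validate_policy(GOOD_POLICY) returns an empty list, while validate_policy(BAD_POLICY) reports four problems: ActionType 50 on an l4 policy, a SrcPortEnd above 65535, a session_rate rule without RateValue, and a hex-method condition whose Arg is not hexadecimal. Feed it the Properties map of each ALIYUN::DDoS::Policy resource after loading the template with a YAML or JSON parser.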

Return values

Fn::GetAtt

  • Type: the type of the policy.

  • Content: the content of the policy.

  • PolicyName: the name of the policy.

  • PolicyId: the ID of the policy.

Examples

YAML

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  PolicyName:
    Description:
      en: The name of the policy.
    Required: true
    Type: String
    Default: test_policy_312
Resources:
  ExtensionResource:
    Properties:
      Content:
        EnableIntelligence: true
        SourceBlockList:
          - Type: 4
            ExceedLimitTimes: 5
            EverySeconds: 60
            BlockExpireSeconds: 1200
          - Type: 3
            ExceedLimitTimes: 5
            EverySeconds: 60
            BlockExpireSeconds: 2400
          - Type: 6
            ExceedLimitTimes: 5
            EverySeconds: 60
            BlockExpireSeconds: 3360
          - Type: 5
            ExceedLimitTimes: 5
            EverySeconds: 60
            BlockExpireSeconds: 180
        EnableDropIcmp: true
        PortRuleList:
          - SrcPortEnd: 65535
            SrcPortStart: 0
            SeqNo: 1
            DstPortStart: 0
            DstPortEnd: 65535
            MatchAction: drop
            Protocol: udp
          - SrcPortEnd: 65535
            SrcPortStart: 333
            SeqNo: 2
            DstPortStart: 666
            DstPortEnd: 65535
            MatchAction: drop
            Protocol: tcp
        IntelligenceLevel: weak
        RegionBlockProvinceList:
          - 11
        ReflectBlockUdpPortList:
          - 137
          - 99
          - 916
        FingerPrintRuleList:
          - SrcPortEnd: 65535
            SrcPortStart: 56
            SeqNo: 1
            PayloadBytes: '16'
            RateValue: 100
            DstPortStart: 69
            MatchAction: ip_rate
            Offset: 56
            MaxPktLen: 33
            DstPortEnd: 65535
            MinPktLen: 2
            Protocol: tcp
        SourceLimit:
          Pps: 66
          SynBps: 1024
          Bps: 1024
          SynPps: 66
        BlackIpListExpireAt: 1734489860
      PolicyName:
        Ref: PolicyName
    Type: ALIYUN::DDoS::Policy
Outputs:
  Content:
    Description: Configuration Content.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - Content
  PolicyId:
    Description: The ID of the policy.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - PolicyId
  PolicyName:
    Description: The name of the policy.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - PolicyName
  Type:
    Description: The type of the policy.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - Type

JSON

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "PolicyName": {
      "Description": {
        "en": "The name of the policy."
      },
      "Required": true,
      "Type": "String",
      "Default": "test_policy_312"
    }
  },
  "Resources": {
    "ExtensionResource": {
      "Properties": {
        "Content": {
          "EnableIntelligence": true,
          "SourceBlockList": [
            {
              "Type": 4,
              "ExceedLimitTimes": 5,
              "EverySeconds": 60,
              "BlockExpireSeconds": 1200
            },
            {
              "Type": 3,
              "ExceedLimitTimes": 5,
              "EverySeconds": 60,
              "BlockExpireSeconds": 2400
            },
            {
              "Type": 6,
              "ExceedLimitTimes": 5,
              "EverySeconds": 60,
              "BlockExpireSeconds": 3360
            },
            {
              "Type": 5,
              "ExceedLimitTimes": 5,
              "EverySeconds": 60,
              "BlockExpireSeconds": 180
            }
          ],
          "EnableDropIcmp": true,
          "PortRuleList": [
            {
              "SrcPortEnd": 65535,
              "SrcPortStart": 0,
              "SeqNo": 1,
              "DstPortStart": 0,
              "DstPortEnd": 65535,
              "MatchAction": "drop",
              "Protocol": "udp"
            },
            {
              "SrcPortEnd": 65535,
              "SrcPortStart": 333,
              "SeqNo": 2,
              "DstPortStart": 666,
              "DstPortEnd": 65535,
              "MatchAction": "drop",
              "Protocol": "tcp"
            }
          ],
          "IntelligenceLevel": "weak",
          "RegionBlockProvinceList": [
            11
          ],
          "ReflectBlockUdpPortList": [
            137,
            99,
            916
          ],
          "FingerPrintRuleList": [
            {
              "SrcPortEnd": 65535,
              "SrcPortStart": 56,
              "SeqNo": 1,
              "PayloadBytes": "16",
              "RateValue": 100,
              "DstPortStart": 69,
              "MatchAction": "ip_rate",
              "Offset": 56,
              "MaxPktLen": 33,
              "DstPortEnd": 65535,
              "MinPktLen": 2,
              "Protocol": "tcp"
            }
          ],
          "SourceLimit": {
            "Pps": 66,
            "SynBps": 1024,
            "Bps": 1024,
            "SynPps": 66
          },
          "BlackIpListExpireAt": 1734489860
        },
        "PolicyName": {
          "Ref": "PolicyName"
        }
      },
      "Type": "ALIYUN::DDoS::Policy"
    }
  },
  "Outputs": {
    "Content": {
      "Description": "Configuration Content.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "Content"
        ]
      }
    },
    "PolicyId": {
      "Description": "The ID of the policy.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "PolicyId"
        ]
      }
    },
    "PolicyName": {
      "Description": "The name of the policy.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "PolicyName"
        ]
      }
    },
    "Type": {
      "Description": "The type of the policy.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "Type"
        ]
      }
    }
  }
}