
Anti-DDoS: Configure the global mitigation policy feature

Last Updated: Jul 24, 2024

After you add your service to an Anti-DDoS Proxy instance for protection, a global mitigation policy is automatically bound to the instance. This policy can effectively reduce the risks that are caused when an attack occurs. This topic describes the built-in global mitigation policies and how to configure a policy.

What is a global mitigation policy?

A global mitigation policy is a collection of common mitigation rules that are accumulated from a large number of daily attack and defense events handled by the anti-DDoS engine. The policy can mitigate volumetric attacks with known characteristics. When an attack with known characteristics occurs, the policy immediately takes effect and reduces the risks caused by the attack.  

A global mitigation policy takes effect on all service resources that are added to an Anti-DDoS Proxy instance for protection. If multiple websites, application services, and cross-region service nodes are added to the same Anti-DDoS Proxy instance for protection, the global mitigation policy bound to the instance takes effect on all protected objects.

Note

A global mitigation policy takes effect only when the IP address of an Anti-DDoS Proxy instance is under attack.

Policy description

The built-in global mitigation policies are Normal, Loose, and Strict. If you purchase an Anti-DDoS Proxy instance, the Normal global mitigation policy is automatically applied. If the built-in global mitigation policies do not meet your requirements, contact your account manager to create custom global mitigation policies.

Policy: Loose

Mitigation method:

  • Filters out malformed packets that do not conform to protocol specifications.

  • Filters out TCP, UDP, and ICMP packets that have clear attack characteristics.

  • Filters out fragmented packets and packets that are not transmitted over TCP, UDP, or ICMP.

  • Filters out all traffic that does not conform to the protocol of the forwarding port.

Description: The Loose global mitigation policy protects only against packets that have clear attack characteristics. However, traffic of complicated attacks may be transparently transmitted to your origin server. We recommend that you select this policy only if false positives are generated for your service.

Policy: Normal

Mitigation method:

  • Filters out malformed packets that do not conform to protocol specifications.

  • Filters out TCP, UDP, and ICMP packets that have clear attack characteristics.

  • Filters out fragmented packets and packets that are not transmitted over TCP, UDP, or ICMP.

  • Filters out all traffic that does not conform to the protocol of the forwarding port.

  • Verifies some IP addresses from which abnormal requests are initiated and implements rate limiting on the IP addresses.

  • Verifies UDP packets and limits UDP packets based on the verification results.

Description: The Normal global mitigation policy balances between service availability and protection effectiveness. This policy is suitable for most services and can mitigate common DDoS attacks.

Policy: Strict

Mitigation method:

  • Filters out malformed packets that do not conform to protocol specifications.

  • Filters out TCP, UDP, and ICMP packets that have clear attack characteristics.

  • Filters out fragmented packets and packets that are not transmitted over TCP, UDP, or ICMP.

  • Filters out all traffic that does not conform to the protocol of the forwarding port.

  • Strictly verifies some IP addresses from which requests are initiated and implements rate limiting on the IP addresses.

  • Strictly verifies UDP packets and limits UDP packets based on the verification results.

Description: The Strict global mitigation policy provides strong protection. In rare cases, false positives may be generated. We recommend that you select this policy only if attack traffic is transparently transmitted to your origin server.
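To gauge false-positive risk for your own traffic, the following added example (not Alibaba Cloud code, and not a description of how the anti-DDoS engine is implemented) models only the baseline rules whose criteria this page states explicitly: fragmented packets, protocols other than TCP, UDP, or ICMP, and traffic that does not match the forwarding port's protocol. The function names, the port-to-protocol dictionary, and the sample packets are assumptions constructed for illustration.

```python
import struct

# IANA protocol numbers for the three protocols the policies let through.
ALLOWED = {1: "icmp", 6: "tcp", 17: "udp"}

def classify(packet: bytes, forwarding_rules: dict) -> str:
    """Return 'pass' or the modelled rule that would filter this IPv4 packet.

    forwarding_rules (assumed shape): destination port -> 'tcp' or 'udp'.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"  # outside what this sketch models
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "malformed-header"
    (flags_frag,) = struct.unpack("!H", packet[6:8])
    proto = packet[9]
    # More Fragments flag (0x2000) set or non-zero offset (0x1FFF) => fragment.
    if flags_frag & 0x2000 or flags_frag & 0x1FFF:
        return "fragmented"
    if proto not in ALLOWED:
        return "protocol-not-tcp-udp-icmp"
    if proto in (6, 17) and len(packet) >= ihl + 4:
        (dport,) = struct.unpack("!H", packet[ihl + 2:ihl + 4])
        expected = forwarding_rules.get(dport)
        # Ports without a rule are not covered by the page; left as 'pass'.
        if expected is not None and expected != ALLOWED[proto]:
            return "port-protocol-mismatch"
    return "pass"

def summarize(packets, forwarding_rules):
    """Count outcomes so unexpected drops of legitimate traffic stand out."""
    counts = {}
    for pkt in packets:
        outcome = classify(pkt, forwarding_rules)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts

def ipv4(proto, dport=0, flags_frag=0):
    """Constructed sample: 20-byte IPv4 header plus an 8-byte L4 stub."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, flags_frag, 64, proto,
                      0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return hdr + struct.pack("!HHHH", 40000, dport, 8, 0)

RULES = {443: "tcp", 53: "udp"}  # constructed forwarding rules
SAMPLES = [ipv4(6, 443), ipv4(17, 443), ipv4(17, 53, 0x2000), ipv4(47), ipv4(1)]

if __name__ == "__main__":
    print(summarize(SAMPLES, RULES))
```

Run it over headers taken from a capture of your own legitimate traffic: any outcome other than `pass` is traffic that the baseline rules, which appear in all three built-in policies, are described as filtering.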

Prerequisites

A website service or non-website service is added to Anti-DDoS Proxy. For more information, see Add websites or Manage forwarding rules.

Configure a global mitigation policy

  1. Log on to the Anti-DDoS Proxy console.

  2. In the left-side navigation pane, choose Mitigation Settings > General Policies.

  3. In the Anti-DDoS Global Mitigation Policy section of the Protection for Infrastructure tab, select a global mitigation policy from the Mitigation Policy drop-down list. You can select Loose, Normal, or Strict.