
Anti-DDoS(Outside Chinese Mainland)

Apr 08, 2026
Domain Name Access page, you need to "Add Website", fill in the information of the site to be protected, and complete the required fields as specified.

3.3.2 Port Access Configuration

Port Access: When integrating non-website services (e.g., client applications) with DDoS Protection, it is necessary to configure port forwarding rules. This ensures that business traffic is first scrubbed by the DDoS Protection service before being forwarded to your origin servers.

In the left-hand navigation pane, select Access Management > Port Access. After selecting the DDoS Protection instance, click "Add Port Forwarding Rule". Complete the rule configuration and click "Confirm".

Note: A rule marked with an exclamation mark icon next to the forwarding protocol indicates that it was automatically generated when configuring website services, specifically for forwarding website traffic. Such rules do not support manual editing or deletion. They will be automatically removed once all associated website configurations using that rule are disassociated from the current DDoS Protection instance. For details on configuring website services, please refer to "Add Website Configuration".
- If the server port in the website configuration is 80, a rule with forwarding protocol TCP and forwarding port 80 will be automatically generated.
- If the server port in the website configuration is 443, a rule with forwarding protocol TCP and forwarding port 443 will be automatically generated.

3.3.3 Traffic Dispatcher

Traffic Dispatcher: Equipped with built-in DDoS protection and scrubbing capabilities, it provides access acceleration and advanced protection for all integrated services. When under attack, there is no need to switch to a DDoS Protection (Non-Chinese Mainland) line to mitigate DDoS attacks. It achieves direct scrubbing and protection while maintaining fast access to business services.
- Important: The Secure Acceleration line only protects business traffic from within Mainland China; routing for non-Mainland China access will not work. If you have business access requirements outside Mainland China, you must combine it with DDoS Protection (Non-Chinese Mainland) - Insurance Plan or Unlimited Plan, using the Traffic Dispatcher solution for access.
- Acceleration Line: Provides access acceleration capabilities but does not include DDoS protection and scrubbing capabilities. It must be deployed simultaneously with DDoS Protection (Non-Chinese Mainland) - Insurance Plan or Unlimited Plan. When under attack, mitigation can only be achieved by switching to the DDoS Protection (Non-Chinese Mainland) line. If attacks are frequent, frequent line switching will be required.
- Restriction: When accessing the Secure Acceleration line via port configuration, UDP port access is not supported.

3.4 Protection Management

The Protection Management section describes the protection configurations you can set up. It supports protection at the Instance, Domain, and Port levels.

3.4.1 Instance Protection

3.4.1.1 Blacklist/Whitelist

Allows you to set up blacklists and whitelists for your DDoS Protection instance to block or allow access requests from specified IP addresses. Once configured, these settings apply to all services under that instance.
- Access traffic from IP addresses on the Blacklist will be directly dropped by the DDoS Protection instance.
- Access traffic from IP addresses on the Whitelist will be directly allowed by the DDoS Protection instance. If an IP address appears in both the blacklist and whitelist, the Whitelist takes precedence.
- DDoS Protection supports both instance-level and domain-level blacklists/whitelists. Domain-level Blacklist/Whitelist: Applies only to the specific domain(s).
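A pre-submission check for a blacklist/whitelist pair, given here as an added example and not taken from the vendor's documentation or tooling. It applies the entry restrictions this guide lists under "Limits" in section 3.4.3.3 and resolves a source address with the whitelist taking precedence; the function names and the "protect" label for unlisted traffic are assumptions of the example.

```python
import ipaddress

# Limits quoted from section 3.4.3.3 of this guide.
PREFIX_RANGE = {4: (8, 32), 6: (32, 128)}
FORBIDDEN = {"0.0.0.0", "255.255.255.255", "::",
             "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"}
PLAN_LIMIT = {"standard": 200, "enhanced": 2000}


def validate_entries(entries, ip_version, plan="standard"):
    """Check one list (all blacklist or all whitelist entries of the account).

    Returns (networks, errors). ip_version is 4 or 6, matching the instance.
    """
    networks, errors = [], []
    if len(entries) > PLAN_LIMIT[plan]:
        errors.append(f"{len(entries)} entries exceed the {plan} limit "
                      f"of {PLAN_LIMIT[plan]}")
    for raw in entries:
        try:
            # strict=False normalises 10.1.2.3/8 to 10.0.0.0/8 (a choice made
            # here; the guide does not say how host bits are treated).
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            errors.append(f"{raw}: not an IP address or CIDR block")
            continue
        low, high = PREFIX_RANGE[net.version]
        if net.version != ip_version:
            errors.append(f"{raw}: IPv{net.version} entry on an "
                          f"IPv{ip_version} instance")
        elif not low <= net.prefixlen <= high:
            errors.append(f"{raw}: prefix must be /{low} to /{high}")
        elif net.num_addresses == 1 and str(net.network_address) in FORBIDDEN:
            errors.append(f"{raw}: address not allowed in a list")
        else:
            networks.append(net)
    return networks, errors


def effective_action(src, blacklist, whitelist):
    """Whitelist wins when an address matches both lists."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in whitelist):
        return "allow"
    if any(addr in net for net in blacklist):
        return "drop"
    return "protect"  # on neither list: normal protection policies apply


def shadowed(blacklist, whitelist):
    """Blacklist entries that a whitelist entry overrides, fully or partly."""
    return [(b, w) for b in blacklist for w in whitelist if b.overlaps(w)]
```

Running `shadowed` before saving a change shows which blacklist ranges a whitelist entry will silently reopen.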
3.4.1.2 Regional Blocking

Regional Blocking enables one-click blocking of access traffic from specified geographical regions at the DDoS scrubbing centers, achieving the goal of blocking illegitimate requests. DDoS Protection supports two types of regional blocking policies: Instance-level Regional Blocking and Domain-level Regional Blocking.
- Instance-level Regional Blocking (as described in this section): The blocking policy applies to all services protected by the DDoS Protection instance.
- Domain-level Regional Blocking: The blocking policy applies only to the specified domain(s).

General Guideline: For port-based services, configure Instance-level Regional Blocking. For website services, configure Domain-level Regional Blocking. If both are configured simultaneously, the Instance-level policy takes precedence.
- Usage Limitation: This feature does not support batch operations. If you need to enable regional blocking for multiple DDoS Protection instances, you must configure them separately.

3.4.1.3 UDP Reflection Attack Protection

After configuring UDP port forwarding rules, DDoS Protection will, by default, block some commonly used ports associated with UDP reflection attacks. If these blocked ports conflict with your business requirements, or if you wish to manually block other UDP ports, you can adjust the list of blocked ports.

Important Notes:
- Only DDoS Protection instances purchased with the Enhanced Feature Package support configuring UDP Reflection Attack Protection.
- If you have not added any port forwarding rules on the Port Access page, or have only added TCP protocol forwarding rules, DDoS Protection will by default discard all UDP protocol traffic. In this case, you do not need to configure UDP Reflection Attack Protection. This setting is only required after UDP port forwarding rules have been configured.
- UDP Reflection Attack Protection is applied at the DDoS Protection instance level.
  All UDP port forwarding rules configured on the instance will use the filtering policies set here.
- The UDP ports blocked by DDoS Protection by default (as part of the one-click filtering strategy) include: 17, 19, 69, 111, 123, 137, 161, 389, 1194, 1900, 3389, 3702, 11211.

3.4.2 Port Protection

Intelligent Protection Feature

DDoS Protection instances have the Intelligent Protection feature enabled by default. This feature employs algorithms to autonomously learn the historical traffic patterns of the integrated services and adaptively adjusts layer-4 traffic scrubbing policies to provide defense effects tailored to the specific business scenarios. After integrating your service with DDoS Protection, you will automatically receive Normal-level Intelligent Protection capability without any manual configuration required. If the defensive effectiveness of the Normal level is not ideal, you can manually select a more Permissive or Strict Intelligent Protection level based on your actual needs.

Anti-DDoS Proxy allows you to configure a DDoS mitigation policy to protect non-website services against Layer 4 DDoS attacks. The policy includes the following features: false source, empty connection, rate limit for source, and speed limit for destination. This topic describes how to add a DDoS mitigation policy.

For non-website services, a DDoS mitigation policy is configured based on IP addresses and ports. To mitigate connection-oriented DDoS attacks, you can configure the request rate, packet length, and other parameters based on your business requirements. A DDoS mitigation policy only applies to ports.

Anti-DDoS Proxy allows you to configure the following features in a DDoS mitigation policy for non-website services:
- False Source: Verifies and filters DDoS attacks initiated from forged IP addresses.
- Advanced Attack Mitigation: Detects and mitigates DDoS attacks that rapidly send an excessively large number of abnormal packets following a TCP three-way handshake, typically from botnets like Mirai.
- Packet Feature Filtering: Accurately distinguishes between normal service traffic and attack traffic by analyzing packet payloads to protect against attacks. This feature also allows you to configure access control rules based on application-layer protocols.
- Whitelist: Sets a whitelist based on ports, allowing access requests from whitelisted IPs to pass through without interception.
- Rate Limit for Source: Limits the data transfer rate of a source IP address based on the IP address and port of an instance if the access requests exceed an upper limit. The data transfer rates of source IP addresses from which access requests do not exceed the upper limits are not limited. The rate limit for source feature supports blacklist settings. You can add an IP address from which access requests exceed an upper limit five times within 60 seconds to a blacklist. You can also specify the blocking period for a blacklist.
- Speed Limit for Destination: Limits the data transfer rate of the port used by an instance based on the IP address and port of the instance if the transfer rate exceeds an upper limit. The data transfer rates of other ports are not limited.
- Packet Length Limit: Specifies the minimum and maximum lengths of packets that are allowed to pass through. Packets with invalid lengths are discarded.

3.4.3 Website Protection

3.4.3.1 Use the intelligent protection feature

The intelligent protection feature is automatically enabled for website services that are added to Anti-DDoS Pro or Anti-DDoS Premium. The intelligent protection feature automatically learns traffic patterns to detect and block new types of HTTP flood attacks. This topic describes how to use the intelligent protection feature.
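Returning to the Rate Limit for Source blacklist setting listed under section 3.4.2 (five times over the limit within 60 seconds): the following model is an added example, not the product's implementation, for reasoning about which legitimate sources a chosen limit would blacklist. It assumes one-second measurement intervals and that each interval over the limit counts as one "time"; the class, the verdict labels and the traffic schedule are constructed for illustration.

```python
from collections import Counter, defaultdict, deque


class SourceRateLimiter:
    """Model of Rate Limit for Source with the blacklist setting enabled.

    Assumption of this sketch: traffic is measured in one-second intervals,
    and each interval in which a source goes over the limit counts as one
    "time" of exceeding it. Timestamps are integer milliseconds.
    """

    def __init__(self, limit_per_sec, block_ms, strikes=5, window_ms=60_000):
        self.limit = limit_per_sec
        self.block_ms = block_ms           # operator-chosen blocking period
        self.max_strikes = strikes         # "five times"
        self.window_ms = window_ms         # "within 60 seconds"
        self.bucket = {}                   # src -> (second, packets seen)
        self.strikes = defaultdict(deque)  # src -> times the limit was exceeded
        self.blocked_until = {}            # src -> end of blocking period

    def handle(self, ts_ms, src):
        if self.blocked_until.get(src, 0) > ts_ms:
            return "blacklisted"
        sec = ts_ms // 1000
        last_sec, count = self.bucket.get(src, (sec, 0))
        count = count + 1 if last_sec == sec else 1
        self.bucket[src] = (sec, count)
        if count <= self.limit:
            return "pass"
        if count == self.limit + 1:        # first excess packet of the interval
            hits = self.strikes[src]
            hits.append(ts_ms)
            while hits[0] <= ts_ms - self.window_ms:
                hits.popleft()             # forget strikes older than the window
            if len(hits) >= self.max_strikes:
                self.blocked_until[src] = ts_ms + self.block_ms
                hits.clear()
                return "blacklisted"
        return "limited"


def simulate(limiter, schedule):
    """schedule: {src: [(second, packets_in_that_second), ...]} (constructed)."""
    verdicts = defaultdict(Counter)
    for src, bursts in schedule.items():
        for second, packets in bursts:
            for i in range(packets):
                verdicts[src][limiter.handle(second * 1000 + i, src)] += 1
    return verdicts


# Constructed traffic for a limit of 10 packets per second per source.
SCHEDULE = {
    "bursty-5-in-40s": [(s, 11) for s in (0, 10, 20, 30, 40)],
    "bursty-5-in-80s": [(s, 11) for s in (0, 20, 40, 60, 80)],
    "steady-at-limit": [(s, 10) for s in range(60)],
}
```

With a limit of 10, the source that overshoots by a single packet five times in 40 seconds is blacklisted, while the same overshoot spread over 80 seconds is only rate-limited.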
Anti-DDoS Pro and Anti-DDoS Premium provide the intelligent protection feature based on traditional attack mitigation methods for various business forms and ever-changing attack scenarios. The intelligent protection feature is developed based on the big data technologies of Alibaba Cloud. The feature automatically learns traffic patterns and uses algorithms to analyze attacks. Then, the feature applies accurate access control rules to adjust protection modes and to detect and block attacks at the earliest opportunity. The attacks include web attacks, such as bots and HTTP flood attacks.

3.4.3.2 Configure the global mitigation policy feature

The global mitigation policy feature contains general mitigation rules that are accumulated based on the attack and defense experience of Anti-DDoS Proxy. After you enable the global mitigation policy feature, the feature can help reduce the risks that are caused by attacks on your websites. This topic describes how to configure the global mitigation policy feature.

The global mitigation policy feature supports the following modes: Loose, Normal, and Strict. The following table describes the modes.

After you configure a forwarding rule for a domain name, Anti-DDoS Proxy automatically enables the global mitigation policy feature and uses the Normal mode for the domain name. You can change the mode based on your business requirements.

3.4.3.3 Configure blacklists and whitelists for domain names

Anti-DDoS Proxy offers a feature for blacklisting or whitelisting domain names, allowing or blocking access requests from specific IP addresses without applying any protection policies. This topic outlines the steps to configure this feature.

When you add a website service to an Anti-DDoS Proxy instance, you can blacklist malicious IP addresses with high access volumes to block their requests.
Conversely, you can whitelist trusted IP addresses, such as those from internal office networks, business interface calls, or other verified IPs, to permit their requests and bypass blocking. If an IP address is on both the blacklist and the whitelist, the whitelist takes precedence.

Anti-DDoS Proxy supports two types of blacklists and whitelists: IP-address-based and domain-name-based.
- IP-address-based blacklist or whitelist: This feature is applicable to all services added to an instance and can be enabled for port services. For more information, see Configure blacklists and whitelists for IP addresses.
- Domain-name-based blacklist or whitelist: This feature is specific to designated domain names.

Limits
- IP and CIDR Block Limits:
  Standard Plan: You can add up to 200 IP addresses or CIDR blocks to all domain name blacklists and another 200 to all domain name whitelists under the same Alibaba Cloud account.
  Enhanced Plan: You can add up to 2,000 IP addresses or CIDR blocks to all domain name blacklists and another 2,000 to all domain name whitelists under the same Alibaba Cloud account.
- Once enabled, the settings are applied to each instance associated with the domain names and immediately affect the traffic of the domain names.
- Configuration restrictions for blacklist and whitelist:
  1. IPv4-only instances support IPv4 addresses or CIDR blocks, while IPv6-only instances support IPv6 addresses or CIDR blocks.
  2. IPv4 CIDR blocks range from /8 to /32, and IPv6 CIDR blocks range from /32 to /128.
  3. IPv4 addresses cannot be set to 0.0.0.0 or 255.255.255.255, and IPv6 addresses cannot be set to :: or ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.

3.4.3.4 Configure the location blacklist (domain names) feature

This topic describes how to configure a location blacklist for a website that is protected by an Anti-DDoS Proxy instance.
After you enable the feature, you can add a location to the location blacklist to block requests from IP addresses that reside within the location with a few clicks.

Regional Blocking (for Domains) only supports protecting website services. For non-website services with similar requirements, it is recommended that you configure traffic blocking under the Infrastructure DDoS Protection policy.

The system does not support bulk configuration of regional blocking for multiple domains. If you need to set regional blocking for multiple domains, you must configure them individually.

Regional Blocking (for Domains) identifies and filters traffic within the DDoS Protection system based on the geographical region of the source IP. It does not reduce the volume of attack traffic entering the protection network.

3.4.3.5 Configure HTTP flood protection

After you add your website to Anti-DDoS, you can configure rules based on specific HTTP field characteristics if you experience an HTTP flood attack. These rules enhance the detection and blocking of HTTP flood attacks and can be used for scenarios such as hotlink protection and protecting your website's management backend. This topic describes how to configure HTTP flood mitigation policies.

- Introduction to products that defend against HTTP flood attacks

A Challenge Collapsar (CC) attack is a type of distributed denial-of-service (DDoS) attack. CC attacks are typically Application-layer attacks. In a CC attack, an attacker uses multiple controlled hosts to continuously send forged HTTP or HTTPS requests to a target web server. For example, an attacker might frequently request a search or logon page that consumes a large amount of server resources. This exhausts the server's resources or network bandwidth, which causes the website to respond slowly and become unable to process requests from legitimate users.
Unlike traditional network-layer DDoS attacks, HTTP flood attacks are more stealthy because they mimic legitimate user requests. To improve the security of your website services, Alibaba Cloud provides Anti-DDoS Pro, Anti-DDoS Premium, and Web Application Firewall (WAF) to defend against HTTP flood attacks.

- Anti-DDoS Pro and Anti-DDoS Premium

Anti-DDoS Pro and Anti-DDoS Premium focus on protecting against volumetric attacks. These products ensure that your network infrastructure is not affected by bandwidth or resource exhaustion. They are typically deployed at the network edge. Anti-DDoS Pro and Anti-DDoS Premium provide intelligent protection and HTTP flood mitigation to defend against HTTP flood attacks.
1. Intelligent protection: This feature uses Alibaba Cloud's big data capabilities to learn your website's traffic patterns. The feature uses algorithms to analyze attack anomalies and automatically generates accurate access control rules. It dynamically adjusts the protection model for your services to help you promptly detect and block malicious web attacks, such as malicious bots and HTTP flood attacks. After you add a website to Anti-DDoS Pro or Anti-DDoS Premium, intelligent protection is enabled by default. For more information, see Configure intelligent protection.
2. HTTP flood mitigation: This is the feature described in this topic. If your website is under an HTTP flood attack, you can analyze the characteristics of its HTTP request fields. You can then create accurate access control rules or frequency control rules for your website. These rules use measures such as rate limiting, behavior analysis, and IP blacklists to improve your defense against DDoS attacks.

- Web Application Firewall (WAF)

WAF primarily analyzes HTTP and HTTPS traffic at the application layer. It identifies and protects against malicious patterns in the service traffic of your website or application.
This prevents issues, such as performance degradation, that are caused by malicious intrusions into your web server. WAF uses multiple methods to identify and defend against application-layer attacks. These methods include input validation, rule sets for specific vulnerabilities, session tracing, and protection mechanisms such as verification codes, JavaScript challenges, and cookie validation. WAF is typically deployed close to the server. This deployment allows WAF to closely monitor traffic that reaches the server and enforce application-layer security policies.

The two products have different protection focuses. If your primary concern is HTTP flood attacks, Anti-DDoS Pro and Anti-DDoS Premium are recommended if the attack volume is high, for example, if an attack makes your website inaccessible. If the attack volume is not high, for example, if your website is only responding slowly, Web Application Firewall is recommended. However, for the best protection, we recommend that you deploy both products. This deployment ensures that your website services are protected from malicious traffic and attackers.

3.5 Query and analysis

3.5.1 View information on the Attack Analysis page

After you add your service to your Anti-DDoS Proxy instance, you can view the events and details of attacks that are detected on the instance, to obtain information such as the source IP addresses of attacks, distribution of attack types, and attack distribution by source location. This helps ensure a transparent protection process and improve user experience of protection analysis. You can also specify custom configurations. This topic describes how to query attack events on the Attack Analysis page.

Attack event types:
- Web Resource Exhaustion: Attackers simulate regular users to send service requests to a web service whose domain name is added to an Anti-DDoS Proxy instance. The attackers frequently access pages that consume a large number of resources in the web service.
  As a result, the resources of the servers are exhausted, and the web service cannot respond to normal service requests. If attackers send service requests to multiple domain names that are added to an Anti-DDoS Proxy instance at the same time, multiple attack events of the Web Resource Exhaustion type are recorded.
- Connection Type: Attackers establish TCP or UDP connections to a service port that is added to an Anti-DDoS Proxy instance. As a result, the servers of the service are overloaded and cannot process new connection requests, and service failures may occur. If attackers send connection requests to multiple service ports that are added to an Anti-DDoS Proxy instance at the same time, multiple events of connection flood attacks are recorded.
- Volumetric: Attackers send a multitude of service requests from a large number of zombie servers to the IP address of an Anti-DDoS Proxy instance at the same time. As a result, the network devices and servers are overloaded, and network congestion and service failures may occur. If attackers send service requests to the IP addresses of multiple Anti-DDoS Proxy instances at the same time, multiple volumetric attack events are recorded.

3.5.1.1 Web Resource Exhaustion

3.5.1.2 Connection Type

3.5.1.3 Volumetric

3.6 Logs


Comprehensive DDoS protection for enterprises that intelligently defends against sophisticated DDoS attacks, reduces business loss risks, and mitigates potential security threats.