
Anti-DDoS:Configure port-specific mitigation policies

Last Updated:Feb 02, 2024

To protect elastic IP addresses (EIPs) with Anti-DDoS (Enhanced) enabled, you can configure port-specific mitigation policies that allow or discard traffic based on specific characteristics. These policies mitigate TCP flood attacks (application-layer flood attacks against non-website services) launched against your non-website services and let you monitor and filter application-layer traffic in a fine-grained manner. This topic describes how to configure port-specific mitigation policies.

Usage notes

  • Assets of regular Alibaba Cloud services support only IP-specific mitigation policies. EIPs with Anti-DDoS (Enhanced) enabled support both IP-specific and port-specific mitigation policies. If you configure both types of policy for an EIP, the IP-specific mitigation policy takes precedence.

  • You can associate only one port-specific mitigation policy with a port.

Prerequisites

A port of an EIP with Anti-DDoS (Enhanced) enabled is added to a mitigation policy on the Protected Objects page. For more information, see Add objects for protection.

Procedure

  1. Log on to the Traffic Security console.

  2. In the left-side navigation pane, choose Network Security > Anti-DDoS Origin > Mitigation Settings.

  3. Click Create Policy. In the Create Policy panel, configure Policy Name and select Port-specific Mitigation Policy in the Select Policy Type section. Then, click OK.

  4. In the "The policy is created." message, click OK.

  5. Click Create Rule, configure rules for the policy, and then click Next.

    Rule Name
      The name of the rule. You can add up to 10 rules to each mitigation policy.

    Minimum Bytes to Trigger Matching
      The minimum number of bytes that a session must contain before the rule is matched against it. Valid values: 0 to 2048. Default value: 0, which means that matching is triggered as soon as the session contains at least one byte.

      If you set this parameter to 1500 and a session contains fewer than 1500 bytes, the rule does not take effect on that session.

    Rule Type
      The type of matching to perform. Valid values: String Match (ASCII) and Hexadecimal String Match.

    Match Conditions
      • Start Position: the offset in the session at which detection starts. Valid values: 0 to 2047. The value 0 indicates the first byte, 1 indicates the second byte, and so on.

      • Match Range in Bytes from Start Position: the number of bytes, counted from the start position, that are inspected. Valid values: 1 to 2048. If you set Start Position to 10 and this parameter to 20, the eleventh to thirtieth bytes of the session are inspected.

      • Term to Match: the content to match. The term is a string of up to 2,048 characters. For Hexadecimal String Match, enter the bytes to match as hexadecimal digits.

    Priority
      The priority of the rule. A smaller value indicates a higher priority. Valid values: 1 to 100.

    Logical Operator
      The condition under which the action is performed. For example, Hit means that the action is performed on a session that matches the rule.

    Action
      The action taken on a session that hits the rule. The value is fixed as Discard.

  6. In the Protected Assets section of the Objects to Select step, search for the port and protocol that you want to protect by region, EIP name, or IP address. Select the Port/Protocol and click Add.

What to do next

  • To modify a port-specific mitigation policy, select Port-specific Mitigation Policy on the Mitigation Settings page. Find the policy that you want to modify and click Modify Protection Rule in the Actions column.

    Important

    After you modify a mitigation policy, the new mitigation policy takes effect on all protected objects. Proceed with caution.

  • To delete a port-specific mitigation policy, select Port-specific Mitigation Policy on the Mitigation Settings page. Find the policy that you want to delete and click Delete in the Actions column.

    Important

    If the mitigation policy that you want to delete is attached to an object, you cannot delete the mitigation policy. You must detach the mitigation policy from the protected object before you can delete the mitigation policy.

  • To attach a mitigation policy to an object for protection or detach a protected object from a mitigation policy, select Port-specific Mitigation Policy on the Mitigation Settings page. Find the policy that you want to manage and click Add Object for Protection in the Actions column.

Examples

Your game is deployed on an EIP with Anti-DDoS (Enhanced) enabled and provides its service over TCP on ports 8191 and 8192. We recommend that you block HTTP requests as part of daily operations after you add the game for protection. Alternatively, after the game is attacked, use a packet capture tool to analyze the characteristics of the attack requests and modify the port-specific mitigation policy accordingly.

The following table describes the configurations to block HTTP requests.

Minimum Bytes to Trigger Matching
  Set the value to 0.

Rule Type
  Select String Match (ASCII).

Match Conditions
  • Start Position: Set the value to 0.

  • Match Range in Bytes from Start Position: Set the value to 3.

  • Term to Match: Set the value to GET.

Priority
  Set the value to 1.

Logical Operator
  Set the value to Hit.

Action
  The value is fixed as Discard. When the first three bytes of a session are the string GET, the system discards the session. Sessions that start with other HTTP methods, such as POST or HEAD, do not hit this rule; add a separate rule for each method that you want to block, within the limit of 10 rules per policy. Before you enable the rule, confirm that the game's own protocol never begins a session with GET, because such sessions would also be discarded.
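The following script is an added example written for this page, not Alibaba Cloud code or an Alibaba Cloud API. It models how a port-specific rule from step 5 is evaluated against the first bytes of a TCP session, using the parameter semantics given above (0-based Start Position, Match Range in bytes, Minimum Bytes to Trigger Matching, ASCII or hexadecimal term, priority 1 to 100, action fixed to Discard), and runs the GET rule from this example, plus a HEAD rule and a hypothetical hexadecimal rule, over constructed sample sessions. The class and function names, the sample payloads, and the assumption that the term must appear entirely inside the inspected window are all constructed for illustration.

```python
"""Local model of port-specific mitigation rule evaluation (illustration only;
not an Alibaba Cloud API). Sample sessions and rule names are constructed."""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class PortRule:
    """One rule of a port-specific mitigation policy (up to 10 per policy)."""
    name: str
    min_bytes: int    # Minimum Bytes to Trigger Matching, 0-2048
    rule_type: str    # "ascii" (String Match) or "hex" (Hexadecimal String Match)
    start: int        # Start Position, 0-2047, 0 = first byte of the session
    length: int       # Match Range in Bytes from Start Position, 1-2048
    term: str         # Term to Match, up to 2,048 characters
    priority: int     # 1-100, smaller value = higher priority

    def __post_init__(self) -> None:
        # Enforce the value ranges the console documents for each parameter.
        if not 0 <= self.min_bytes <= 2048:
            raise ValueError("min_bytes must be 0-2048")
        if not 0 <= self.start <= 2047:
            raise ValueError("start must be 0-2047")
        if not 1 <= self.length <= 2048:
            raise ValueError("length must be 1-2048")
        if not 1 <= self.priority <= 100:
            raise ValueError("priority must be 1-100")
        if not 0 < len(self.term) <= 2048:
            raise ValueError("term must be 1-2048 characters")
        if self.rule_type not in ("ascii", "hex"):
            raise ValueError("rule_type must be 'ascii' or 'hex'")

    def pattern(self) -> bytes:
        """Bytes the rule looks for: raw ASCII, or hex digits decoded to bytes."""
        if self.rule_type == "ascii":
            return self.term.encode("ascii")
        return bytes.fromhex(self.term)

    def matches(self, session: bytes) -> bool:
        """True if the rule hits the session. Assumption made for this model:
        the term must appear entirely inside session[start:start+length]."""
        if len(session) < self.min_bytes:
            return False  # below the byte threshold the rule does not take effect
        window = session[self.start:self.start + self.length]
        return self.pattern() in window


def evaluate(rules: Sequence[PortRule], session: bytes) -> Optional[str]:
    """Name of the highest-priority rule that hits (session is discarded),
    or None if no rule hits (session is forwarded)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(session):
            return rule.name
    return None


# The rule from the Examples section: first three bytes equal to "GET".
BLOCK_GET = PortRule("block-http-get", 0, "ascii", 0, 3, "GET", 1)
# Extra rule (not on the page) covering another HTTP method in the same way.
BLOCK_HEAD = PortRule("block-http-head", 0, "ascii", 0, 4, "HEAD", 2)
# Hypothetical hex rule for a flood signature seen in a packet capture:
# bytes de ad be ef at offsets 4-7, only for sessions of at least 8 bytes.
BLOCK_FLOOD_SIG = PortRule("block-flood-sig", 8, "hex", 4, 4, "deadbeef", 3)

POLICY = [BLOCK_FLOOD_SIG, BLOCK_HEAD, BLOCK_GET]  # list order is irrelevant

# Constructed sample sessions: the first bytes a client sends on port 8191.
HTTP_GET = b"GET / HTTP/1.1\r\nHost: 203.0.113.10:8191\r\n\r\n"
HTTP_POST = b"POST /api HTTP/1.1\r\nHost: 203.0.113.10:8191\r\n\r\n"
HTTP_HEAD = b"HEAD / HTTP/1.1\r\nHost: 203.0.113.10:8191\r\n\r\n"
GAME_LOGIN = b"\x00\x0c\x01\x02player42\x00"          # the game's own binary handshake
FLOOD_PKT = b"\x00\x00\x00\x20\xde\xad\xbe\xef" + b"\x00" * 24


def demo() -> dict:
    """Run every sample session through the policy and return the verdicts."""
    # Same GET rule but with a 1500-byte threshold: a 40-byte GET is not matched.
    get_large_only = PortRule("block-http-get-large", 1500, "ascii", 0, 3, "GET", 1)
    return {
        "http_get": evaluate(POLICY, HTTP_GET),
        "http_post": evaluate(POLICY, HTTP_POST),       # POST is not covered by the GET rule
        "http_head": evaluate(POLICY, HTTP_HEAD),
        "game_login": evaluate(POLICY, GAME_LOGIN),     # legitimate traffic is forwarded
        "flood_pkt": evaluate(POLICY, FLOOD_PKT),
        "get_below_min_bytes": evaluate([get_large_only], HTTP_GET),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} -> {'Discard by ' + verdict if verdict else 'forward'}")
```

The script shows the two points a practitioner should verify before enabling such a rule: the game's own handshake must not trigger it, and every method used by the flood (not only GET) needs its own rule.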