- Updates and Announcements
- Product Introduction
- Differences Between the Old and New Versions
- Comparison of Anti-DDoS Protection Schemes
- Purchase Guide
- Getting Started
- Operation Guide
- Best Practice
- Troubleshooting
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Anti-DDoS Pro Instance List APIs
- Anti-DDoS Advanced Instance APIs
- Protection Configuration APIs
- ModifyPacketFilterConfig
- ModifyDDoSSpeedLimitConfig
- ModifyDDoSGeoIPBlockConfig
- DescribeListWaterPrintConfig
- DescribeListProtocolBlockConfig
- DescribeListProtectThresholdConfig
- DescribeListPacketFilterConfig
- DescribeListDDoSSpeedLimitConfig
- DescribeListDDoSGeoIPBlockConfig
- DescribeListDDoSAI
- DescribeListBlackWhiteIpList
- DescribeBlackWhiteIpList
- DeleteWaterPrintKey
- DeleteWaterPrintConfig
- DeletePacketFilterConfig
- DeleteDDoSSpeedLimitConfig
- DeleteDDoSGeoIPBlockConfig
- DeleteBlackWhiteIpList
- CreateWaterPrintKey
- CreateWaterPrintConfig
- CreateProtocolBlockConfig
- CreatePacketFilterConfig
- CreateDDoSSpeedLimitConfig
- CreateDDoSGeoIPBlockConfig
- CreateDDoSAI
- CreateBlackWhiteIpList
- SwitchWaterPrintConfig
- ModifyCcBlackWhiteIpList
- DescribeCcGeoIPBlockConfigList
- DescribeCcBlackWhiteIpList
- DeleteCcGeoIPBlockConfig
- DeleteCcBlackWhiteIpList
- CreateCcGeoIPBlockConfig
- CreateCcBlackWhiteIpList
- Intelligent Scheduling APIs
- Alarm Notification APIs
- Resource List APIs
- Connection Configuration APIs
- Statistical Report APIs
- Other APIs
- Data Types
- Error Codes
- FAQs
- Legacy Anti-DDoS Pro
- Anti-DDoS Basic
- Service Level Agreement
- Anti-DDoS Pro Policy
- Glossary
- Updates and Announcements
- Product Introduction
- Differences Between the Old and New Versions
- Comparison of Anti-DDoS Protection Schemes
- Purchase Guide
- Getting Started
- Operation Guide
- Best Practice
- Troubleshooting
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Anti-DDoS Pro Instance List APIs
- Anti-DDoS Advanced Instance APIs
- Protection Configuration APIs
- ModifyPacketFilterConfig
- ModifyDDoSSpeedLimitConfig
- ModifyDDoSGeoIPBlockConfig
- DescribeListWaterPrintConfig
- DescribeListProtocolBlockConfig
- DescribeListProtectThresholdConfig
- DescribeListPacketFilterConfig
- DescribeListDDoSSpeedLimitConfig
- DescribeListDDoSGeoIPBlockConfig
- DescribeListDDoSAI
- DescribeListBlackWhiteIpList
- DescribeBlackWhiteIpList
- DeleteWaterPrintKey
- DeleteWaterPrintConfig
- DeletePacketFilterConfig
- DeleteDDoSSpeedLimitConfig
- DeleteDDoSGeoIPBlockConfig
- DeleteBlackWhiteIpList
- CreateWaterPrintKey
- CreateWaterPrintConfig
- CreateProtocolBlockConfig
- CreatePacketFilterConfig
- CreateDDoSSpeedLimitConfig
- CreateDDoSGeoIPBlockConfig
- CreateDDoSAI
- CreateBlackWhiteIpList
- SwitchWaterPrintConfig
- ModifyCcBlackWhiteIpList
- DescribeCcGeoIPBlockConfigList
- DescribeCcBlackWhiteIpList
- DeleteCcGeoIPBlockConfig
- DeleteCcBlackWhiteIpList
- CreateCcGeoIPBlockConfig
- CreateCcBlackWhiteIpList
- Intelligent Scheduling APIs
- Alarm Notification APIs
- Resource List APIs
- Connection Configuration APIs
- Statistical Report APIs
- Other APIs
- Data Types
- Error Codes
- FAQs
- Legacy Anti-DDoS Pro
- Anti-DDoS Basic
- Service Level Agreement
- Anti-DDoS Pro Policy
- Glossary
Configuration Directions and Notes on CC Protection Policy
Last updated: 2022-06-13 17:14:23
Anti-DDoS Pro provides CC attack protection, the protection policy features protection level, cleansing threshold, precise protection, and CC frequency limit, etc. After connecting your business, you can configure CC attack protection policy as instructed in this document to use Anti-DDoS Pro to safeguard your business.
Step 1: Set Cleansing Threshold
- Log in to the Anti-DDoS Pro console and select Anti-DDoS Pro (New) > Configurations > CC Protection.
- Select an Anti-DDoS Pro instance ID in the list on the left, such as "bgp-00xxxxxx".
- To enable CC protection in the "CC Protection and Cleansing Threshold" section, click
and set a cleansing threshold.
Note:- The Anti-DDoS Advanced CC protection will be enabled once you set a cleansing threshold. A value that 1.5 times your common business peak is recommended.
- The Anti-DDoS Pro cleansing feature will remain disabled if no threshold value is set, and the protection level, precise protection, and CC frequency limit you configured in the console will not be in effect even when your business is under CC attacks. For more information, please see CC Protection and Cleansing Threshold.
Step 2: Set CC Protection Level
- Click Set in the CC Protection and Cleansing Threshold section to enter the rule list.
- Click Create. Select an associated IP and a domain name, and set the defense status and cleaning threshold.
Note:
- Wildcard domain names are not supported.
- When you create CC frequency limiting rules, CC protection is enabled by default.
- Connected Anti-DDoS Pro instances will use the default cleansing threshold, and the system will generate a baseline based on historical patterns of your application traffic. You can set a cleansing threshold for a single domain name.
3. Click Save.
Step 3: Set Precise Protection Policy
When your business is under attack, we recommend deriving the attack characteristics from the specific attack request information obtained through packet capture, middleware access logs, and other protection devices to configure your precise protection policy based on your business.
You can enable precise protection to configure protection policies combining multiple conditions of common HTTP fields, such as URI, UA, Cookie, Referer, and Accept to screen access requests. For the requests that match the conditions, you can configure CAPTCHA to verify requesters or a policy to automatically discard the packets.
- Click Set in the Precise Protection section to enter the rule list.
- Click Create. On the pop-up page, enter the required fields, and click OK. For more information, please see Precise Protection.
Note:
- If a policy involves multiple HTTP fields, the policy can be matched if all conditions are met.
- Precise protection for HTTPS businesses is currently supported for Anti-DDoS Advanced but not for Anti-DDoS Pro.
Field description:
| Field | Field Description |
|---|---|
| URI | The URI of an access request. |
| UA | The identifier and other information of the client browser that initiates an access request. |
| cookie | The cookie information in an access request. |
| Referer | The source website of an access request, from which the access request is redirected. |
| Accept | The data type to be received by the client that initiates the access request. |
| Match condition | CAPTCHA and discard
|
Step 4: Set CC Frequency Limit
Anti-DDoS Advanced supports configuring CC frequency policy for connected web businesses to restrict the access frequency of source IPs. You can customize a frequency policy to apply CAPTCHA and discard on source IPs if any IP accesses a certain page too frequently in a short time.
- Click Set in the CC Frequency Limit section to enter the rule list.
- You can create new rules, or edit existing rules by changing the defense level.
Note:
If the Anti-DDoS Advanced CC attack protection is enabled, the cleansing will be triggered when there is attack traffic, of which the detection strictness is the protection level. There are five available levels for you to select based on actual attacks: Loose, Urgent Medium, Strict and Custom. For more information, please see CC Protection and Cleansing Threshold.
- Click Create. On the pop-up page, enter the required fields, and click OK. For detailed configurations, please see CC Frequency Limiting.
Note:
- Newly created rules only take effect in the "Custom" mode.
- When configuring a CC frequency limit policy targeting the URI field, you need to configure a frequency limit on the directory
/first and the match mode must be "equals to". Then you can configure the URI access frequency limit on other directories.- If a source IP accesses the
/directory of the domain name for more than the set number of times in the set period, the set action (CAPTCHA or Discard) will be triggered.- If a frequency limit policy is configured for the
/directory of a domain name, then the frequency of the domain name's other directories must be the same.- If the request URI contains any unfixed string, you can set the match mode to "include", so that URIs with the set prefix will be matched.
Field description:
| Field | Field Description |
|---|---|
| Cookie | The cookie information in an access request. |
| User-Agent | The identifier and other information of the client browser that initiates an access request. |
| URI | The URI of an access request. |
| Frequency limit policy | CAPTCHA and discard
|
| Check condition | Set the access frequency based on your business, for which a value 2 to 3 times the common number of access requests is recommended. For example, if your website is accessed averagely 20 times per minute, you can configure the value to 40 to 60 times per minute or adjust it according to the attack severity. |
| Blocking time | The longest period is a whole day. |
Yes
No
Was this page helpful?