Using Advanced Protection Policies to Restrict Abnormal Connections

Limitations and Constraints

The advanced protection function is still in the open beta test (OBT) phase. This function is supported only by Unlimited Protection Advanced Edition instances in some regions. You can submit a service ticket to enable this function.

Enabling Advanced Protection

1. Log in to the management console.
2. Select a region in the upper part of the page, click in the upper left corner of the page, and choose Security & Compliance > Anti-DDoS Service. The Anti-DDoS Service Center page is displayed.
3. In the navigation pane on the left, choose Cloud Native Anti-DDoS Advanced > Protection Policies. The Protection Policies page is displayed.
4. Click Create Protection Policy.
5. In the displayed dialog box, set the policy name, select an instance, and click OK.
   Figure 1 Creating a policy
   

6. In the row containing the target policy, click Set Protection Policy in the Operation column.
7. In the Connection Protection area, click Set.
   Figure 2 Advanced protection
   

8. Set protection parameters as required.
   Figure 3 Connection protection settings
   

   Table 1 Parameter description

   Type	Parameter	Description
   Detection Threshold	Check the number of concurrent connections to the destination IP address.	When the number of the concurrent TCP connections of a destination IP address exceeds Threshold, defense against connection flood attacks is started. After the defense is started, the source IP address starts to be checked.
   	Check the rate of new connections to the destination IP address.	When the number of the new TCP connections per second of a destination IP address exceeds the Detection Threshold, defense against connection flood attacks is started. After the defense is started, the source IP address starts to be checked.
   Protection Action	TCP connection exhaustion defense	After TCP connection exhaustion defense is enabled, the following parameters can be set: Check new connections to source IP address: The system checks for new connections to the source IP address at regular intervals. If the number of new connections exceeds the specified threshold within the specified interval, the origin server's IP address is blocked until the block period ends. Check concurrent connections to source IP address: If the number of concurrent TCP connections from an IP address exceeds the specified threshold, the IP address is temporarily blocked. Access resumes once the block period ends.
   	Application-layer null connection defense	After Application-layer null connection defense is enabled, you can set the following parameters: HTTP: The system monitors HTTP connections for each source IP address. If the number of connections exceeds the specified threshold, the system blocks access from that IP address by adding it to the blacklist. Access is automatically restored when the block period ends. HTTPS: The system monitors HTTPS connections for each source IP address. If the number of connections exceeds the specified threshold, the system blocks access from that IP address by adding it to the blacklist. Access is automatically restored when the block period ends.

9. Click OK.