Configuring a Basic Protection Policy to Intercept Attack Traffic

After your service is connected to CNAD, you can set basic protection policies for the protected objects. If the DDoS bandwidth on an IP address exceeds the configured threshold, CNAD is triggered to scrub attack traffic to ensure service availability.

If the selected threshold does not align with the workloads, some attacks may not be properly defended against, or service traffic may be inaccurately scrubbed. Choose a value closest to the purchased bandwidth but not exceeding it.

Limitations and Constraints

If you have a custom policy, you cannot change the traffic scrubbing threshold. To change the traffic scrubbing threshold, submit a service ticket to Huawei technical support.

Enabling Basic Protection

Log in to the management console.
Select a region in the upper part of the page, click in the upper left corner of the page, and choose Security & Compliance > Anti-DDoS Service. The Anti-DDoS Service Center page is displayed.
In the navigation pane on the left, choose Cloud Native Anti-DDoS Advanced > Protection Policies. The Protection Policies page is displayed.
Click Create Protection Policy.
In the displayed dialog box, set the policy name, select an instance, and click OK.

Figure 1 Creating a policy
In the row containing the target policy, click Set Protection Policy in the Operation column.
In the Basic Protection area, click Set.

Figure 2 Basic protection

In the Basic Protection Settings dialog box that is displayed, set the traffic scrubbing threshold.

Figure 3 Basic protection settings

**Table 1** Parameter description
Parameter	Description
Traffic Scrubbing Level	If the DDoS bandwidth on an IP address exceeds the configured scrubbing level, CNAD is triggered to scrub attack traffic. You are advised to set a value closest to, but not exceeding, the purchased bandwidth. NOTE: The traffic scrubbing threshold should be selected based on the service bandwidth and is unrelated to protection policies. If the threshold is set significantly lower than the actual service bandwidth, false alarms may be generated. Conversely, if the threshold is set much higher than the actual service bandwidth, some attacks might not be effectively defended against. Therefore, it is recommended to choose a value as close as possible to the actual service bandwidth but not exceeding the purchased bandwidth.
Defense Mode	If the traffic reaches the specified scrubbing level, traffic scrubbing is triggered. Loose: Scrubbing is triggered when the traffic reaches three times the scrubbing level. This mode is recommended to mitigate the impact on services when traffic is incorrectly scrubbed. Normal: Scrubbing is triggered when the traffic reaches twice the scrubbing level. This mode is recommended for the default protection policy. Strict: Scrubbing is triggered when the traffic reaches the scrubbing level. This mode is recommended to enhance defense after there have been escaped attacks.

Click OK. The basic protection policy configuration is completed.

Parent Topic: Adding a Protection Policy

Previous topic: Protection Policy Overview

Next topic: Using Watermarks to Defend Against CC Attacks

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot