Updated on 2025-02-08 GMT+08:00

Configuring a Basic Protection Policy to Intercept Attack Traffic

After your service is connected to CNAD, you can set basic protection policies for the protected objects. If the DDoS bandwidth on an IP address exceeds the configured threshold, CNAD is triggered to scrub attack traffic to ensure service availability.

If the selected threshold does not align with the workloads, some attacks may not be properly defended against, or service traffic may be inaccurately scrubbed. Choose a value closest to the purchased bandwidth but not exceeding it.

Limitations and Constraints

If you have a custom policy, you cannot change the traffic scrubbing threshold. To change the traffic scrubbing threshold, submit a service ticket to Huawei technical support.

Enabling Basic Protection

  1. Log in to the management console.
  2. Select a region in the upper part of the page, click in the upper left corner of the page, and choose Security & Compliance > Anti-DDoS Service. The Anti-DDoS Service Center page is displayed.
  3. In the navigation pane on the left, choose Cloud Native Anti-DDoS Advanced > Protection Policies. The Protection Policies page is displayed.
  4. Click Create Protection Policy.
  5. In the displayed dialog box, set the policy name, select an instance, and click OK.

    Figure 1 Creating a policy

  6. In the row containing the target policy, click Set Protection Policy in the Operation column.
  7. In the Basic Protection area, click Set.

    Figure 2 Basic protection

  8. In the Basic Protection Settings dialog box that is displayed, set the traffic scrubbing threshold.

    Figure 3 Basic protection settings

    Table 1 Parameter description

    Parameter: Traffic Scrubbing Level
    Description: If the DDoS bandwidth on an IP address exceeds the configured scrubbing level, CNAD is triggered to scrub attack traffic. You are advised to set a value closest to, but not exceeding, the purchased bandwidth.

    NOTE: The traffic scrubbing threshold should be selected based on the service bandwidth and is unrelated to protection policies. If the threshold is set significantly lower than the actual service bandwidth, false alarms may be generated. Conversely, if the threshold is set much higher than the actual service bandwidth, some attacks might not be effectively defended against. Therefore, choose a value as close as possible to the actual service bandwidth but not exceeding the purchased bandwidth.

    Parameter: Defense Mode
    Description: Sets the traffic level, as a multiple of the scrubbing level, at which traffic scrubbing is triggered.

    • Loose: Scrubbing is triggered when the traffic reaches three times the scrubbing level. This mode is recommended to mitigate the impact on services when traffic is incorrectly scrubbed.
    • Normal: Scrubbing is triggered when the traffic reaches twice the scrubbing level. This mode is recommended for the default protection policy.
    • Strict: Scrubbing is triggered when the traffic reaches the scrubbing level. This mode is recommended to enhance defense after some attacks have escaped defense.

  9. Click OK. The basic protection policy configuration is completed.
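
The following sketch is an added example, not Huawei code or a CNAD API. It applies the selection rule and the defense-mode multipliers from Table 1 to show the traffic volume at which scrubbing actually starts, and flags levels that conflict with the guidance in the NOTE. The list of selectable levels, the Mbit/s unit, the sample bandwidths and the low_ratio/high_ratio cut-offs are assumptions.

```python
# Added example, not Huawei code. Bandwidth values are in Mbit/s (assumed unit).

# Trigger multipliers per defense mode, as given in Table 1.
MODE_MULTIPLIER = {"Loose": 3, "Normal": 2, "Strict": 1}


def pick_scrubbing_level(selectable_levels, purchased_bw):
    """Largest selectable level that does not exceed the purchased bandwidth."""
    candidates = [lvl for lvl in selectable_levels if lvl <= purchased_bw]
    if not candidates:
        raise ValueError("every selectable level exceeds the purchased bandwidth")
    return max(candidates)


def trigger_bandwidth(level, mode):
    """Traffic volume at which scrubbing starts for this level and mode."""
    return level * MODE_MULTIPLIER[mode]


def review_policy(level, mode, purchased_bw, service_peak,
                  low_ratio=0.5, high_ratio=2.0):
    """Return (trigger bandwidth, findings) for one basic protection policy.

    low_ratio and high_ratio are assumed cut-offs for "significantly lower"
    and "much higher"; the guide does not quantify either term.
    """
    findings = []
    if level > purchased_bw:
        findings.append("level exceeds purchased bandwidth")
    if level < service_peak * low_ratio:
        findings.append("level far below service bandwidth: false alarms likely")
    if level > service_peak * high_ratio:
        findings.append("level far above service bandwidth: attacks may pass unscrubbed")
    return trigger_bandwidth(level, mode), findings


if __name__ == "__main__":
    levels = [100, 200, 500, 1000, 2000]   # constructed list of selectable levels
    purchased, peak = 800, 450             # constructed purchased / observed peak
    level = pick_scrubbing_level(levels, purchased)
    for mode in MODE_MULTIPLIER:
        print(mode, level, review_policy(level, mode, purchased, peak))
```

With these constructed values the selected level is 500, so scrubbing starts at 1500 in Loose mode, 1000 in Normal mode and 500 in Strict mode.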