Updated on 2022-02-22 GMT+08:00

Configuring an Anti-DDoS Protection Policy

Scenarios

You can adjust your Anti-DDoS protection policy after Anti-DDoS is enabled.

Prerequisites

You have obtained a username and password for logging in to the management console.

Procedure

  1. Log in to the management console.
  2. Click the icon in the upper left corner of the management console and select the region and project.
  3. Click the icon in the upper left corner of the page and choose Security & Compliance > Anti-DDoS.

    Figure 1 Anti-DDoS

  4. Click the Public IP Addresses tab, locate the row that contains the IP address for which you want to set protection, and click Set Protection in the Operation column.

    Figure 2 Protection settings

  5. In the Set Protection dialog box, modify the parameters as required. Table 1 describes the parameters.

    Figure 3 Protection settings
    Table 1 Parameter description (each entry gives the parameter name followed by its description)

    Protection Settings

    • Default: In this mode, Traffic Cleaning Threshold is fixed at 120 Mbps. When the service UDP traffic exceeds 120 Mbps or the TCP traffic exceeds 35,000 pps, traffic scrubbing is triggered and Anti-DDoS automatically intercepts the attack traffic.
    • Manual: In this mode, you can set the value of Traffic Cleaning Threshold based on your service needs and enable CC Defense.
    NOTE:
    • Mbps = Mbit/s (short for 1,000,000 bit/s). It is a unit of transmission rate and refers to the number of bits transmitted per second.
    • PPS, short for Packets Per Second, is a measure of throughput for network devices. It means the number of packets sent per second.

    Traffic Cleaning Threshold

    Anti-DDoS scrubs traffic when detecting that the incoming traffic of an IP address exceeds the threshold.

    • When Protection Settings is set to Default, the value of Traffic Cleaning Threshold is 120 Mbps by default.
    • When Protection Settings is set to Manual, the value of Traffic Cleaning Threshold can be set based on your service needs. You are advised to set the threshold to a value closest to the purchased bandwidth but not greater than the purchased bandwidth.
    NOTE:

    If service traffic triggers scrubbing, only attack traffic is intercepted. If service traffic does not trigger scrubbing, no traffic is intercepted.

    Set this parameter based on the actual service access traffic. You are advised to set a value closest to, but not exceeding, the purchased bandwidth.

    CC Defense

    • Disable: disables the defense.
    • Enable: enables the defense.
      NOTE:

      Challenge Collapsar (CC) defense is available only for clients that support the full HTTP protocol stack, because CC defense works in redirection mode or redirection plus verification code mode. If your client does not support the full HTTP protocol stack, you are advised to disable CC defense.

    HTTP Request Threshold

    This parameter is required only when CC Defense is set to Enable. The unit is qps (queries per second), a common measure of the number of requests an information retrieval system, such as a search engine or a database, receives in one second.

    This parameter is used to defend against a large number of malicious requests targeting websites. CC attacks aim to exhaust server resources by sending specially crafted GET or POST requests; defense against them is triggered when the HTTP request rate on a site reaches the selected value. For EIP protection, the maximum recommended value is 5000. For ELB protection, the value can be larger.

    You are advised to set this parameter to the maximum number of HTTP requests that can be processed by the deployed service. Anti-DDoS will automatically scrub traffic if detecting that the total number of requests exceeds the configured HTTP request threshold. If the value is too large, CC defense will not be triggered promptly.

    • If the actual HTTP request rate is smaller than the configured value, the deployed service is able to process all HTTP requests, and Anti-DDoS does not need to be involved.
    • If the actual HTTP request rate is greater than or equal to the configured value, Anti-DDoS triggers CC defense to analyze and check each request, which affects responses to normal requests.

  6. Click OK to save the settings.
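The following is an added example, not part of this guide and not Anti-DDoS code: a small Python model of the rules in Table 1 that checks a proposed Manual/Default policy against the page's guidance and applies the documented trigger conditions to a constructed traffic sample. The purchased bandwidth, the service's HTTP capacity and whether clients support the full HTTP stack are assumed inputs supplied by the operator.

```python
from __future__ import annotations
from dataclasses import dataclass

# Limits stated on this page (Default mode and the EIP recommendation).
DEFAULT_THRESHOLD_MBPS = 120
DEFAULT_TCP_PPS = 35_000
EIP_MAX_HTTP_QPS = 5_000


@dataclass
class Policy:
    mode: str                        # "Default" or "Manual"
    purchased_bandwidth_mbps: int    # assumed known for the protected EIP
    threshold_mbps: int = DEFAULT_THRESHOLD_MBPS
    cc_defense: bool = False
    http_qps_threshold: int = 0
    client_full_http_stack: bool = True  # assumption about the clients
    service_capacity_qps: int = 0        # HTTP requests the service can handle


def validate(p: Policy) -> list[str]:
    """Return the Table 1 guidance a proposed policy violates (empty = ok)."""
    issues = []
    if p.mode == "Default" and p.threshold_mbps != DEFAULT_THRESHOLD_MBPS:
        issues.append("Default mode fixes Traffic Cleaning Threshold at 120 Mbps")
    if p.mode == "Manual" and p.threshold_mbps > p.purchased_bandwidth_mbps:
        issues.append("threshold must not exceed the purchased bandwidth")
    if p.cc_defense:
        if not p.client_full_http_stack:
            issues.append("CC defense needs clients with a full HTTP stack")
        if p.http_qps_threshold > EIP_MAX_HTTP_QPS:
            issues.append("HTTP request threshold above the EIP maximum of 5000")
        if p.http_qps_threshold > p.service_capacity_qps:
            issues.append("HTTP threshold above service capacity; CC defense triggers late")
    return issues


def decide(p: Policy, incoming_mbps: float, udp_mbps: float,
           tcp_pps: int, http_qps: int) -> dict[str, bool]:
    """Apply the page's trigger rules to one constructed traffic sample."""
    if p.mode == "Default":
        # Default: UDP above 120 Mbps or TCP above 35,000 pps triggers scrubbing.
        scrub = udp_mbps > DEFAULT_THRESHOLD_MBPS or tcp_pps > DEFAULT_TCP_PPS
    else:
        # Manual: total incoming traffic above the configured threshold.
        scrub = incoming_mbps > p.threshold_mbps
    # CC defense triggers when the HTTP rate reaches the configured threshold.
    cc = p.cc_defense and http_qps >= p.http_qps_threshold
    return {"scrub": scrub, "cc_defense": cc}
```

Run validate() on a candidate policy before applying it in the console; an empty list means it follows the guidance in Table 1.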