
Set DDoS Policies

Last update: 2025-05-22 18:33:16

A Distributed Denial of Service (DDoS) attack is a malicious act in which an attacker uses botnets, proxy devices and similar resources to send a large volume of requests or data to a target website or server. As a result, normal users find the website slow to load or cannot reach it at all. CDNetworks' DDoS protection builds on the capacity of the CDN, combined with big data analysis and independently developed protection algorithms, to detect and clean all kinds of DDoS attacks in real time, so that the website stays online even under large-scale DDoS attacks.

Once you turn on DDoS protection, CDNetworks will automatically detect and mitigate DDoS attacks on your website. You can also adjust and optimize the DDoS protection policies as needed.

1. Go to the DDoS Protection page

  1. Log in to the CDNetworks Console and find the security product in use under Subscribed Products.
  2. Go to Security Settings > Policies.
  3. Find the hostname for which you want to configure security policies and click its configuration icon.
  4. Go to the DDoS Protection tab. If DDoS Protection is off, turn it on.

2. L3/4 DDoS Protection

CDNetworks automatically detects and mitigates OSI layer 3/4 DDoS attacks by default, including SYN Flood, ACK Flood, ICMP Flood, UDP Flood and various reflection attacks (such as NTP reflection, Memcache reflection and SSDP reflection). To protect the platform infrastructure and the availability of all customers, this protection is turned on by default and cannot be turned off.

3. L7 DDoS Protection

DDoS protection at the application layer is based on the intelligent protection engine, which combines the Managed Protection and Adaptive Protection mechanisms. Through automatic attack detection and dynamic adjustment of protection policies, it ensures the availability and stability of the business when the application layer (such as HTTP/HTTPS) is hit by DDoS attacks.

3.1 Dual Mechanisms for Coordinated Protection

3.1.1 Managed rule protection

Based on a large attack signature database and the attack-and-defense experience of the security expert team, the managed rule set presets rules for common application-layer attacks such as abnormal request parameters, protocol specification violations and suspicious high-frequency requests. The rule set is deployed on CDNetworks' globally distributed edge nodes, supporting accurate attack matching and interception within seconds.

3.1.2 AI intelligent protection

Automated attack monitoring: Based on the capabilities of the CDNetworks security big data platform, a machine learning model continuously analyzes the business request baseline of each website and continuously monitors the hostname's traffic characteristics, request distribution, origin server response status and other indicators, to determine the attack type, attack intensity and origin server status in real time.
Adaptive protection policies: The protection mode is switched automatically based on the selected protection level and the detected attack status:

  • When a hostname is attacked by CC, the managed rules are enabled first to intercept the attack.
  • When the managed rules do not completely block the attack and the availability of the origin server is still threatened, the system automatically identifies abnormal attack requests and generates protection rules based on its self-developed algorithm, applying multi-dimensional handling such as dynamic blocking, human-machine verification and request rate limiting. This effectively mitigates new application-layer DDoS attacks and protects the origin server.

3.1.3 Overall protection logic

Hostname onboarding, learning begins: When a new hostname is onboarded, the engine automatically issues a preset threshold according to the selected protection level, so that the service is protected from the start. Meanwhile, the engine generates a service-specific protection threshold and AI protection rules through 2-6 hours of learning the hostname's traffic, and updates them dynamically every hour to achieve accurate attack localization and adaptive protection.

The first line of defense - Edge defense activated, quick interception: When a hostname suffers a small-scale CC attack, the "Enable During Attack" managed rules deployed at the edge node take effect quickly, intercepting and handling the attack within seconds. Details of the managed rule modes are given in the rule mode table below.

The second line of defense - Full hostname protection enabled, large-scale cleaning: When the system detects that the attack traffic keeps increasing, it delivers the "Enable During Attack" managed rules at the hostname level to clean the attack traffic.

The third line of defense - Adaptive protection rules generated, origin server protected: If the system detects that the attack is still getting through and affecting the availability of the origin server, AI intelligent protection strengthens the protection: it localizes the attack and issues the corresponding rules according to the specific attack characteristics it has learned. The currently supported AI rule types are:

  • Rate limiting rules, used to protect against high-frequency attacks
  • Empty request header rules, used to protect against attacks where the request header is abnormally empty
  • UA-specific rules, used to protect against User-Agent anomaly attacks
  • JA4 rules, used to protect against JA4 anomaly aggregation attacks

The attack is over: When the system detects that a hostname's traffic has not met the attack conditions for 15 minutes, it judges that the attack is over. At that point the "Enable During Attack" rules are deactivated and all AI rules are deleted.
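The escalation described in 3.1.3 (edge defense, full-hostname defense, adaptive rules, and the 15-minute "attack over" timer) as an added illustration; this is not CDNetworks code, and it assumes the detection engine has already classified each minute into an abstract attack level, with the AI rule name taken from the example in 3.4.2 and all input sequences constructed.

```python
# Added illustration, not CDNetworks code: the three lines of defense and the
# 15-minute "attack over" rule of 3.1.3 as a small state machine. Assumed: each
# minute is already classified by the engine into an attack level (0 none, 1 small
# CC attack, 2 attack traffic still increasing, 3 attack affecting the origin).
from dataclasses import dataclass, field
from typing import List

ATTACK_OVER_MINUTES = 15  # quiet minutes before the engine declares the attack over


@dataclass
class Hostname:
    state: str = "normal"
    edge_rules_on: bool = False      # first line: "Enable During Attack" at the edge
    hostname_rules_on: bool = False  # second line: same rules, whole hostname
    ai_rules: List[str] = field(default_factory=list)  # third line: AI rules
    quiet_minutes: int = 0
    events: List[str] = field(default_factory=list)

    def step(self, level: int, ai_rule: str = "AI_Limit_high-rate_URL_requests") -> str:
        """One classified minute; ai_rule defaults to the page's example rule name."""
        if level == 0:
            self.quiet_minutes += 1
            if self.state != "normal" and self.quiet_minutes >= ATTACK_OVER_MINUTES:
                # attack over: deactivate Enable During Attack rules, delete AI rules
                self.edge_rules_on = self.hostname_rules_on = False
                self.ai_rules.clear()
                self.state = "normal"
                self.events.append("attack over: rules withdrawn")
            return self.state
        self.quiet_minutes = 0  # any attack minute restarts the 15-minute count
        if level >= 1 and not self.edge_rules_on:
            self.edge_rules_on, self.state = True, "edge_defense"
            self.events.append("edge: Enable During Attack rules active")
        if level >= 2 and not self.hostname_rules_on:
            self.hostname_rules_on, self.state = True, "full_hostname"
            self.events.append("hostname: Enable During Attack rules active")
        if level >= 3 and ai_rule not in self.ai_rules:
            self.ai_rules.append(ai_rule)
            self.state = "adaptive"
            self.events.append(f"adaptive: issued {ai_rule}")
        return self.state


def run(levels: List[int]) -> Hostname:
    """Replay a constructed per-minute sequence, e.g. run([1, 2, 3] + [0] * 15)."""
    host = Hostname()
    for level in levels:
        host.step(level)
    return host
```

The `events` list records the order in which the lines of defense were activated and withdrawn, which is what you would compare against Change History when backtracking a rule deployment.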

3.2 Choose the Appropriate Protection Level

After enabling Anti-DDoS at the application layer, you need to select the appropriate protection level according to the needs of your business scenario. Each level affects the attack detection sensitivity and the AI rule generation threshold. Refer to the following table when selecting a level:

Level | Protection Effect | Application Scenario | Attack Detection Sensitivity | Adaptive Protection Rule Generation Threshold
--- | --- | --- | --- | ---
Loose | By default, the AI engine blocks specific known malicious attacks and only starts adaptive protection when it detects that the availability of the website is significantly reduced by attacks. The probability of falsely intercepting normal requests is extremely low. | Websites with a large number of requests and strong processing capacity, or special business scenarios such as an event. | Low (required condition: the system detects a significant drop in the availability of the origin server) | Middle
Moderate (Recommended) | Effectively protects against common malicious attacks and adapts to most business scenarios. | Websites with a stable request volume and normal business processing capacity. | Middle | Middle
Strict | Enables strict protection policies against malicious attacks, which may lead to some false blocking. | Websites with a small number of requests and weak processing capacity, or business scenarios with strict cleaning requirements. | High | High

Note: The AI engine determines whether a hostname is under CC attack from metrics such as the request volume and availability of the hostname. Because an event scenario is often accompanied by a high request volume and reduced availability, false positives are likely, so it is recommended to adjust the policy manually before the event to avoid them.

3.3 Set Managed Protection

In most cases, we recommend that you enable managed rule protection by default and leave the related action and rule mode as they are.

3.3.1. Adjust the Action or Security Level

If your business expects a legitimate traffic surge (e.g., a big promotion or a new product launch), you can avoid false interceptions by adjusting the configuration items of the managed rules. There are two types of configuration items.

  • Action - When a request matches a managed rule, the system automatically performs the protective action against it, as described below:

Action | Description
--- | ---
Deny | Intercepts the request and responds with a 403
Log | Only records a log; the request is not otherwise processed
DDoS Managed Challenge | Dynamically selects the appropriate challenge based on request characteristics, including Cookie validation and JavaScript validation
Deny Connection | Releases established TCP connections with the client and rejects new connections

  • Rule Mode - Defines the scenario in which each built-in rule takes effect. The intelligent protection engine can adaptively switch the rule mode according to the detected application-layer DDoS attack status. The modes are described as follows:

Rule Mode | Description
--- | ---
Default On | Always in effect, regardless of whether an attack is detected
Enable During Attack | Takes effect when the intelligent engine detects an attack on the hostname
Essentially Off | Takes effect only when the intelligent engine detects that the hostname is under attack and the scale of the attack has affected the performance of the node infrastructure
Not Used | Never in effect, regardless of whether an attack is detected

3.3.2. Add App/API Exceptions

Managed rules with the action "DDoS Managed Challenge" perform a Cookie Challenge or JavaScript Challenge based on request characteristics, and are only applicable to Web/H5 webpage-type websites. If your website serves a native app, hybrid app, callback API or other non-browser business, you need to add an exception for the request characteristics of the app/API to avoid a large number of false positives.

Type | Description | Need to add an exception? | Note
--- | --- | --- | ---
Native App | Developed with the official languages, libraries and tools of the Android and iOS platforms, for example Java on Android and Objective-C on iOS. | Generally not needed. | The managed rule whose action is "DDoS Managed Challenge" only takes effect for browser User-Agents (Mozilla or Opera). If your native app uses a browser User-Agent, you need to add an exception.
Hybrid App | Combines native app development technology with HTML5 development technology; a hybrid of native and HTML5 applications. | Required. | Add exceptions based on the characteristics of your hybrid app. When native page requests and HTML5 page requests have distinctly different characteristics, it is recommended to add exceptions only for the native page request characteristics, such as User-Agent=AppName/1.0.0 (Android; 10; Pixel 3) okhttp/3.8.1.
Callback API | When a certain event occurs, the system automatically calls the registered callback function to process the related data, for example a payment callback API or a data sync callback API. | Required. | Add exceptions based on the characteristics of your callback API, such as URI=/api/callback.
Other Program API | Other program APIs that do not support "DDoS Managed Challenge". | Required. | Add exceptions based on the characteristics of your program API, such as URI=/api/other.

For specific configuration steps, refer to Set App/API Exceptions.

The configured App/API exceptions only apply to managed rules with the action "DDoS Managed Challenge".
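To make the exception logic concrete, the following added example (not CDNetworks code) evaluates whether the "DDoS Managed Challenge" rule would challenge a request, given the browser User-Agent condition and App/API exceptions like those in the table above. It assumes an exception is a set of field=value conditions that must all match exactly; the requests and the challenge decision strings are constructed.

```python
# Added illustration, not CDNetworks code: how App/API exceptions narrow a
# managed rule whose action is "DDoS Managed Challenge". Assumed semantics: the
# rule only considers browser User-Agents (containing "Mozilla" or "Opera"); an
# exception is a set of field=value conditions that must all match exactly.
from typing import Dict, List

BROWSER_UA_MARKERS = ("Mozilla", "Opera")


def is_browser_user_agent(user_agent: str) -> bool:
    """A cookie/JavaScript challenge only makes sense for browser-like clients."""
    return any(marker in user_agent for marker in BROWSER_UA_MARKERS)


def matches_exception(request: Dict[str, str], exception: Dict[str, str]) -> bool:
    """All conditions of one exception must hold (assumed AND semantics)."""
    return all(request.get(field) == value for field, value in exception.items())


def challenge_decision(request: Dict[str, str], exceptions: List[Dict[str, str]]) -> str:
    """Decide what the managed challenge rule does with one request."""
    if not is_browser_user_agent(request.get("User-Agent", "")):
        return "pass: non-browser User-Agent"
    for index, exception in enumerate(exceptions):
        if matches_exception(request, exception):
            return f"pass: exception {index}"
    return "challenge"


# Constructed exceptions, mirroring the examples in the table above.
EXCEPTIONS = [
    {"User-Agent": "AppName/1.0.0 (Android; 10; Pixel 3) okhttp/3.8.1"},
    {"URI": "/api/callback"},
]

# Constructed sample requests; the native app with a browser UA shows the case
# from the table note where an exception is still needed.
SAMPLES = {
    "browser": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0", "URI": "/"},
    "native_okhttp": {"User-Agent": "AppName/1.0.0 (Android; 10; Pixel 3) okhttp/3.8.1", "URI": "/home"},
    "native_browser_ua": {"User-Agent": "Mozilla/5.0 (Linux; Android 10) AppName/2.0", "URI": "/home"},
    "payment_callback": {"User-Agent": "Mozilla/4.0 (compatible; PayGateway)", "URI": "/api/callback"},
}

if __name__ == "__main__":
    for name, request in SAMPLES.items():
        print(f"{name:18} -> {challenge_decision(request, EXCEPTIONS)}")
```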

3.4 Set Adaptive Protection

When Adaptive Protection is enabled, the engine automatically issues the corresponding rules according to the selected protection level and the attack characteristics. It is normally recommended to turn it on and keep the mode set to Protect for the best protection effect.

3.4.1. Adjust Rule Actions

If you want to observe and analyze traffic characteristics first, or need to reduce the risk of false interception during an attack, you can adjust the intelligent mode according to your business requirements. The selected mode determines the action of the rules issued by the engine; the mapping and descriptions are shown in the following table:

Mode | Corresponding Action | Description
--- | --- | ---
Protect (Default) | Deny | Requests that hit the rules are blocked directly
Protect (Managed) | DDoS Managed Challenge | Based on the request characteristics of the web client, the system adaptively triggers the cookie or JavaScript verification mechanism, which reduces the false interception rate in this scenario
Monitor | Log | Requests that hit the rule are only recorded in the attack log

3.4.2. View Adaptive Protection Rules

How the rule is named

By looking at the name of an intelligent protection rule, you can quickly identify the attack type in the current scenario. Rules are named AI_xxxxx, for example AI_Limit_high-rate_URL_requests_xxxx, from which you can tell that the rule currently in effect is a rate-limiting rule.

View the requests that hit the adaptive protection rule

  • During an attack, view the rules that are currently in effect
    If an attack is in progress and Adaptive Protection has been triggered, you can view the currently generated protection rules directly on the Security Policy > DDoS Protection page, under L7 DDoS Protection > Adaptive Protection.
  • View details of requests that hit rules through the attack log
    To analyze the request logs hit by the rules, verify that the rules accurately match the traffic characteristics, and ensure that only real attacks are intercepted:
    1. Go to the Analysis & Logs > Attack Logs page.
    2. Filter by DDoS Protection - Policy Name equals Adaptive DDoS Protection.
    3. Expand the hit rule details to view the specific rule information, request information and client information.

Backtrack the deployment of the rules

Because attackers tend to bypass defenses by constantly changing attack signatures, and to reduce the risk of false interception when there is no attack, adaptive protection rules are generated only during attacks and are automatically deleted 15 minutes after the attack stops. If your analysis shows that a certain protection rule effectively protects against multiple attacks, you can manually configure it as a Custom Rule or Rate Limiting rule, following the rule information description, to protect the website continuously. You can view the rule deployment history as follows:

  1. Go to the Change History page.
  2. Filter by Security Policy - DDoS Protection and Change Type - Add.
  3. In the list, check the system operator and click the change details to display the Adaptive Protection rules issued during the attack period.