Action and Security Level

最終更新日:2024-06-13 16:41:14

The managed rule set is managed and pushed uniformly by CDNetworks. You can adjust the actions and security levels of these managed rules.

Action

The actions of managed rules are predetermined by CDNetworks. Depending on the purpose of each rule, different optional and default actions are set.

Action Action Description Corresponding Rule Purpose
Deny Deny request by a default 403 response. Used to deny known attack patterns or IPs that make high-rate requests.
Log Log request and continue further detections. Used to monitor known attack patterns or IPs that make high-rate requests.
DDoS Managed Challenge Adaptively respond Cookie or Javascript challenge action based on requesting content type, available only for some of DDoS managed rules. Used to detect and mitigate large-scale application-layer DDoS attacks, protecting the source station.
Deny Connection* Reset established TCP connections with client and do not recieve new connections from the same client IP. Used to mitigate ultra-large-scale application-layer DDoS attacks, protecting the mitigation node infrastructure.

About Refusing Connection:

  1. When the application layer DDoS attack scale is ultra-large, it may affect the performance of the mitigation node infrastructure. The Cloud Security Platform will automatically block the IP that repeatedly launches attacks at the network layer, enabling us to automatically mitigate application layer DDoS attacks on a large scale.
  2. The security policy scope analyzed by the managed rule for “Deny Connection” includes: IP/Geo Block, DDoS Protection, Rate Limiting, Custom Rules. In these four functions, IPs that repeatedly attack will be directly blocked at the network layer.

Security Level

The security level defines the effective scenarios of each managed rule. The managed rules do not take effect normally (the managed rules with known attack characteristics will take effect by default), and will only adaptively take effect when the DDoS Adaptive Protection Engine(DAPE) detects an application layer DDoS attack. This can minimize the impact of managed rules affecting normal user access.

Security Level Effective Scenario Purpose
Default On Managed rules take effect by Default. Managed rules from known attack characteristics have very high accuracy and low false positive risks. It’s recommended to keep these managed rules at the “Default On” security level.
Enable During Attack When the protection mode is “Automatic”, the managed rule is adaptively effective1; when the protection mode is “I’m Under Attack!”, the managed rule is effective by default. For managed rules that deny high-rate request IPs or perform DDoS Managed Challenge for web page requests, in order to reduce the risk of false positive, it is recommended that you keep these managed rules at the “Enable During Attack” security level.
Essentially Off The managed rules do not take effect by default, but when the hostname is attacked and affects the mitigation infrastructure2, the managed rules will still take effect. In order to ensure that managed rules can also take effect normally to protect the mitigation node infrastructure during ultra-large-scale attacks, it is usually recommended to set the security level to “Essentially Off” instead of “Not Used”.
Not Used Managed rules do not take effect. For managed rules that clearly do not match normal business and will cause large-scale false positive of normal users, you can set the security level of the corresponding managed rules to “Not Used”. Also through the Custom Rules or Rate Limiting features, manually configure protection rules suitable for your business.
  1. adaptively effective1: Under the “Automatic” protection mode, the managed rules do not take effect by default. However, when the DDoS Adaptive Protection Engine(DAPE) detects that the hostname is under attack, the managed rules of “Enable During Attack” take effect in real-time. When the DDoS Adaptive Protection Engine detects that the hostname attack has stopped, the managed rules of “Enable During Attack” will automatically stop being effective.
  2. affects the mitigation infrastructure2: When the intelligent protection engine detects that the hostname is under attack and the attack scale has already affected the mitigation node performance, the managed rules of “Essentially Off” will take effect in real-time. When the DDoS Adaptive Protection Engine detects that the attack scale of the hostname has dropped or stopped, the managed rules of “Essentially Off” will automatically stop being effective.