Set DDoS Policies
最終更新日:2026-03-25 10:09:22
Once you enable DDoS protection, CDNetworks will automatically detect and mitigate DDoS attacks on your website. You can adjust and optimize the DDoS protection policies as needed.
Steps
- Log in to the CDNetworks Console, find the security product in use under Subscribed Products.
- Go to Security Settings > Policies.
- Find the hostname to be configured, click
. - Go to DDoS Protection tab.
Configure L3/4 DDoS Protection
To protect the platform infrastructure and the availability of all customers, this protection is turned on by default and cannot be turned off.
Configure L7 DDoS Protection
Choose the Protection Level
After enabling L7 DDoS protection, you need to select the appropriate protection Level according to the requirements for different business scenarios. The attack detection sensitivity and AI rule generation threshold will be affected depending on the protection level. Please refer to the following table:
| Level | Protection Effect | Application Scenario | Attack Detection Sensitivity | Generation Threshold of AI-related Rules |
|---|---|---|---|---|
| Loose | By default, the AI engine blocks specific malicious attacks that are already known, and it starts adaptive protection when the website availability is significantly reduced due to attacks. The probability of false positives is extremely low. | It is suitable for websites with high-volume requests and strong processing capabilities, or special business activity scenarios. | Low (Required when the system detects a significant drop in the origin availability) | Middle |
| Moderate (Recommended) | It can effectively protect against common malicious attacks and adapt to most business scenarios. | It is suitable for websites with stable request volume and normal business processing capabilities. | Middle | Middle |
| Strict | Enable strict protection policies for malicious attacks, which may lead to partial false blocking. | It is suitable for websites with low-volume requests and weak processing capabilities, or suitable for business scenarios with strict traffic scrubbing requirements. | High | High |
Note: Since the AI engine automatically determines whether a hostname is under CC attack based on metrics such as the request volume and availability of the hostname, and the business activity scenario is often accompanied by high request volume, there is a high possibility of false positives, and it is recommended to conduct pre-event manual adjustments to the policies to reduce false positives.
Configure Managed Rules
It is recommended to enable “Managed Rule Protection” by default and leave the related action and rule mode with default settings.
Adjust Action or Security Level
In cases of business scenarios of legitimate traffic surges (e.g., big sales, new product launch), false blocking can be mitigated by adjusting the configuration items of the managed rules. The main types of configuration items are as follows:
- Action - When the request matches the managed rule, the system automatically performs protective actions against it. See below:
| Action | Description |
|---|---|
| Deny | Block request and respond with 403 |
| Log | Only recorded in logs with no other request handling |
| DDoS Managed Challenge | Dynamically select Cookie challenge or JavaScript challenge for request validation |
| Deny Connection | Release the established TCP connections with clients and reject new connections |
- Rule Mode - defines the effective scenario of built-in rules. The Adaptive Protection engine can adaptively switch the rule mode. See below:
| Rule Mode | Description |
|---|---|
| Default On | Always in effect regardless of whether an attack is detected |
| Enable During Attack | When the intelligent engine detects an attack on a hostname, it enables the rules for this mode |
| Essentially Off | Only when the intelligent engine detects that the hostname has been attacked and the scale of the attack has affected the performance of the node infrastructure, the rules of this mode take effect |
| Not Used | Never take effect regardless of whether an attack is detected |
Add App/API Exceptions
The Managed Rules for handling actions as DDoS Managed Challenge may not be applicable to the APP/API business and cause false blocking, so it is recommended to make exceptions for the features of APP/API requests.
Specific configuration methods refer to: Set App/API Exceptions.
Configure Adaptive Protection
When Adaptive Protection is enabled, the engine will automatically release corresponding protection rules according to the selected protection level and attack features. Usually, it is recommended to enable this function and keep it in the protection mode in order to achieve the best protection effect.
Adjust Protection Modes
If it is needed to monitor and analyze traffic features in advance, or to reduce the risk of false blocking in case of any attack, you can adjust the relevant intelligent protection mode based on the actual business requirements. The selection of the mode will determine the action of the rules released by the engine, and the comparison relationship and specific description are shown in the following table:
| Mode | Corresponding Action | Description |
|---|---|---|
| Protect (Default) | Deny | The rules directly block requests that hit the rules |
| Protect (Managed) | DDoS Managed Challenge | Based on the request features of the web client, the system adaptively triggers the cookie or JavaScript challenges, so as to effectively reduce the false blocking rate in this scenario |
| Monitor | Log | Only requests that hit the rule are logged in the attack log, where detailed attack information will be recorded. |
View Adaptive Protection Rules
The DDoS Adaptive Protection engine automatically generates or removes protection rules based on the threat level of the attack, without manual intervention. To view the automatically generated intelligent protection rules, operate as follows:
Rule Naming
By viewing the name of the intelligent protection rule, you can quickly locate the attack type in the operation scenario. Rule naming method: AI_
View the Requests That Hit the Adaptive Protection Rule
- During an attack, view the rules that are currently in effect
If the current attack is occurring and Adaptive Protection has been triggered, you can directly view the currently generated protection rules in Security Policy> DDoS Protection page, L7 DDoS Protection > Adaptive Protection list - View Details of Requests That Hit Rules Through the Attack Log
If you want to analyze the request logs hit by rules, verify whether the rules accurately match the traffic features, and ensure that only real attacks are intercepted:
- Go to Analysis & Logs > Attack Logs page
- Select DDoS Protection-Policy Name equals Adaptive DDoS Protection by filter
- Expand hit rule details to view specific rule information, request information, and client information
Backtrack the Deployment History of Rules
Because attackers tend to bypass defenses by constantly changing attack signatures, and to reduce the risk of false interception when there is no attack, adaptive protection rules are generated only during attacks and automatically deleted 20 minutes after attacks stop. If you analyze that a certain protection rule can effectively protect against multiple attacks, you can manually configure it into Custom Rules or Rate Limiting according to the rule information description to continuously protect the website. You can view the rule deployment history by:
- Go to Change History Page.
- Select Security Policy - DDoS Protection, Change Type - Add by filters.
- View the items of “operator” listed as “system”, and click Change Details to display the Adaptive Protection rules issued during the attack period.