Set DDoS Policies

最終更新日:2024-06-13 16:41:17

Distributed Denial of Service (DDoS) attacks are malicious acts where attackers control zombie networks/proxy devices, etc., to send a large amount of requests or data to the target website or server. This results in slow loading when normal users access the website, or even completely unable to access. CDNetworks’s DDoS protection relies on the advantages of CDN resources, combined with big data analysis, independently developed protection algorithms, real-time detection and cleaning of all kinds of DDoS attacks, ensuring the website can remain stable online even in the face of large-scale DDoS attacks.

Once you turn on DDoS protection, the Cloud Security Platform will automatically detect and mitigate DDoS attacks on your website. You can also adjust and optimize the DDoS protection policies as needed.

1. Set L3/4 DDoS Protection

The Cloud Security Platform automatically detects and mitigates OSI Model 3/4 layer DDoS attacks by default, including SYN Flood, ACK Flood, ICMP Flood, UDP Flood, various reflection attacks (such as NTP reflection, Memcache reflection, SSDP reflection), etc. To protect the platform infrastructure and the availability of all customers, this protection is turned on by default and cannot be turned off.

2. Set L7 DDoS Protection

L7 DDoS Protection includes two protection modules, Managed Protection and Adaptive DDoS Protection, both governed by CDNetworks’s independently developed DDoS Adaptive Protection Engine (DAPE). The engine automatically monitors whether the website is subjected to application layer DDoS attacks, and adapts managed rules or dynamically generates adaptive protection rules based on the intensity of the attack, indicators of source station availability, etc.

L7 DDoS Protection Process:

  1. When L7 DDoS Protection is turned on, as your website traffic connects to the Cloud Security Platform, the DDoS Adaptive Protection Engine will immediately begin baseline learning. To ensure the accuracy of baseline learning, it generally takes 2-3 hours to complete.
  2. The DDoS Adaptive Protection Engine monitors the website in real-time based on the business baseline to detect if it is under an application layer DDoS attack. When an attack is detected, the managed rules will be activated adaptively at CDNetworks’s distributed edge nodes to block most attack traffic. The most cost-effective mitigation can be applied here.
  3. When the managed rules do not completely block the attack, and the availability of the source station is still threatened, precise adaptive protection rules will be automatically generated to protect the source station.

To configure L7 DDoS Protection page:

  1. Log in to the CDNetworks Console, find the security product in use under Subscribed Products.
  2. Go to Web&API Protection > Policies.
  3. Find the hostname for which you want to configure security policies, click [New Feature] WAF Rule Template .
  4. Go to DDoS Protection tab. If L7 DDoS Protection is off, turn it on.

2.1 Choosing the Appropriate Protection Mode

L7 DDoS Protection offers two protection modes: “Automatic” and “I’m Under Attack!” The table below describes the protective effects and application scenarios of the two protection modes, you can choose different protection modes according to your actual application scenario. If you are unsure, it is recommended to maintain the default “Automatic” protection mode first.

Protection Mode Protection Effect Application Scenario Managed Rule Activation Logic Adaptive Protection Rule Generation
Automatic (Recommended) DDoS Adaptive Protection Engine monitors if DDoS attack happens, then takes effect of the managed rules accordingly, as well as dynamically generates adaptive protection rules. It is recommended as the default mode which has an extremely low false positive. Only the “Default On” managed rules are effective in normal times. When the DDoS Adaptive Protection Engine detects abnormal website traffic, the “Enable During Attack” managed rules will automatically activate. If the scale of the attack affects the infrastructure of the mitigation nodes, the “Essentially Off” managed rules will also automatically activate to protect the infrastructure of the mitigation nodes. For more on security levels, Learn More. The DDoS Adaptive Protection Engine automatically learns the business request baseline of the website, and when it detects that the website is under attack and the attack may affect the performance of the source station, automatically generates protection rules to protect the website business.
I’m under attack! Difference from Automatic mode: The managed rules of security level “Enable During Attacks” takes effect permanently, and the adaptive DDoS protection rules will be stricter. It may cause some false positives, recommended for frequently attacked websites and poor-capacity origins. The “Default On” and “Enable During Attack” managed rules are activated by default. When the DDoS Adaptive Protection Engine detects abnormal website traffic and if the scale of the attack affects the infrastructure of the mitigation nodes, the “Essentially Off” managed rules will also automatically activate to protect the infrastructure of the mitigation nodes. For more on security levels, Learn More. The DDoS Adaptive Protection Engine automatically learns the business request baseline of the hostname, and when it detects that the website is under attack and the attack may affect the performance of the source station, automatically generates stricter protective rules to protect the website business.

2.2 Set Managed Protection

The CDNetworks’s security team mitigates application layer DDoS attacks with a set of common managed protection rules accumulated from continuously tracking the latest threats and summarizing platform attack event handling experiences. These rules are updated periodically to help you deal with the latest attack threats. To ensure the best protection effect, it is recommended that you keep the managed protection function turned on by default.

2.2.1. Adjust the Action or Security Level

The managed rules are managed and pushed by CDNetworks as a whole. You can adjust the action and security level of the managed rules. Usually, it is recommended that you keep the default action and security level of the managed rules.

If a managed rule is false positive, you can solve it by lowering the security level of the rule, such as changing from “Enable During Attack” to “Essentially Off”. You can also adjust it according to your actual protection needs.

For more on actions and security levels, Learn More.

2.2.2. Adding App/API Exceptions

Managed rules with the action “DDoS Managed Challenge” will perform Cookie Challenge or JavaScript Challenge based on request characteristics, and is only applicable to Web/H5 webpage type websites. If your website is a native App/hybrid App/callback API or other businesses, you need to make an exception for the request characteristics of the App/API to avoid causing a large amount of false positive.

Type Description Need to add an exception? Note
Native App Use the official development languages, development libraries, and tools of Android and iOS Platform for development. For example, Android’s Java language and iOS’s object-c language. Generally no exceptions are needed. The managed rule whose action is “DDoS Managed Challenge” only takes effect for the browser’s User-Agent (Mozilla or Opera). If you are a native app and use the browser’s User-Agent, you need to add exceptions.
Hybrid App It uses the development technology of native app and also applies HTML5 development technology. It is a hybrid application of native and HTML5 technology. An exception is required. Exceptions should be made based on the characteristics of your hybrid APP. When native page requests and HTML5 page requests have distinctly different characteristics, it is recommended to only make exceptions for the characteristics of native page requests, such as User-Agent=AppName/1.0.0 (Android; 10; Pixel 3) okhttp/3.8.1.
Callback API When a certain event occurs, the system automatically calls the registered callback function to process the related data. Such as payment callback API, data sync callback API, etc. An exception is required. Exceptions should be made based on the characteristics of your callback API, such as URI=/api/callback.
Other Program API Other program APIs that do not support “DDoS Managed Challenge”. An exception is required. Exceptions should be made based on the characteristics of your program API, such as URI=/api/other.

Specific configuration methods refer to: Set App/API Exceptions

The configured App/API exceptions only apply to managed rules with the action “DDoS Managed Challenge”.

2.3 Set Adaptive Protection (Value Added Services)

Adaptive Protection is based on CDNetworks’s big data capabilities, by continuously learning the business request baseline of the website, combined with CDNetworks’s independently developed algorithm to identify abnormal attack requests, and when it detects that the attack may threaten the business of the source station, the DDoS Adaptive Protection Engine (DAPE) will automatically generate adaptive protection rules to mitigate application layer DDoS attacks.

The process of generating and invalidating adaptive protection rules:

  1. The DDoS Adaptive Protection Engine monitors the website in real-time based on the business baseline to detect if it is under an application layer DDoS attack. When the managed rules do not completely block the attack, and the availability of the source station is still threatened, precise adaptive protection rules will be automatically generated.
  2. If you have already set your website’s protection mode to “I’m Under Attack!”, the DDoS Adaptive Protection Engine will generate stricter adaptive protection rules to mitigate application layer DDoS attacks to the greatest extent possible.
  3. After the attack stops for 15 minutes, the adaptive protection rules will automatically expire and be cleared.

2.3.1. Adjusting Rule Actions

The rule actions of adaptive protection is the action set for all adaptive protection rules generated, there are two actions: “Deny” and “Log”. Usually, it is recommended that you keep the default rule actions as “Deny” to ensure the best protection effect. You can also configure it as “Log” first, attack rules will still be normally generated during an attack, but only attack logs will be recorded, requests will not be denied.

2.3.2. Viewing Adaptive Protection Rules

The DDoS Adaptive Protection Engine (DAPE) judges when to generate or delete protection rules based on the threat level of the attack, automatically handles attacks, and usually, you do not need to pay special attention.

If you wish to view adaptive protection rules, there are usually two ways:

1. View the currently active rules during an attack
If you are aware that an attack is occurring, you can directly view on the Security Policy > DDoS Protection page to see if there are any adaptive protection rules currently generated, the rules are prefixed with “L7DDoS_AI”.

2. After the attack stops, retrospective through attack logs
If you wish to retrospect the attack event and protection situation after the attack ends, you can go to the Analysis & Logs > Attack Logs page to query whether there were any adaptive protection rule blocked logs during the attack time period, and you can view detailed rule information in the expanded log details.

As attackers often bypass protection by constantly changing attack characteristics, and to reduce the risk of false positive when there is no attack, adaptive protection rules are designed to be generated only during attacks, and deleted 15 minutes after the attack stops. If you analyze that a historical protection rule can effectively protect against multiple attacks, and the risk of false positive is extremely low, you can manually configure the rule into Custom Rules or Rate Limiting for continuous protection of the website.