Configuring Cleansing

Last updated: 2019-11-13 16:32:29


Log in to Anti-DDoS Console, choose Anti-DDoS Pro -> Protection Configuration, and select the target instance from the drop-down list. In the DDoS Protection section, configure Protection Status, Cleansing Threshold, Protection Level, Scenario, and Advanced Policy.

The configuration items are visible only when Protection Status is enabled. If you disable the protection, the configuration items are hidden and do not take effect. After you enable the protection again, the items become visible and retain their original configuration.

  • Protection Status

    You can enable or disable the protection as required. You can set the duration for disabling the protection. Currently, the duration is 1-6 hours. The protection automatically takes effect after the set duration or when the attack traffic exceeds 1 million pps or 2 Gbps.

  • Cleansing Threshold

    Indicates the threshold that triggers cleansing. If the traffic is below the threshold, the cleansing operation is not executed even if attacks are detected.

    If you know what threshold you need, set it as required. Otherwise, leave it at the default value. Anti-DDoS will automatically learn through AI algorithms and generate the default threshold for you.

  • Protection Level

    You can set the protection level as required. The following table details the operations for each protection level.

    Protection Level: Loose
    Protection Operation:
    • Filters SYN and ACK data packets with explicit attack attributes.
    • Filters TCP, UDP, and ICMP data packets that are not compliant with the protocol specifications.
    • Filters UDP data packets with explicit attack attributes.
    Description: The cleansing policy is loose and only protects against explicit attack packets. It is recommended to use this mode only when requests are blocked by mistake. Attack packets may pass through the security system in case of complex attacks.

    Protection Level: Normal
    Protection Operation:
    • Filters SYN and ACK data packets with explicit attack attributes.
    • Filters TCP, UDP, and ICMP data packets that are not compliant with the protocol specifications.
    • Filters UDP data packets with explicit attack attributes.
    • Filters common attack UDP data packets.
    • Actively verifies the source IPs of some access attempts.
    Description: The cleansing policy applies to most services and effectively protects against common attacks. The normal mode is configured by default.

    Protection Level: Strict
    Protection Operation:
    • Filters SYN and ACK data packets with explicit attack attributes.
    • Filters TCP, UDP, and ICMP data packets that are not compliant with the protocol specifications.
    • Filters UDP data packets with explicit attack attributes.
    • Filters common UDP-based attack packets.
    • Actively verifies the source IPs of some access attempts.
    • Filters ICMP attack packets.
    • Filters common UDP attack data packets.
    • Strictly checks UDP data packets.
    Description: The cleansing policy is strict. It is recommended to use this mode when attack packets pass through the security system in the Normal mode.

    If you need to use the UDP protocol, contact Tencent Cloud Technical Support to formulate a policy that avoids impact on business operations in strict mode.

  • Scenarios

    Select a matching one from the created scenarios, and modify its configuration as required. After you have selected a scenario, the corresponding advanced policy will automatically match the policy generated for the scenario.

  • Advanced Policy

    You can select a matching one from the created advanced policies as required. You can also modify an existing advanced policy.