Manage CC protection policies

Last updated: 2020-02-17 10:27:15

PDF

DDoS High Defense IP supports HTTP/HTTPS CC protection. When the number of HTTP/HTTPS requests counted by High Defense IP exceeds the set [http/https request threshold], HTTP/HTTPS CC defense will be triggered automatically.
DDoS High Defense IP provides the function of setting Access control policy. By enabling the HTTP/HTTPS CC protection feature, users can use the fields of common HTTP/HTTPS messages (such as host parameters, CGI parameters, Referer and User-Agent, etc.) to set matching conditions, manage and control the Access requests of public network users, and perform blocking and man-machine identification actions on requests for hit conditions. Users can also set speed limit rules and perform speed limit processing on Access IP.
DDoS High Defense IP also supports URL whitelist, IP whitelist and IP blacklist policy configuration:

  • The URL, in the whitelist and its Access request will not need to perform CC attack detection and will be directly detected by pass.
  • The whitelist IP, and its HTTP/HTTPS Access request will not need to perform CC attack detection and will be directly detected by pass.
  • The request of Access, the HTTP/HTTPS of IP, on the blacklist, will be rejected directly.

Enable CC protection

HTTP CC protection

  1. Login DDoS Protection Management console In the left navigation, select * * DDoS High Defense IP * *-> * * Defense configuration * *. On the defense configuration page, click * * CC Defense * *, and select the target instance.
  2. In the "HTTP CC Protection" area, click on the right side of "Protection status" To enable HTTP CC defense, click Drop-down list on the right of * * threshold of http requests * * to select the appropriate threshold.

The CC defense status is turned off by default. The threshold for the number of HTTP requests can only be set when the defense status is enabled.

HTTPS CC protection

  1. Login DDoS Protection Management console In the left navigation, select * * DDoS High Defense IP * *-> * * Defense configuration * *. On the defense configuration page, click * * CC Defense * *, and select the target instance.
  2. In the "HTTPS CC" area, select the protection domain name, and click "Protection status" to the right. To enable HTTPS CC defense, click Drop-down list on the right of * * threshold of https requests * * to select the appropriate threshold.

The CC defense status is turned off by default. The threshold for the number of HTTPS requests can only be set when the defense status is enabled.

Custom CC protection policy

  • You need to enable HTTP/HTTPS CC defense before you can set custom CC defense policies. A maximum of 5 can be added.
  • The custom policy takes effect only if the high defense IP is being attacked.
  • In matching mode Each custom policy can be set up to 4 Each policy condition carries on the feature control, and the relationship between the multiple conditions is "and", which requires all the conditions to match before the policy takes effect.
  • In speed limit mode Each custom policy can only be set 1 Policy conditions.
  1. Login DDoS Protection Management console In the left navigation, select * * DDoS High Defense IP * *-> * * Defense configuration * *, go to the defense configuration page, click * * CC Defense * *, select a region and route, select the destination instance, and click * * add Access Control Policy * *.
  2. In the "add Access Control Policy" pop-up box, set the following parameters according to the actual business requirements, and click "OK".
  • Policy name
    Enter policy name, which consists of 1-20 characters. Character type is not restricted.
    -Protocol
    Currently, two kinds of Protocol, HTTP and HTTPS, are supported.
    -protected domain name
    You need to select the corresponding protected domain name only if you select HTTPS Protocol. The range of protected domain names that can be selected is equal to the domain name of the website belonging to HTTPS Protocol in the repost rules that have been configured.
    -Mod
    -matching pattern: match the request to the corresponding field header of HTTP / HTTPS, and perform Block or man-machine identification operation.
    -Speed limit mode: perform speed limit on the source IP Access, HTTPS Protocol does not support the selection of speed limit mode .
    -Strategy
  • Protocol is HTTP when [matching mode] is selected. The combination of host parameter, CGI parameter, Referer and User-Agent of HTTP message is supported, and the combination logic includes include, exclude and equal. Up to 4 policy conditions can be set for feature control. If When Protocol was HTTPS The combination of CGI parameters, Referer and User-Agent features of HTTPS messages is supported, and the combination logic includes include, do not include and equal to. You can set up to 3 policy conditions for feature control. The fields are described as follows:
    Matching Field Field description Applicable logical characters
    Host The domain name requested by Access. Include, do not include, equal to
    CGI The URI address requested by Access. Include, do not include, equal to
    Referer The source URL of Access's request indicates from which page Redirect generated the Access request. Include, do not include, equal to
    User-Agent Related information such as the identity of the client browser that initiated Access's request. Include, do not include, equal to
    -when selecting "speed limit mode", Access is processed with speed limit for each source IP. Only 1 policy condition is allowed to be set.
  • Execution

This parameter needs to be set only if match Mode is selected. Indicates the processing actions to be performed after the policy matches, including Block and CAPTCHA.

Set up Blacklist/Whitelist

  1. Login DDoS Protection Management console In the left navigation, select * * DDoS High Defense IP * *-> * * Defense configuration * *, go to the Defense configuration page, click * * CC Defense * *, select a region and route, and select the destination instance.
  2. Check * * HTTP * * or * * HTTPS * * on the right side of the page, and select * * URL whitelist * *, * * IP whitelist * * or * * IP Blacklist * * to configure Blacklist/Whitelist, support adding and modifying, and also supporting batch import of Export.