Creating a Filter

Seven types of filters are available. A filter performs static filtering: it matches packets against user-defined keywords and applies the configured action to the matched packets.

Procedure

  1. Choose Defense > Policy Settings > Filter.
  2. Click .
  3. On the Basic Information tab page, configure basic information about the filter. Table 1 lists parameters and Table 2 lists keywords.

    Table 1 Basic information about the filter
    (columns: Parameter, Description, Value)

    Name
      Description: Indicates the name of a filter.
      Value: -

    Device Type
      Description: Indicates the type of device the filter applies to.
      Value: AntiDDoS, NFA, ALL.

    Protocol
      Description: Indicates a protocol type.
      Value: -

    Operation
      Description: Indicates the action taken on matched packets.
      • Discarding: discards the packets that match the keyword.
      • Discard+Blacklist: discards the packets that match the keyword and blacklists their source IP addresses.
      • Permitting: permits only the packets that match the keyword.
      • Pass+Whitelist: permits the packets that match the keyword and whitelists their source IP addresses.
      • Rate Limiting: limits the total rate of packets that match the keyword to below Threshold (pps).
      • Source limiting: limits the rate of matched packets sent by each single source to below Threshold (pps).
      • Source detection: performs source detection when packets match the specified keyword. Only HTTP filters have the source detection function.

    Click the Keyword tab and configure keywords.

    Table 2 Keyword content
    (columns: Keyword, Description, Value)

    source-ip
      Description: IP address; mask
      Value: Indicates the source IP address and subnet mask of a packet. Both IPv4 and IPv6 addresses are supported. You can configure a maximum of 1000 source IP addresses on each filter and a maximum of 20,000 source IP addresses on each cleaning device.

    destination-ip
      Description: IP address; mask
      Value: Indicates the destination IP address and subnet mask of a packet. Both IPv4 and IPv6 addresses are supported. You can configure a maximum of 100 destination IP addresses on each filter and a maximum of 2000 destination IP addresses on each cleaning device.

    packet-length
      Description: min; max
      Value: Indicates the packet length range. You can configure a maximum of 32 packet lengths for each filter. A packet matches the filter if any one of the specified packet lengths is hit.

    ttl
      Description: ttl
      Value: Indicates the Time To Live (TTL) of a packet. You can configure a maximum of 32 TTL values for each filter.

    fingerprint
      Description: offset; content; depth
      Value:
        offset: Indicates the number of offset bytes counted from the first bit of the packet data. For example, when Content is set to 1234afee, Offset to 20, and Check Depth to 8, the packet matches the fingerprint if the data content from the 21st byte to the 32nd byte contains 1234afee. The formula is "32 = 20 + 4 (fingerprint length) + 8 (check depth)".
        content: Indicates the fingerprint content. A fingerprint contains 2 to 128 characters and can be a character string or a group of hexadecimal numbers. The default format is a character string. If the hexadecimal format is used, each byte is written as two hexadecimal digits and a \x must be added before the start byte.
        depth: Indicates the check depth, which determines the range within which the fingerprint is matched.
        You can configure a maximum of 10 fingerprints for each filter, and a maximum of 4 parts for each fingerprint. You can configure a maximum of 512 parts for each device.

    protocol
      Description: protocol
      Value: Indicates the protocol type of a packet. You can configure a maximum of 32 packet protocols for each filter.

    dscp/fragment
      Description: dscp/fragment
      Value: Indicates the DSCP or fragment field of an IP packet. You can configure a maximum of 32 DSCPs and 5 fragments for each filter.

    tcp-flag
      Description: TCP flag
      Value: Indicates the flag bits of a TCP packet. You can configure a maximum of 16 TCP flags for each filter.

    destination-port
      Description: start port; end port
      Value: Indicates the range of destination ports of packets. You can configure a maximum of 32 destination ports for each filter.

    source-port
      Description: start port; end port
      Value: Indicates the range of source ports of packets. You can configure a maximum of 32 source ports for each filter.

    opcode/cookie/host/referer/user-agent
      Description: opcode/cookie/host/referer/user-agent
      Value: Indicates the corresponding field of an HTTP packet.
      • ASCII characters and hexadecimal characters are supported.
      • Each character string contains a maximum of 64 bytes.
      • You can configure a maximum of 128 opcode keywords or a maximum of 512 cookie/host/referer/user-agent keywords for each device.

    uri
      Description: URI
      Value: Indicates the type of an HTTP request packet. You can configure a maximum of 512 URI keywords for each HTTP filter, and a maximum of 512 for each device.

    qr
      Description: qr
      Value: Indicates the type of a DNS packet. Both DNS query and DNS reply types are available.

    domain
      Description: domain
      Value: Indicates the domain field of a DNS packet.
      • include: indicates a fuzzy match. DNS packets are matched only if the domain field contains the specified content.
      • equal: indicates an exact match. Packets are matched only if the domain field is identical to the specified content.
      You can configure a maximum of 512 domain keywords for each HTTP filter, and a maximum of 512 for each device.

    type
      Description: type
      Value: Indicates the type field of a DNS packet. You can configure a maximum of 10 type keywords for each DNS filter.

    caller/callee
      Description: Caller/Callee
      Value: Indicates the Caller/Callee field of a SIP packet. You can configure a maximum of 512 Caller/Callee keywords for each SIP filter, and a maximum of 512 for each device.

  4. Bind a Zone to the filter.
    1. Click the Associated Zone tab.
    2. Click , select a Zone, and click OK.

      Only the Zones whose Deployment State is Deploy Succeed are displayed on the page. Ensure that the Zone to be bound has been deployed.

    Two modes are available for binding a Zone to a filter. For details, see Associating a Zone with a Filter.

  5. Click Deploy.

    • When the Zone is associated with the filter and you click Deploy, the filter is deployed on the AntiDDoS and configurations take effect.
    • When only the filter is created and you click Deploy, filter configurations are saved on the ATIC Management center. They take effect only after the filter is associated with the Zone and is deployed again.
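The following Python model is an added illustration, not code from the ATIC product or from Huawei: it reproduces the fingerprint matching rule from Table 2 (Offset, Content, Check Depth, with the "\x" hexadecimal prefix) and the difference between the Operation values in Table 1, in particular Rate Limiting (one threshold for all matched packets) versus Source limiting (one threshold per source). The combination rule across keyword types (any entry within a type may hit, every configured type must hit), the exact "\x" prefix syntax, and the per-second counting window are assumptions made for the example; the packet records and addresses are constructed.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field


def parse_fingerprint(content: str) -> bytes:
    """Assumed syntax: a leading '\\x' marks hexadecimal content (two hex
    digits per byte); any other string is matched literally as ASCII."""
    if content.startswith("\\x"):
        return bytes.fromhex(content[2:])
    return content.encode("ascii")


def fingerprint_matches(payload: bytes, content: str, offset: int, depth: int) -> bool:
    """Table 2 rule: skip `offset` bytes, then the fingerprint must lie within
    the next len(fingerprint) + depth bytes (32 = 20 + 4 + 8 in the example)."""
    fp = parse_fingerprint(content)
    window = payload[offset:offset + len(fp) + depth]
    return fp in window


@dataclass
class Filter:
    name: str
    operation: str                 # one of the Operation values in Table 1
    threshold_pps: int = 0         # used by Rate Limiting / Source limiting
    source_ips: list = field(default_factory=list)    # ipaddress networks
    dst_ports: list = field(default_factory=list)     # (start, end) inclusive
    fingerprints: list = field(default_factory=list)  # (content, offset, depth)

    def matches(self, pkt: dict) -> bool:
        # Assumed combination: any entry within one keyword type may hit,
        # and every keyword type that is configured must hit.
        src = ipaddress.ip_address(pkt["src"])
        checks = []
        if self.source_ips:
            checks.append(any(src in net for net in self.source_ips))
        if self.dst_ports:
            checks.append(any(lo <= pkt["dst_port"] <= hi for lo, hi in self.dst_ports))
        if self.fingerprints:
            checks.append(any(fingerprint_matches(pkt["payload"], c, o, d)
                              for c, o, d in self.fingerprints))
        return bool(checks) and all(checks)


class FilterEngine:
    """Applies one filter's Operation; counters are reset every second (assumed)."""

    def __init__(self, flt: Filter):
        self.flt = flt
        self.blacklist = set()
        self.whitelist = set()
        self._second = None
        self._counts = defaultdict(int)

    def handle(self, pkt: dict, now: float) -> str:
        if int(now) != self._second:
            self._second = int(now)
            self._counts.clear()
        src = pkt["src"]
        if src in self.blacklist:          # Discard+Blacklist result persists
            return "drop"
        if src in self.whitelist:          # Pass+Whitelist result persists
            return "pass"
        matched = self.flt.matches(pkt)
        op = self.flt.operation
        if op == "Discarding":
            return "drop" if matched else "pass"
        if op == "Discard+Blacklist":
            if matched:
                self.blacklist.add(src)
                return "drop"
            return "pass"
        if op == "Permitting":             # permits only matched packets
            return "pass" if matched else "drop"
        if op == "Pass+Whitelist":
            if matched:
                self.whitelist.add(src)
                return "pass"
            return "drop"
        if op in ("Rate Limiting", "Source limiting"):
            if not matched:
                return "pass"
            # Rate Limiting shares one counter; Source limiting counts per source.
            key = "matched" if op == "Rate Limiting" else src
            self._counts[key] += 1
            return "pass" if self._counts[key] <= self.flt.threshold_pps else "drop"
        raise ValueError(f"unknown operation {op!r}")


def demo_fingerprint() -> bool:
    # Constructed payload: 20 filler bytes, then the 4-byte hex fingerprint.
    payload = b"A" * 20 + bytes.fromhex("1234afee") + b"B" * 40
    return fingerprint_matches(payload, r"\x1234afee", offset=20, depth=8)


def demo_rate_limit(operation: str) -> dict:
    # Ten DNS packets in one second from two constructed sources, threshold 3 pps.
    flt = Filter("udp-dns-limit", operation, threshold_pps=3, dst_ports=[(53, 53)],
                 source_ips=[ipaddress.ip_network("198.51.100.0/24")])
    eng = FilterEngine(flt)
    verdicts = defaultdict(int)
    for i in range(10):
        pkt = {"src": f"198.51.100.{1 + i % 2}", "dst_port": 53, "payload": b""}
        verdicts[eng.handle(pkt, now=0.1 * i)] += 1
    return dict(verdicts)


if __name__ == "__main__":
    print("fingerprint hit:", demo_fingerprint())
    print("Rate Limiting:", demo_rate_limit("Rate Limiting"))
    print("Source limiting:", demo_rate_limit("Source limiting"))
```

With the same threshold of 3 pps, Rate Limiting passes 3 of the 10 matched packets in total, while Source limiting passes 3 per source (6 in total); that is the practical difference to keep in mind when choosing between the two actions for a flood that comes from many sources.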


Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.