The defense policies for HTTPS services cover defense.
The AntiDDoS identifies well-known protocols by port number. Non-HTTPS services that use port 443 may therefore be identified as HTTPS services, and their traffic may be discarded when it matches specific policies. Do not use well-known ports for other services.
Defense
HTTPS Source Authentication Defense
When Statistics Based on Source IP Address is enabled and the rate of HTTPS packets destined for the Zone is greater than Threshold, the system enables source IP address-based statistics, and reports anomalies to the ATIC Management center. When the rate of HTTPS packets from the IP address is larger than Threshold, the source authentication of HTTPS packets is enabled.
The source-based defense mode is Enhanced.
When Statistics Based on Source IP Address is disabled and the rate of HTTPS packets destined for the Zone is larger than Threshold, the system reports anomalies to the ATIC Management center.
You are advised to specify the Threshold through baseline learning. For details, see Configuring a Baseline Learning Task.
After defense against anomaly events is enabled, the cleaning device uses the source authentication mode for defense.
The source IP address that fails authentication is regarded as the attack source and is reported to the ATIC Management center. If the dynamic blacklist mode of the Zone is not Close, the ATIC Management center automatically adds the IP addresses of attack sources to the dynamic blacklist. For details on how to configure the dynamic blacklist mode, see Configuring a Defense Mode.
The session is closed after successful authentication. The page needs to be manually refreshed, which affects user experience.
SSL Defense
After HTTPS source authentication defense is enabled, if the rate of the HTTPS packets destined for the specified IP address exceeds Threshold, the system performs SSL checks on the source IP address of the packets. Within the interval specified in Renegotiation Interval, if the number of SSL negotiations between a source IP address and a destination IP address exceeds Maximum Renegotiation Times, the session between them is marked as abnormal. Within the interval specified in Abnormal Session Check Interval, if the number of abnormal sessions exceeds the value specified in Maximum Number of Abnormal Sessions, the source IP address is regarded as abnormal and is blacklisted.
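The two counting stages described above, modelled as an added example that is not the AntiDDoS device's implementation or code from this page. The class and parameter names, the sliding-window interpretation of both intervals, the use of (source IP, destination IP, source port) to identify a session, and the sample events are all assumptions made for illustration; the example starts from the point where SSL checks are already active.

```python
from collections import defaultdict, deque

class SslRenegotiationDetector:
    """Two-stage SSL check; sliding windows and per-port session keys are assumptions."""
    def __init__(self, renegotiation_interval, max_renegotiation_times,
                 abnormal_session_check_interval, max_abnormal_sessions):
        self.reneg_interval = renegotiation_interval
        self.max_reneg = max_renegotiation_times
        self.check_interval = abnormal_session_check_interval
        self.max_abnormal = max_abnormal_sessions
        self.negotiations = defaultdict(deque)  # session key -> negotiation timestamps
        self.abnormal = defaultdict(deque)      # source IP -> times a session was marked
        self.flagged_sessions = set()
        self.blacklist = set()

    def observe(self, ts, src, dst, sport):
        """Record one SSL negotiation (ts non-decreasing); True if src is blacklisted."""
        if src in self.blacklist:
            return True
        key = (src, dst, sport)
        window = self.negotiations[key]
        window.append(ts)
        while window and ts - window[0] >= self.reneg_interval:
            window.popleft()
        # Stage 1: negotiations in this session exceed Maximum Renegotiation Times.
        if len(window) > self.max_reneg and key not in self.flagged_sessions:
            self.flagged_sessions.add(key)
            marks = self.abnormal[src]
            marks.append(ts)
            while marks and ts - marks[0] >= self.check_interval:
                marks.popleft()
            # Stage 2: abnormal sessions exceed Maximum Number of Abnormal Sessions.
            if len(marks) > self.max_abnormal:
                self.blacklist.add(src)
        return src in self.blacklist

def run_sample():
    # Constructed events: (seconds, source IP, destination IP, source port).
    det = SslRenegotiationDetector(renegotiation_interval=60, max_renegotiation_times=3,
                                   abnormal_session_check_interval=15, max_abnormal_sessions=2)
    events = []
    # 198.51.100.7 negotiates 4 times in each of 3 sessions within 15 seconds.
    for i, sport in enumerate((40001, 40002, 40003)):
        events += [(i * 5 + n, "198.51.100.7", "203.0.113.10", sport) for n in range(4)]
    # 192.0.2.20 negotiates 4 times in one session, 40 seconds apart.
    events += [(n * 40, "192.0.2.20", "203.0.113.10", 50000) for n in range(4)]
    for ev in sorted(events):
        det.observe(*ev)
    return det
```

With these constructed values, only the source that accumulates three abnormal sessions inside the check interval is blacklisted; a single abnormal session, or renegotiations spaced wider than the Renegotiation Interval, do not trigger it.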