The defense policies for HTTP services cover defense.
NOTE: The AntiDDoS identifies well-known protocols by port number. Non-HTTP services with port 80 may be identified as HTTP services and therefore be discarded when matching specific policies. Therefore, do not use well-known ports for other services.
Defense
HTTP attack defense
When Statistics Based on Source IP Address is enabled and the rate of HTTP packets destined for the Zone is greater than Threshold or Request Threshold, the system enables source IP address-based statistics, and reports anomalies to the ATIC Management center. When the rate of HTTP packets from the IP address is larger than Threshold or Request Threshold, the source authentication of HTTP packets is enabled.
The source-based defense mode can be 302 Redirect, Verify Code, Cookie Authentication or JavaScript.
When Statistics Based on Source IP Address is disabled and the rate of HTTP packets destined for the Zone is larger than Threshold or Request Threshold, the system reports anomalies to the ATIC Management center.
If the defense mode of the Zone is automatic, the system starts defense automatically. If the defense mode is manual, the administrator needs to confirm and start the defense manually. For details on how to configure the defense mode, see Configuring a Defense Mode.
You are advised to specify the Threshold or Request Threshold through baseline learning. For details, see Configuring a Baseline Learning Task.
NOTE: Threshold indicates that the device collects statistics on all HTTP packets, including SYN, SYN-ACK, and ACK packets of TCP connections. Request Threshold indicates that the device collects statistics on the HTTP packets (such as GET and POST packets) except SYN, SYN-ACK, and ACK packets. As long as the traffic volume reaches one of the thresholds, the defense is triggered.HTTP Source Authentication Defense
For parameters, see Table 1.
Table 1 Parameters of configuring HTTP source authentication Parameter Description Value Defense Mode Indicates the defense mode that the cleaning device defends against HTTP attack sources.
- 302 Redirect: If the requested web page is not on the same server as the embedded resource and an anomaly occurs on the server where the embedded resource resides, enable 302 redirection on the server where the embedded resource resides to detect whether the source is a real browser. 302 redirect source authentication does not affect customer experience.
Verify Code: This mode detects whether HTTP access is initiated by a real user and requires a verification code. When botnet attacks are launched, the attackers cannot enter the verification code and hence are effectively defended against. However, user experience is affected.
If the client of the HTTP service is a set-top box, select the 302 Redirect defense mode because the set-top box cannot enter any verification codes.
- Cookie Authentication: This mode can effectively block access from non-browser clients. If a server request is abnormal, the cookie recording function of real browsers can be used to check the reality of the access source.
- JavaScript: If the web page that a user requests or the server of the resource embedded in a web page is abnormal, the JavaScript redirection function can be used to check the reality of the access source. A real browser can execute JavaScript to automatically implement redirection without affecting customer experience.
Verification Code Caption Settings When you set Defense Mode to Verify Code, the AntiDDoS automatically pushes a verification code page, on which you can set the verification code caption.
-
Proxy Detection Check whether HTTP requests are sent through the proxy.
If yes, the system obtains the real IP address from HTTP packets for defense. The defense against attacks with real IP addresses ensures that normal requests are properly processed and attack traffic is discarded.
You are advised to enable proxy detection if any HTTP proxy exists.
User-defined HTTP Proxy Keyword Keyword for configuring a custom HTTP proxy.
-
Source Authentication Termination Condition
Attempt Time, Maximum Number of Attempts
Limits the maximum number of HTTP redirection attempts.
After the HTTP source authentication defense is enabled and the number of the authentication attempts of a source IP address exceeds Maximum Number of Attempts within Attempt Time, the source IP address is regarded as an attack source and is reported to the ATIC Management center. If the dynamic blacklist mode of the Zone is not Close, the ATIC Management center automatically adds the IP addresses of attack sources to the dynamic blacklist. For details on how to configure the dynamic blacklist mode, see Configuring a Defense Mode.
Otherwise, the ATIC Management center adds the source IP address to the whitelist.
SYN Rate Limiting
Threshold
If the rate of HTTP packets whose source IP addresses succeed in source authentication exceeds Threshold, the device takes limiting.
Limits the number of connections.
-
ACK Rate Limiting
Threshold
If the rate of HTTP packets whose source IP addresses succeed in source authentication exceeds Threshold, the device takes limiting.
Limits the rate of HTTP get packets.
-
HTTP First Packet Check
If the interval is smaller than the specified lower limit or greater than the specified upper limit, the anti-DDoS device considers the packet as the first packet and discards it. If the interval is between the lower limit and upper limit, the anti-DDoS device considers the packet as a subsequent packet and permits it.
HTTP Fingerprint Learning
Within the learning cycle, the number of requests with the same fingerprint and from the same source IP address exceeds Matching Counts, the source IP address is regarded as an attack source and is reported to the ATIC Management center. If the dynamic blacklist mode of the Zone is not Close, the ATIC Management center automatically adds the IP addresses of attack sources to the dynamic blacklist. For details on how to configure the dynamic blacklist mode, see Configuring a Defense Mode.
HTTP low-rate connection attack defense
If the number of HTTP concurrent connections per second exceeds the given value, the device checks the HTTP packets. If any of the following situations occurs, the protected network is under HTTP low-rate connection attacks. The device reports the source IP address of the attack packets to the ATIC Management center. If the dynamic blacklist of the Zone is not Disable, the system automatically adds the IP address of attack packets to the dynamic blacklist and terminates the connection between this IP address and the HTTP server.
- The total length of consecutive HTTP post packets exceeds the given value, but the HTTP payload length is less than the given value.
- The headers of consecutive HTTP get/post packets do not have any end flags.
For parameters, see Table 2.
Table 2 Configuring HTTP low-rate connection attack defense Parameter Description Number of concurrent connections
Check the number of HTTP concurrent connections per second. If the count exceeds the given value, the system checks each HTTP packet.
Total packet length
If either of the following situations occurs, the system is under HTTP low-rate connection attacks.
- The total length of consecutive HTTP post packets exceeds the given value, but the HTTP payload length is less than the given value.
- The headers of consecutive HTTP get/post packets do not have any end flags.
Packet number
Payload length
Destination IP-based URI Behavior Monitoring
For parameters, see Table 3.
Table 3 Parameters of configuring destination IP-based URI behavior monitoring Parameter Description Value Destination IP-based URI Behavior Monitoring Detection Threshold Within the Interval, if the ratio of the Closely monitored URI access counts (to a destination IP address) to the total access counts exceeds Detection Threshold, the URI behavior monitoring is enabled on source IP addresses.
You are advised to configure Detection Threshold based on baseline learning. For details, see Configuring a Baseline Learning Task.
Source IP-based URI Behavior Monitoring Defense Threshold Within the Interval, the ratio of the Closely monitored URI access counts of a source IP address to the total access counts exceeds Defense Threshold, the source IP address is regarded as an attack source and is reported to the ATIC Management center. If the dynamic blacklist mode of the Zone is not Close, the ATIC Management center automatically adds the IP addresses of attack sources to the dynamic blacklist. For details on how to configure the dynamic blacklist mode, see Configuring a Defense Mode.
-
Closely monitored URI - Closely monitor URIs when URI behavior monitoring is used for defending against HTTP flood attacks.
Two matching modes are available: precise and fuzzy.
Precise: The monitored URI string is exactly the same as the configured URI string for monitoring.
Fuzzy: If the monitored URI string contains the URI string configured for monitoring, the matching is successful.
-