The defense policies for HTTPS services cover the defense functions described below.
The AntiDDoS identifies well-known protocols by port number. Traffic of a non-HTTPS service that uses port 443 may therefore be treated as HTTPS and discarded when it matches an HTTPS-specific policy. Do not run other services on well-known ports.
Defense
HTTPS Source Authentication Defense
When Statistics Based on Source IP Address is enabled and the rate of HTTPS packets destined for the Zone exceeds Threshold, the system starts source IP address-based statistics and reports an anomaly to the ATIC Management Center. When the rate of HTTPS packets from a single source IP address then exceeds Threshold, source authentication is enabled for HTTPS packets from that address.
The source-based defense mode is Enhanced.
When Statistics Based on Source IP Address is disabled and the rate of HTTPS packets destined for the Zone exceeds Threshold, the system reports an anomaly to the ATIC Management Center without starting source IP address-based statistics.
You are advised to specify the Threshold through baseline learning. For details, see Configuring a Baseline Learning Task.
SSL Defense
After HTTPS source authentication defense is enabled, if the rate of HTTPS packets destined for the specified IP address exceeds Threshold, the system performs SSL checks on the source IP addresses of those packets. If Check sessions is selected, session validity is checked in two stages. First, if the number of SSL negotiations between a source IP address and a destination IP address within Renegotiation Interval exceeds Maximum Renegotiation Times, the session between them is marked as abnormal. Second, if the number of abnormal sessions of a source IP address within Abnormal Session Check Interval exceeds Maximum Number of Abnormal Sessions, the source IP address is regarded as abnormal and is blacklisted.
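To make the two-stage counting concrete, the following Python model replays a constructed negotiation trace through the Renegotiation Interval / Maximum Renegotiation Times check and the Abnormal Session Check Interval / Maximum Number of Abnormal Sessions check. It is an added example, not AntiDDoS code: the class, the event format (timestamp, source, destination), the sample addresses and the choice to restart a session's counter once it has been marked abnormal are assumptions made for illustration.

```python
"""Illustrative model of the SSL defense session checks (added example, not AntiDDoS code)."""
from collections import defaultdict, deque


class SslDefense:
    """Two-stage sliding-window counter; semantics are assumed from the description."""

    def __init__(self, renegotiation_interval, max_renegotiation_times,
                 abnormal_session_check_interval, max_abnormal_sessions):
        self.renegotiation_interval = renegotiation_interval
        self.max_renegotiation_times = max_renegotiation_times
        self.abnormal_session_check_interval = abnormal_session_check_interval
        self.max_abnormal_sessions = max_abnormal_sessions
        # Stage 1: per (src, dst) session, timestamps of negotiations inside the window.
        self._negotiations = defaultdict(deque)
        # Stage 2: per source, timestamps at which one of its sessions was marked abnormal.
        self._abnormal_marks = defaultdict(deque)
        self.blacklist = set()

    @staticmethod
    def _trim(window, now, interval):
        # Drop timestamps that fell out of the sliding window.
        while window and now - window[0] > interval:
            window.popleft()

    def on_negotiation(self, now, src, dst):
        """Feed one SSL negotiation (e.g. a ClientHello) seen at time `now`.

        Returns "blacklisted" if src is already blacklisted (packet dropped),
        "abnormal" if this negotiation marked the session abnormal (and possibly
        blacklisted the source), otherwise "ok".
        """
        if src in self.blacklist:
            return "blacklisted"

        window = self._negotiations[(src, dst)]
        window.append(now)
        self._trim(window, now, self.renegotiation_interval)
        if len(window) <= self.max_renegotiation_times:
            return "ok"

        # Too many negotiations in Renegotiation Interval: mark the session abnormal
        # and restart its counter so the next burst counts as a new abnormal session.
        window.clear()
        marks = self._abnormal_marks[src]
        marks.append(now)
        self._trim(marks, now, self.abnormal_session_check_interval)
        if len(marks) > self.max_abnormal_sessions:
            self.blacklist.add(src)
        return "abnormal"


def run_sample():
    """Replay a constructed trace: one legitimate client and one attacker that
    hammers renegotiations against three protected addresses (all addresses are
    documentation ranges chosen for the example)."""
    d = SslDefense(renegotiation_interval=10, max_renegotiation_times=3,
                   abnormal_session_check_interval=60, max_abnormal_sessions=2)
    attacker, client = "198.51.100.7", "192.0.2.5"
    trace = [(0.0, client, "203.0.113.10"), (5.0, client, "203.0.113.10")]
    t = 10.0
    for dst in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        for _ in range(4):            # four negotiations per destination inside 10 s
            trace.append((t, attacker, dst))
            t += 0.5
    trace.append((t, attacker, "203.0.113.10"))  # arrives after blacklisting
    results = [d.on_negotiation(ts, src, dst) for ts, src, dst in trace]
    return d, results


if __name__ == "__main__":
    defense, verdicts = run_sample()
    for verdict in verdicts:
        print(verdict)
    print("blacklist:", sorted(defense.blacklist))
```

With these settings the attacker's fourth negotiation to each destination exceeds Maximum Renegotiation Times and marks that session abnormal; the third abnormal session within Abnormal Session Check Interval exceeds Maximum Number of Abnormal Sessions, so the source is blacklisted and its next packet is dropped, while the client's two negotiations stay within the limits.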
SSL Decryption Defense
SSL decryption defense is driven by Statistics Based on Source IP Addresses. When the rate of HTTPS packets destined for a destination IP address exceeds Packet Rate Threshold for Statistics Based on Destination IP Addresses, statistics based on source IP addresses are enabled. When the traffic rate of a source IP address exceeds Source IP Address Decryption Threshold, HTTPS Fingerprint Learning and Statistics on Server Return Codes are triggered for that address. If a source IP address matches Statistics on Server Return Codes or HTTPS Fingerprint Learning the specified number of times, it is dynamically blacklisted and an anomaly event is reported to the ATIC.