The defense policies for HTTP services cover defense.
- The AntiDDoS identifies well-known protocols by port number. Non-HTTP services with port 80 may be identified as HTTP services and therefore be discarded when matching specific policies. Therefore, do not use well-known ports for other services.
Defense
-
When the rate of HTTP packets destined for an IP address of the Zone exceeds the value of Request Rate Threshold Of Destination IP, HTTP flood defense is enabled for this destination IP address.
If the defense mode of the Zone is automatic, the system starts defense automatically. If the defense mode is manual, the administrator needs to confirm and start the defense manually. For details on how to configure the defense mode, see Configuring a Defense Mode.
You are advised to specify the Request Rate Threshold Of Destination IP through baseline learning. For details, see Configuring a Baseline Learning Task.
Request Rate Threshold Of Destination IP applies only to HTTP packets (such as GET and POST packets) except SYN, SYN-ACK, ACK, FIN, and RST packets. As long as the traffic volume reaches one of the thresholds, the defense is triggered.
HTTP Source Authentication Defense
For parameters, see Table 1.
Table 1 Parameters of configuring HTTP source authentication Parameter
Description
Value
Suspicious Source Challenge
Packets Rate Threshold
Performs challenge authentication on the suspicious source IP whose packets rate or request rate exceed the threshold.
-
Request Threshold
-
Defense mode
Indicates the defense mode that the cleaning device uses to defend against HTTP attack sources.
- 302 Redirect: If the requested web page is not on the same server as the embedded resource and an anomaly occurs on the server where the embedded resource resides, enable 302 redirection on the server where the embedded resource resides to detect whether the source is a real browser. This does not affect customer experience.
Verify Code: This mode detects whether HTTP access is initiated by a real user and requires a verification code. When botnet attacks are launched, the attackers cannot enter the verification code and hence are effectively defended against. However, user experience is affected.
If the client of the HTTP service is a set-top box, select the 302 Redirect defense mode because the set-top box cannot enter any verification codes.
- Cookie Authentication: This mode can effectively block access from non-browser clients. If a server request is abnormal, the cookie recording function of real browsers can be used to check the reality of the access source.
- JavaScript: If the web page that a user requests or the server of the resource embedded in a web page is abnormal, the JavaScript redirection function can be used to check the reality of the access source. A real browser can execute JavaScript to automatically implement redirection without affecting customer experience.
Verification Code Caption Settings
When you set Defense Mode to Verify Code, the protected device automatically pushes a verification code page. You can set the verification code caption.
-
Proxy Detection
Checks whether HTTP requests are sent through the proxy.
If so, the system obtains the real IP address from HTTP packets for defense. The defense against attacks with real IP addresses ensures that normal requests are properly processed and attack traffic is discarded.
You are advised to enable proxy detection if any HTTP proxy exists.
User-defined HTTP Proxy Keyword
Keyword for configuring a custom HTTP proxy.
-
Source Authentication Termination Condition
Attempt Time, Maximum Number of Attempts
Limits the maximum number of HTTP redirection attempts.
After the HTTP source authentication defense is enabled and the number of the authentication attempts of a source IP address exceeds the value of Maximum Number of Attempts within the period specified by Attempt Time, the source IP address is regarded as an attack source and is reported to the ATIC management center. If the dynamic blacklist mode of the Zone is not Close, the ATIC management center automatically adds the IP addresses of attack sources to the dynamic blacklist. For details on how to configure the dynamic blacklist mode, see Configuring a Defense Mode.
Otherwise, the ATIC management center adds the source IP address to the whitelist.
SYN Rate Limiting
Threshold
If the rate of HTTP packets whose source IP addresses succeed in source authentication exceeds Threshold, the device takes limiting.
Limits the number of connections
-
ACK Rate Limiting
Threshold
If the rate of HTTP packets whose source IP addresses succeed in source authentication exceeds Threshold, the device takes limiting.
Limits the rate of HTTP get packets.
-
-
If the interval is smaller than the specified lower limit or greater than the specified upper limit, the anti-DDoS device considers the packet as the first packet and discards it. If the interval is between the lower limit and upper limit, the anti-DDoS device considers the packet as a subsequent packet and permits it.
-
Within the learning cycle, if the number of requests with the same fingerprint and from the same source IP address exceeds Matching Counts, the source IP address is regarded as an attack source and is reported to the ATIC management center. If the dynamic blacklist mode of the Zone is not Close, the ATIC management center automatically adds the IP addresses of attack sources to the dynamic blacklist. For details on how to configure the dynamic blacklist mode, see Configuring a Defense Mode.
- High Frequency Requests Detection
Within the detection period specified by Detection Cycles, if the number of HTTP requests from the same source IP address to the destination IP address in the Zone exceeds the value of Request Times Threshold, the source IP address is regarded as an attack source and is reported to the ATIC management center. If the dynamic blacklist mode of the Zone is not Close, the ATIC management center automatically adds the IP addresses of attack sources to the dynamic blacklist. For details on how to configure the dynamic blacklist mode, see Configuring a Defense Mode.
- Large Resource Detection
Within the detection period specified by Detection Cycles, if the number of HTTP requests from the same source IP address to the destination IP address in the Zone exceeds the value of Request Times Threshold and the percentage of the number of requests in the total number of requests defined by Large Resource Size Threshold exceeds the value of Requests Proportion Threshold, the source IP address is regarded as an attack source and is reported to the ATIC management center. If the dynamic blacklist mode of the Zone is not Close, the ATIC management center automatically adds the IP addresses of attack sources to the dynamic blacklist. For details on how to configure the dynamic blacklist mode, see Configuring a Defense Mode.
- Single URI Detection
Within the detection period specified by Detection Cycles, if the number of HTTP requests from the same source IP address to the destination IP address in the Zone exceeds the value of Request Times Threshold and the proportion of the number of requests to the specified URI to the total number of requests exceeds the value of Requests Proportion Threshold, the source IP address is regarded as an attack source and is reported to the ATIC management center. If the dynamic blacklist mode of the Zone is not Close, the ATIC management center automatically adds the IP addresses of attack sources to the dynamic blacklist. For details on how to configure the dynamic blacklist mode, see Configuring a Defense Mode.
Monitored URI: URIs that need to be monitored when URI detection is used to defend against HTTP flood attacks.
- Abnormal HTTP Connection DefenseWhen the number of concurrent HTTP connections destined for an IP address of the Zone exceeds the value of Concurrent Connection Threshold Of Destination IP, abnormal HTTP connection defense is enabled for this destination IP address.
- HTTP Slow Attack Detection
For parameters, see Table 2.
Table 2 Configuring HTTP slow attack detection Parameter
Description
Total Packet Length
If the total length of consecutive HTTP POST packets is greater than the threshold and the HTTP payload length is less than the threshold, the connection is abnormal.
If the headers of consecutive HTTP GET/POST packets do not have any end flags, the connection is abnormal.
Payload Length
Abnormal Source IP Blocking
Abnormal Packets Threshold
If the number of abnormal packets on a connection exceeds the Abnormal Packets Threshold, the connection is considered as a slow connection, and the source IP address is reported to the ATIC management center as an attack source. If the dynamic blacklist mode of the Zone is not Close, the ATIC management center automatically adds the IP addresses of attack sources to the dynamic blacklist. For details on how to configure the dynamic blacklist mode, see Configuring a Defense Mode.
- Abnormal Connections DetectionFor parameters, see Table 3.
Table 3 Configuring abnormal connections detection Parameter
Description
Null Connections Detection
When there is no method in the HTTP header, it will be an abnormal connection.
Range-header Connections Detection
When there is a range option in the HTTP header, it will be an abnormal connection.
Multiple-Method Connections Detection
When there are multiple methods in the HTTP header, it will be an abnormal connection.
Abnormal Source IP Blocking
Connections Threshold
If the number of abnormal HTTP connections from a source IP address exceeds the threshold within the detection period, the source IP address is reported to the ATIC management center as an attack source. If the dynamic blacklist mode of the Zone is not Close, the ATIC management center automatically adds the IP addresses of attack sources to the dynamic blacklist. For details on how to configure the dynamic blacklist mode, see Configuring a Defense Mode.
Detection Cycles
- HTTP Slow Attack Detection