The defense policies for HTTPS services cover defense.
When the rate of HTTPS packets sent to the destination IP address exceeds the value of Packet Rate Threshold Of Destination IP, the system enables TLS encryption attack defense for the destination IP address.
If the defense mode of the Zone is automatic, the system starts defense automatically. If the defense mode is manual, the administrator needs to confirm and start the defense manually. For details on how to configure the defense mode, see Configuring a Defense Mode.
Source IP address challenge authentication is performed on the source IP address. Suspicious Source Challenge performs challenge authentication on suspicious source IP addresses whose HTTPS packet rate is greater than the value of Threshold.
Within the period specified by Detection Cycles, if the number of HTTPS requests from the same source IP address to the Zone is greater than the value of Request Times Threshold, the source IP address is added to the blacklist and an anomaly event is reported to the ATIC management center. If the dynamic blacklist of the Zone is not Close, the system automatically adds the IP addresses of attack sources to the dynamic blacklist. For details on how to configure the dynamic blacklist mode, see Configuring a Defense Mode.
Within the period specified by Detection Cycles, if the number of requests from the same source IP address to the Zone is greater than the value of Request Times Threshold and the percentage of the number of requests for fixed resources in the total number of requests is greater than the value of Requests Proportion Threshold, the source IP address is added to the blacklist and an anomaly event is reported to the ATIC management center. If the dynamic blacklist of the Zone is not Close, the system automatically adds the IP addresses of attack sources to the dynamic blacklist. For details on how to configure the dynamic blacklist mode, see Configuring a Defense Mode.
Within the period specified by Detection Cycles, if the number of requests from the same source IP address to the Zone is greater than the value of Request Times Threshold and the percentage of the number of requests for large resources (defined by Large Resource Size Threshold) in the total number of requests is greater than the value of Requests Proportion Threshold, the source IP address is added to the blacklist and an anomaly event is reported to the ATIC management center. If the dynamic blacklist of the Zone is not Close, the system automatically adds the IP addresses of attack sources to the dynamic blacklist. For details on how to configure the dynamic blacklist mode, see Configuring a Defense Mode.
When the number of concurrent HTTPS connections to the destination IP address is greater than the value of Concurrent Connection Threshold Of Destination IP (Connection), the system enables TLS session attack defense for the destination IP address.
Within the period specified by Abnormal Session Check Interval, if the number of abnormal sessions is greater than the value of Maximum Number of Abnormal Sessions, the source IP address is considered abnormal and added to the blacklist. If the dynamic blacklist of the Zone is not Close, the system automatically adds the IP addresses of attack sources to the dynamic blacklist. For details on how to configure the dynamic blacklist mode, see Configuring a Defense Mode.
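The three request-based checks above (Request Times Threshold alone, plus the fixed-resource and large-resource proportion checks), evaluated over one Detection Cycle. This is an added example, not the product's implementation. It assumes per-request records of source IP, URI and response size are available, that each defense item has its own thresholds, and that a "fixed resource" is the URI a source requests most often; all values and addresses are constructed.

```python
from collections import Counter, defaultdict

# Constructed thresholds; keys mirror the parameter names used on this page.
# Giving each defense item its own values is an assumption of this sketch.
POLICY = {
    "request_rate":   {"request_times": 20},
    "fixed_resource": {"request_times": 5, "proportion_pct": 80},
    "large_resource": {"request_times": 5, "proportion_pct": 80,
                       "large_size": 1_000_000},  # bytes, assumed unit
}

def evaluate_cycle(requests, dynamic_blacklist_closed=False, policy=POLICY):
    """Evaluate one Detection Cycle of (src_ip, uri, size) tuples.

    Returns (anomalies, blacklist): anomalies maps each offending source to
    the items it tripped; blacklist is empty when the Zone's dynamic
    blacklist is Close.
    """
    by_src = defaultdict(list)
    for src, uri, size in requests:
        by_src[src].append((uri, size))

    anomalies = {}
    for src, reqs in by_src.items():
        total = len(reqs)
        hits = []
        if total > policy["request_rate"]["request_times"]:
            hits.append("request_rate")
        fixed = policy["fixed_resource"]
        # Assumption: a "fixed resource" is the URI this source requests most.
        top = Counter(uri for uri, _ in reqs).most_common(1)[0][1]
        if total > fixed["request_times"] and 100 * top > fixed["proportion_pct"] * total:
            hits.append("fixed_resource")
        large = policy["large_resource"]
        big = sum(1 for _, size in reqs if size > large["large_size"])
        if total > large["request_times"] and 100 * big > large["proportion_pct"] * total:
            hits.append("large_resource")
        if hits:
            anomalies[src] = hits
    blacklist = set() if dynamic_blacklist_closed else set(anomalies)
    return anomalies, blacklist

# Constructed sample traffic for one cycle (documentation address ranges).
SAMPLE = (
    [("198.51.100.7", "/login", 900)] * 9 + [("198.51.100.7", "/", 500)]
    + [("203.0.113.9", "/dl/big.iso", 5_000_000)] * 6
    + [("192.0.2.4", f"/page/{i}", 2_000) for i in range(8)]
)
```

In the sample, the source browsing eight different pages stays below every proportion threshold, while the two low-volume sources that hammer one URI or pull only large files are flagged even though neither exceeds the plain request-count threshold.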