Anti-DDoS. User Guide. Issue 05 Date

Transcription

1 Issue 05 Date

2 Contents Contents 1 Introduction Functions Application Scenarios Accessing and Using Anti-DDoS How to Access Anti-DDoS How to Use Anti-DDoS Related Services Operation Guide Enabling Anti-DDoS Defense Enabling Alarm Notification Adjusting Security Settings Viewing a Monitoring Report Viewing an Interception Report Disabling Anti-DDoS Defense FAQs What Is Anti-DDoS? How Do I Use Anti-DDoS? What Services Can I Use Anti-DDoS In? What Kinds of Attacks Does Anti-DDoS Defend Against? Will I Be Promptly Notified When an Attack Is Detected? A Change History B Glossary Issue 05 ( ) ii

3 1 Introduction 1 Introduction 1.1 Functions The Anti-DDoS traffic cleaning service (Anti-DDoS for short) is a network security service that defends IP addresses against distributed denial of service (DDoS) attacks. Anti-DDoS monitors traffic, in real time, directed to specified IP addresses and detects access traffic at network egresses to discover DDoS attacks as soon as possible. It then cleans abnormal traffic according to user-configured defense policies so that services run as normal. In addition, monitoring reports are generated, presenting users with clear network security evaluations. Anti-DDoS provides the following functions: Providing defense against the following attacks: SYN flood, challenge collapsar (CC), slow HTTP, UDP flood, ACK flood, and TCP attacks Providing monitoring records for each IP address, including the current defense status, current defense configurations, and the last 24 hours' traffic and abnormalities Generating interception reports for all defended IP addresses of a user. Statistics over the last four weeks can be queried, including the number of cleaning events, cleaned traffic, the weekly top 10 most frequently attacked Elastic Cloud Servers (ECSs), and total number of intercepted attacks. 1.2 Application Scenarios Anti-DDoS offers defense against DDoS attacks only for ECSs and Elastic Load Balance (ELB) services on the public cloud. Anti-DDoS devices are deployed at egresses of equipment rooms. Figure 1-1 shows the network topology. The detection center detects network access traffic according to user-configured security policies. If an attack is detected, data is diverted to cleaning devices for real-time defense. Abnormal traffic is cleaned, and normal traffic is forwarded. Issue 05 ( ) 1

4 1 Introduction Figure 1-1 Network topology 1.3 Accessing and Using Anti-DDoS How to Access Anti-DDoS The public cloud provides a web-based service management platform. You can access Anti- DDoS using HTTPS-compliant APIs or the management console. API You can access Anti-DDoS using APIs. For details, see the Anti-DDoS API Reference. Management console You can log in to the management console to perform other required operations on Anti- DDoS. If you have registered a public cloud account, log in to the management console and choose Anti-DDoS on the homepage How to Use Anti-DDoS Anti-DDoS allows you to: Enable Anti-DDoS defense for IP addresses, which defends them against DDoS attacks. Enable alarm notification, which sends notifications through SMSs or s when an IP address is under a DDoS attack. Adjust security settings based on service needs during defense. Issue 05 ( ) 2

5 1 Introduction View monitoring and interception reports after the defense is enabled to check network security situations. Disable Anti-DDoS defense Related Services ECS and ELB Anti-DDoS offers defense against DDoS attacks for ECSs and ELB services. CTS NOTE ECS is a computing server that consists of CPUs, memory, images, and Elastic Volume Service (EVS) disks and that allows on-demand allocation and elastic scaling. For more information, see the Elastic Cloud Server. ELB is a service that automatically distributes access traffic to multiple ECSs to balance their service load. ELB enables you to achieve higher levels of fault tolerance in your applications and expand application service capabilities. For more information, see the Elastic Load Balance User Guide. Cloud Trace Service (CTS) provides you with a history of Anti-DDoS operations. After enabling the CTS service, you can view all generated traces to review and audit performed Anti-DDoS operations. For details, see the Cloud Trace Service. Table 1-1 Anti-DDoS operations that CTS supports Operation Resource Type Trace Name Enabling Anti-DDoS defense EIP enabledefense Disabling Anti-DDoS defense EIP disabledefense Adjusting Anti-DDoS security settings EIP modifydefense Enabling Anti-DDoS defense ELB enabledefense Disabling Anti-DDoS defense ELB disabledefense Adjusting Anti-DDoS security settings ELB modifydefense IAM Identity and Access Management (IAM) provides the authentication function for Anti-DDoS. Issue 05 ( ) 3

6 2 Operation Guide 2 Operation Guide 2.1 Enabling Anti-DDoS Defense Enabling Anti-DDoS defense for an IP address automatically defends it against DDoS attacks. Step 1 Step 2 Step 3 Log in to the management console. Choose Security > Anti-DDoS. The Anti-DDoS service management page is displayed. Choose Anti-DDoS > Instance List, locate the row containing the instance IP address for which you want to enable defense, and click Enable Defense, as shown in Figure 2-1. Figure 2-1 Enabling defense Step 4 On the Enable Defense page, configure parameters as prompted. Table 2-1 describes the parameters, and Figure 2-2 shows the page. Issue 05 ( ) 4

7 2 Operation Guide Figure 2-2 Configuring defense parameters Table 2-1 Parameter description Parameter Maximum Service Traffic Description Total traffic detected by Anti-DDoS, including TCP traffic and UDP traffic Set this parameter based on the actual service access traffic. You are advised to set a value close to, but not exceeding, the purchased bandwidth. The value of this parameter is not the threshold that triggers Anti-DDoS. Different attack types have different thresholds. If service traffic triggers Anti-DDoS, only attack traffic is intercepted. If service traffic does not trigger Anti-DDoS, no traffic is intercepted. Issue 05 ( ) 5

8 2 Operation Guide Parameter CC Defense Description Disable: Disable the defense. Enable: Enable the defense. NOTE CC defense is available only for clients supporting the full HTTP protocol stack because CC defense works in redirection or redirection+verification code mode. If your client does not support the full HTTP protocol stack, you are advised to disable CC defense. HTTP Request Rate: This option is available only when CC defense is enabled. You are advised to set this value to the maximum number of HTTP requests that can be processed by a deployed service. Anti-DDoS automatically cleans traffic if the total number of detected requests exceeds this threshold. If the value is too large, CC defense will not be triggered promptly. If the actual HTTP request rate is lower than the configured value, the deployed service is able to process all HTTP requests, and Anti-DDoS does not need to be involved. If the actual HTTP request rate is equal to or higher than the configured value, Anti-DDoS triggers CC defense to analyze and check each request, which affects responses to normal requests. Step 5 Click OK to save the configurations and enable defense. ----End 2.2 Enabling Alarm Notification The alarm notification function sends you alarm notifications (by SMS or ) if a DDoS attack is detected. If you do not enable this function, you have to log in to the management console to view alarms. Step 1 Step 2 Step 3 Step 4 Log in to the management console. Choose Security > Anti-DDoS. The Anti-DDoS service management page is displayed. Click Alarm Notification, and select Enable for Anti-DDoS Alarm Notification on the displayed page. Select a group to send alarms to. If you need to create a group, click Create Group and set information about the group, as shown in Figure 2-3. On the Create Group page, click Add in Send To to add addresses or mobile phone numbers to receive alarms. Issue 05 ( ) 6

9 2 Operation Guide NOTE You can click click: to go to the group management page. On the group management page, you can Create Group in the upper left corner to create groups Modify of a group to modify its information Delete of a group to delete it Name: Enter a name for the group. The name length ranges from 1 to 256 characters. It can contain only letters, digits, underscores (_), and hyphens (-) and must start with a letter or digit. address: Enter addresses that you want to send notifications to. Phone number: Enter phone numbers that you want to send notifications to. Figure 2-3 Creating a group Step 5 Click OK to enable alarm notification. ----End 2.3 Adjusting Security Settings You can adjust security settings after Anti-DDoS defense is enabled. Step 1 Step 2 Step 3 Log in to the management console. Choose Security > Anti-DDoS. The Anti-DDoS service management page is displayed. Choose Anti-DDoS > Instance List, locate the row containing the instance IP address for which you want to modify security settings, and click Security Settings. The Security Settings page is displayed. Issue 05 ( ) 7

10 2 Operation Guide Figure 2-4 Instance list Step 4 On the Security Settings page, modify necessary parameters, as shown in Figure 2-5. Table 2-2 describes the parameters. Figure 2-5 Security Settings Table 2-2 Parameter description Parameter Maximum Service Traffic Description Total traffic detected by Anti-DDoS, including TCP traffic and UDP traffic Set this parameter based on the actual service access traffic. You are advised to set a value close to, but not exceeding, the purchased bandwidth. The value of this parameter is not the threshold that triggers Anti-DDoS. Different attack types have different thresholds. If service traffic triggers Anti-DDoS, only attack traffic is intercepted. If service traffic does not trigger Anti-DDoS, no traffic is intercepted. Issue 05 ( ) 8

11 2 Operation Guide Parameter CC Defense Description Disable: Disable the defense. Enable: Enable the defense. NOTE CC defense is available only for clients supporting the full HTTP protocol stack because CC defense works in redirection or redirection+verification code mode. If your client does not support the full HTTP protocol stack, you are advised to disable CC defense. HTTP Request Rate: This option is available only when CC defense is enabled. You are advised to set this value to the maximum number of HTTP requests that can be processed by a deployed service. Anti-DDoS automatically cleans traffic if the total number of detected requests exceeds this threshold. If the value is too large, CC defense will not be triggered promptly. If the actual HTTP request rate is lower than the configured value, the deployed service is able to process all HTTP requests, and Anti-DDoS does not need to be involved. If the actual HTTP request rate is equal to or higher than the configured value, Anti-DDoS triggers CC defense to analyze and check each request, which affects responses to normal requests. Step 5 Click OK to save the settings. ----End 2.4 Viewing a Monitoring Report This section describes how to view the monitoring report of an instance IP address. This report includes the current defense status, current defense configurations, and the last 24 hours' traffic and abnormalities. Step 1 Step 2 Step 3 Log in to the management console. Choose Security > Anti-DDoS. The Anti-DDoS service management page is displayed. Choose Anti-DDoS > Instance List, locate the row containing the instance IP address whose monitoring details you want to view, and click the instance IP address or View Monitoring Report, as shown in Figure 2-6. Figure 2-6 Viewing a monitoring report Step 4 On the Monitoring Report page, view monitoring details about the IP address, as shown in Figure 2-7. You can view information such as the current defense status, current defense configurations, traffic within 24 hours, and abnormalities within 24 hours. Issue 05 ( ) 9

12 2 Operation Guide A 24-hour defense traffic chart is generated from data points taken in five-minute intervals. It includes the following information: Traffic: displays the traffic status of the selected ECS, including the incoming attack traffic and normal traffic. Packet rate: displays the packet rate data of the selected ECS, including the attack packet rate and normal incoming packet rate. Attack event list within one day: records DDoS attacks on the ECS within one day, including cleaning events and black hole events. Figure 2-7 Monitoring report ----End 2.5 Viewing an Interception Report This section describes how to view defense statistics, including the number of cleaning events, cleaned traffic, weekly top 10 most frequently attacked ECSs, and total number of intercepted attacks, of all instance IP addresses of a user. Step 1 Step 2 Step 3 Log in to the management console. Choose Security > Anti-DDoS. The Anti-DDoS service management page is displayed. Choose Anti-DDoS > Security Report to view defense statistics about all IP addresses of a user, as shown in Figure 2-8. You can view the weekly security report generated on a specific date. Currently, statistics, including the number of cleaning events, cleaned traffic, weekly top 10 most frequently attacked ECSs, and total number of intercepted attacks, over the past four weeks can be queried. Issue 05 ( ) 10

13 2 Operation Guide Figure 2-8 Interception report ----End 2.6 Disabling Anti-DDoS Defense You can disable Anti-DDoS defense. Step 1 Step 2 Step 3 Log in to the management console. Choose Security > Anti-DDoS. The Anti-DDoS service management page is displayed. Choose Anti-DDoS > Instance List, locate the row containing the instance IP address for which you want to disable defense, and click Disable Defense, as shown in Figure 2-9. Figure 2-9 Disabling defense Step 4 In the warning dialog box that is displayed, click OK to disable defense for the IP address. ----End Issue 05 ( ) 11

14 3 FAQs 3 FAQs 3.1 What Is Anti-DDoS? The Anti-DDoS traffic cleaning service (Anti-DDoS for short) is a network security service that defends IP addresses against DDoS attacks. Anti-DDoS monitors traffic, in real time, directed to specified IP addresses and detects access traffic at network egresses to discover DDoS attacks as soon as possible. It then cleans abnormal traffic according to user-configured defense policies so that services run as normal. In addition, monitoring reports are generated, presenting users with clear network security evaluations. 3.2 How Do I Use Anti-DDoS? Anti-DDoS works automatically after you enable Anti-DDoS defense for IP addresses. Step 1 Step 2 Step 3 Log in to the management console. Choose Security > Anti-DDoS. The Anti-DDoS service management page is displayed. Choose Anti-DDoS > Instance List, locate the row containing the instance IP address for which you want to enable defense, and click Enable Defense, as shown in Figure 3-1. Figure 3-1 Enabling defense Step 4 On the Enable Defense page, configure parameters as prompted. Table 3-1 describes the parameters, and Figure 3-2 shows the page. Issue 05 ( ) 12

15 3 FAQs Figure 3-2 Configuring defense parameters Table 3-1 Parameter description Parameter Maximum Service Traffic Description Total traffic detected by Anti-DDoS, including TCP traffic and UDP traffic Set this parameter based on the actual service access traffic. You are advised to set a value close to, but not exceeding, the purchased bandwidth. The value of this parameter is not the threshold that triggers Anti-DDoS. Different attack types have different thresholds. If service traffic triggers Anti-DDoS, only attack traffic is intercepted. If service traffic does not trigger Anti-DDoS, no traffic is intercepted. Issue 05 ( ) 13

16 3 FAQs Parameter CC Defense Description Disable: Disable the defense. Enable: Enable the defense. NOTE CC defense is available only for clients supporting the full HTTP protocol stack because CC defense works in redirection or redirection+verification code mode. If your client does not support the full HTTP protocol stack, you are advised to disable CC defense. HTTP Request Rate: This option is available only when CC defense is enabled. You are advised to set this value to the maximum number of HTTP requests that can be processed by a deployed service. Anti-DDoS automatically cleans traffic if the total number of detected requests exceeds this threshold. If the value is too large, CC defense will not be triggered promptly. If the actual HTTP request rate is lower than the configured value, the deployed service is able to process all HTTP requests, and Anti-DDoS does not need to be involved. If the actual HTTP request rate is equal to or higher than the configured value, Anti-DDoS triggers CC defense to analyze and check each request, which affects responses to normal requests. Step 5 Click OK to save the configurations and enable defense. ----End 3.3 What Services Can I Use Anti-DDoS In? Anti-DDoS supports traffic cleaning only for ECSs and ELB services. 3.4 What Kinds of Attacks Does Anti-DDoS Defend Against? Anti-DDoS provides defense against the following attacks: SYN flood, CC, slow HTTP, UDP flood, ACK flood, and TCP attacks 3.5 Will I Be Promptly Notified When an Attack Is Detected? Yes, if you enable alarm notification. Log in to the console and choose Anti-DDoS > Alarm Notification to enable the alarm notification function, which enables you to receive alarms (by SMS or ) if a DDoS attack is detected. Issue 05 ( ) 14

17 A Change History A Change History Released On Description This is the fifth official release. Added chapter Glossary This is the fourth official release. Added section Accessing and Using Anti-DDoS This is the third official release. Optimized the alarm notification page: modified section Enabling Alarm Notification. Optimized the policy of using the traffic limiting threshold: Deleted the limit on the use of Anti-DDoS in section Application Scenarios. Deleted section "What Restrictions Does Anti- DDoS Have?" This is the second official release. Optimized parameters for enabling defense: Added parameter Maximum Service Traffic to replace parameter Request traffic per Second. Added parameter HTTP Request Rate to replace parameter HTTP requests per Second. Deleted parameter Single Source IP Address Connections This is the first official release. Issue 05 ( ) 15

18 B Glossary B Glossary For details about the terms involved in this document, see Glossary. Issue 05 ( ) 16