Edge Security

DDoS and Web Protection
- Overview
- DDoS Protection
  - DDoS Protection Overview
  - Exclusive DDoS Protection Usage
  - Configuration of Exclusive DDoS protection Rules
    - Increase DDoS Protection Level
    - Configuration IP blocklist/allowlist
    - Configuration Region Blocking Rule
    - Configuration Port Filtering
    - Configuration Features Filtering
    - Configuration Protocol Blocking Rule
    - Configuration Connections Attack Protection
    - Exclusive DDoS Traffic Alarm
    - Related References
      - DDoS Protection Processing Order
      - Action
      - Related Concepts Introduction
  - Related References
    - DDoS Protection Console Update (2026-01-12)
- Web Protection
  - Overview
  - Configuring Web Protection Policy
  - Custom rule
  - Rate Limiting
    - Bandwidth Abuse Protection
    - CC attack defense
    - Custom Rate Limiting Rules
  - Hosting Rules
    - Managed rules
    - High-Frequency Scan Protection
  - Exception Rules
  - Managed Custom Rules
  - Web security monitoring alarm
  - Related References
    - Web Protection Request Processing Order
    - Action
    - Match Condition
- Bot Management
  - Overview
  - AI Crawler Control
  - Bot Intelligent analysis
  - Bot Basic Feature Management
  - Client Reputation
  - Active Detection
  - Custom Bot Rule
  - Client authentication (Beta)
    - Overview
    - Attestation Flow
    - Integration Guidelines
      - Step 1: Configure Authentication Method
      - Step 2: Integrate Client Authentication
        Browser & WebView Integration
        iOS Integration
        iOS Integration
        Mobile Integration References
      - Step 3: Configure Client Attestation Rules
      - Step 4: Verify Client Attestation
  - Related References
    - Action
- API Discovery（Beta）

Configuration Port Filtering

Function Description
Port filtering is used to precisely formulate protection strategies by specifying ports and protocols, controlling the ports and protocols that clients can access EdgeOne. After enabling port filtering, you can customize the combination of protocol type, source port range, and destination port range according to your needs, and set the strategy actions of intercepting, allowing, and continuing protection for the matched rules.
Note：
This function is only supported when L4 proxy instance is set to Advanced Protection or Ultimate Protection, and configuration is not allowed in all other scenarios.
Usage Scenarios
The origin has UDP business, and UDP reflection attack is filtered through port filtering: If your current origin business has UDP connections and cannot directly block UDP protocol access, you can configure the UDP access port that needs to be intercepted during DDoS washing in port filtering to prevent the transparent transmission of UDP reflection attacks. Common UDP reflection attack ports include: 1-52, 54-161, 389, 1900, 11211.
Wash non-allowed port access sources: When your origin only opens specified ports for access, you can configure the ports that are allowed to be accessed after DDoS washing through port filtering, and directly discard all access connections from other ports to reduce attack penetration.
Operation Steps
For example, for all business domain names under the site example.com, the business only opens TCP protocol ports 110-155 to the outside, and other ports are not allowed to access. The operation steps are as follows:
1. Log in to the Tencent Cloud EdgeOne console, enter Service Overview in the left menu bar, and click the site to be configured under Website Security Acceleration.
2. On the site details page, click L4 Proxy > L4 Instance List to access the L4 Proxy List page.
3. Select the L4 proxy instance to be configured and click Protection Policy Configuration.
4. In the port filtering card, click on Set to enter the port filtering page.
﻿
﻿
﻿
5. In the port filtering page, click on Create to create a port filtering rule. In this scenario, create two rules, intercept all protocols and select TCP protocol, fill in the source port range 1-65535, and fill in the destination port range 10-155 ports, select different protection actions and fill in the relevant fields, and click Save.
﻿
﻿
﻿
Field
Description
Protocol
Optional all, TCP or UDP protocol
Source port range
Refers to the port information of the client initiating the access, supporting the filling range: 1-65535
Destination port range
Refers to the destination port information of the client access, supporting the filling range: 1-65535
Action
Intercept: block the request.
Allow: release the request and no longer match the remaining protection strategies.
Continue protection: release the current request and continue to match the remaining protection strategies.
﻿

Function Description
Usage Scenarios
Operation Steps

Field	Description
Protocol	Optional all, TCP or UDP protocol
Source port range	Refers to the port information of the client initiating the access, supporting the filling range: 1-65535
Destination port range	Refers to the destination port information of the client access, supporting the filling range: 1-65535
Action	Intercept: block the request. Allow: release the request and no longer match the remaining protection strategies. Continue protection: release the current request and continue to match the remaining protection strategies.