
Configuration Features Filtering

Overview

Feature filtering lets you define precise protection policies against malformed-packet attacks or against traffic with known attack features, so that malformed packets are not passed through. EdgeOne supports custom interception policies for features in IP, TCP, and UDP packet headers or payloads. After enabling feature filtering, you can combine source port, destination port, packet length, and IP header or payload matching conditions, and set discard, release, blacklist, and continue protection policy actions for requests that meet the conditions.
Note:
This function is only supported when L4 proxy is enabled for exclusive DDoS protection. Default platform protection and L7 site exclusive DDoS protection do not support this configuration.

Usage Scenarios

After your site is connected to EdgeOne, if you need to manage access requests that have fixed features, you can enable feature filtering for the site and set precise access control rules. A feature filtering rule consists of matching conditions and a matching action.
Matching conditions define the request features to be identified, specifically the attributes of TCP/UDP protocol fields in access requests.
Matching actions define what is done with an access request that hits the matching conditions, including interception, release, discard and blacklist, and continue protection.

Directions

For example: for all business domain names under the site example.com, only TCP service packets with a length not greater than 512 bytes are allowed through, and all requests that do not meet this feature are intercepted. The operation steps are as follows:
1. Log in to the EdgeOne console, click Site List in the left menu bar, and click the site to be configured to enter the site details page.
2. On the site details page, click Security Protection > DDoS Protection to enter the DDoS Protection details page.
3. In the L4 proxy protection tab, select the L4 proxy protection instance to be configured and click Security configuration.
4. In the feature filtering card, click Set to enter the feature filtering page.
5. On the feature filtering page, click Create.
6. In the new feature filtering dialog box, create a feature filtering rule: select the protection action you need, fill in the relevant fields, and click OK.

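The explanations of each feature field are as follows:

| Filter feature | Explanation | Other parameters |
|---|---|---|
| Source Port | Refers to the access source port. Supports input of port numbers in the range of 1-65535. Supports logical equal or between. | / |
| Target Port | Refers to the access target port. Supports input of port numbers in the range of 1-65535. Supports logical equal or between. | / |
| Package Length | Refers to the length of the access message data package. Supports input of numbers in the range of 1-1500. Supports logical equal or between. | / |
| IP Header Start Detection | Supports regex matching or keyword matching, where keywords are matched by offset and check depth. | Offset: The offset of the data body (payload) after the UDP or TCP header, optional range: 0~1500, unit: Byte. When the offset is 0, the match starts from the first byte of the data body. Check depth: The content of the data body (payload) to be matched; enter a hexadecimal string starting with 0x. |
| TCP/UDP Header Start Detection | Supports regex matching or keyword matching, where keywords are matched by offset and check depth. | Offset: The offset of the data body (payload) after the UDP or TCP header, optional range: 0~1500, unit: Byte. When the offset is 0, the match starts from the first byte of the data body. Check depth: The content of the data body (payload) to be matched; enter a hexadecimal string starting with 0x. |
| Payload Start Detection | Refers to skipping the IP header and TCP/UDP header and starting detection from the payload carried by the message. Supports regex matching or keyword matching, where keywords are matched by offset and check depth. | Offset: The offset of the data body (payload) after the UDP or TCP header, optional range: 0~1500, unit: Byte. When the offset is 0, the match starts from the first byte of the data body. Check depth: The content of the data body (payload) to be matched; enter a hexadecimal string starting with 0x. |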
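
To check a rule set against sample traffic before entering it in the console, the field semantics above can be modelled offline. This is an added example, not EdgeOne code or its API: it expresses the "TCP packets not greater than 512 bytes" policy using only the equal/between operators, plus a keyword rule matched at a payload offset. The names `Rule`, `evaluate` and `pkt`, the protocol field, the action labels, first-match ordering and exact-at-offset keyword matching are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Range = Tuple[int, int]  # inclusive bounds; "equal" is (n, n), "between" is (lo, hi)

@dataclass
class Rule:
    action: str                       # assumed labels: discard, release, discard_and_blacklist, continue
    protocol: str                     # "tcp" or "udp" (assumed field)
    src_port: Optional[Range] = None  # 1-65535
    dst_port: Optional[Range] = None  # 1-65535
    length: Optional[Range] = None    # 1-1500
    offset: int = 0                   # bytes into the payload, 0-1500
    keyword: Optional[str] = None     # hex string starting with 0x

    def __post_init__(self):
        limits = ((self.src_port, 65535), (self.dst_port, 65535), (self.length, 1500))
        for rng, top in limits:
            if rng and not 1 <= rng[0] <= rng[1] <= top:
                raise ValueError(f"range {rng} is outside 1-{top}")
        if not 0 <= self.offset <= 1500:
            raise ValueError("offset must be within 0-1500")
        if self.keyword is not None and not self.keyword.startswith("0x"):
            raise ValueError("keyword must be a hex string starting with 0x")
        self.needle = bytes.fromhex(self.keyword[2:]) if self.keyword else b""

    def matches(self, pkt: dict) -> bool:
        if pkt["proto"] != self.protocol:
            return False
        fields = ((self.src_port, "sport"), (self.dst_port, "dport"), (self.length, "length"))
        for rng, key in fields:
            if rng and not rng[0] <= pkt[key] <= rng[1]:
                return False
        window = pkt["payload"][self.offset:self.offset + len(self.needle)]
        return window == self.needle  # an empty needle always matches

def evaluate(rules, pkt, default="continue"):
    """Return the action of the first matching rule (assumed ordering)."""
    return next((r.action for r in rules if r.matches(pkt)), default)

# "Not greater than 512" has no operator of its own, so discard the complement range.
RULES = [
    Rule("discard", "tcp", length=(513, 1500)),
    Rule("discard_and_blacklist", "udp", dst_port=(8000, 8100), offset=4, keyword="0xdeadbeef"),
]

def pkt(proto, length, payload=b"", sport=40000, dport=8000):
    """Build a constructed sample packet as a plain dict."""
    return {"proto": proto, "sport": sport, "dport": dport, "length": length, "payload": payload}
```

Packets that match no rule fall through to `continue` here, so a 512-byte TCP packet is still subject to the remaining protection layers rather than being released outright.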