Configuration Connections Attack Protection
Overview
EdgeOne supports protection against connection-based attacks, automatically blocking clients with abnormal connection behavior. After enabling the protection for the maximum number of abnormal connections from the source IP, when the EdgeOne security acceleration platform detects a large number of abnormal connection state packets frequently initiated by the same source IP within a short period, it will add the source IP to the blocklist for punishment, with a blocking time of 15 minutes, and access can be restored after the blocking is lifted.
Note:
This function is only supported when the L4 proxy is enabled for independent DDoS protection, and it is not supported for default platform protection or independent DDoS protection for L7 sites.
Usage Scenarios
To prevent a large number of connections from exhausting the TCP connection resources or network resources of the origin, you can configure connection-based attack protection to protect the origin.
Directions
1. Log in to the EdgeOne console, click on the site list in the left menu bar, click on the site to be configured in the site list, and enter the site details page.
2. On the site details page, click on security protection > DDoS protection to enter the DDoS protection details page.
3. In the L4 proxy protection tab, select the L4 proxy protection instance to be configured, and click on Security configuration.
4. In the connection-based attack protection card, click on set to enter the connection-based attack protection page.
5. In the connection-based attack protection page, click on edit on the right side of the connection rule, and refer to Related references for the description and action of each connection rule.
6. In the configuration rule dialog box, modify the configuration, and click on OK to complete the rule issuance.
Related references
Supported connection rules
Per-IP new connection limit:This rule restricts the new connections from a source IP to prevent TCP connections from being exhausted by attackers.
Per-IP concurrent connection limit:This rule restricts the open simultaneous connections from a source IP to prevent TCP connections from being exhausted by attackers.
Per-IP abnormal connection limit:This rule restricts a source IP that generates many abnormal connections to access the origin.
Global new connection limit:This rule restricts the new connections between EdgeOne and the origin to prevent TCP connections from being exhausted by attackers.
Global concurrent connection limit:This rule restricts the open simultaneous connections between EdgeOne and the origin to prevent TCP connections from being exhausted by attackers.
Global data rate limit:This rule restricts the data rate at which EdgeOne transmits data to the origin to prevent the origin's network and computing resources from being consumed by forged requests from attackers.
Global packet rate limit:This rule restricts the packet rate at which EdgeOne transmits packets to the origin to prevent the origin's network and computing resources from being consumed by forged requests from attackers.
Action
Limit new connections: When under a single source IP rule, reject new connection requests from that IP; under a global policy, reject all new TCP connection requests.
Disconnect and punish: Disconnect the IP connection and block the IP for 15 minutes.
Discard overage data: Discard requests that exceed the data transmission rate or connection packet rate.