Edge Security
  • Overview
  • DDoS Protection
    • DDoS Protection Overview
    • Exclusive DDoS Protection Usage
    • Configuration of Exclusive DDoS protection Rules
      • Increase DDoS Protection Level
      • Exclusive DDoS Traffic Alarm
      • Configuration IP blocklist/allowlist
      • Configuration Region Blocking Rule
      • Configuration Port Filtering
      • Configuration Features Filtering
      • Configuration Protocol Blocking Rule
      • Configuration Connections Attack Protection
      • Related References
        • Action
        • Related Concepts Introduction
  • Web Protection
    • Overview
    • Managed rules
    • CC attack defense
    • Custom rule
    • Custom Rate Limiting Rules
    • Exception Rules
    • Managed Custom Rules
    • Web security monitoring alarm
    • Refer
      • Web Protection Request Processing Order
      • Action
      • Match Condition
  • Bot Management
    • Overview
    • Bot Intelligent analysis
    • Bot Basic Feature Management
    • Client Reputation
    • Active Detection
    • Custom Bot Rule
    • Bot Exception Rule
    • Related References
      • Action
  • Rules Template
  • IP and IP Segment Grouping
  • Origin Protection
  • Custom Response Page
  • Alarm Notification
  • SSL/TLS
    • Overview
    • Deploying/Updating SSL Certificate for A Domain Name
    • Configuring A Free Certificate for A Domain Name
    • HTTPS Configuration
      • Forced HTTPS Access
      • Enabling HSTS
      • SSL/TLS Security Configuration
        • Configuring SSL/TLS Security
        • TLS Versions and Cipher Suites
      • Enabling OCSP Stapling

Configuration Connections Attack Protection

Overview

EdgeOne supports protection against connection-based attacks, automatically blocking clients with abnormal connection behavior. After enabling the protection for the maximum number of abnormal connections from the source IP, when the EdgeOne security acceleration platform detects a large number of abnormal connection state packets frequently initiated by the same source IP within a short period, it will add the source IP to the blocklist for punishment, with a blocking time of 15 minutes, and access can be restored after the blocking is lifted.
Note:
This function is only supported when the L4 proxy is enabled for independent DDoS protection, and it is not supported for default platform protection or independent DDoS protection for L7 sites.

Usage Scenarios

To prevent a large number of connections from exhausting the TCP connection resources or network resources of the origin, you can configure connection-based attack protection to protect the origin.

Directions

1. Log in to the EdgeOne console, click on the site list in the left menu bar, click on the site to be configured in the site list, and enter the site details page.
2. On the site details page, click on security protection > DDoS protection to enter the DDoS protection details page.
3. In the L4 proxy protection tab, select the L4 proxy protection instance to be configured, and click on Security configuration.
4. In the connection-based attack protection card, click on set to enter the connection-based attack protection page.



5. In the connection-based attack protection page, click on edit on the right side of the connection rule, and refer to Related references for the description and action of each connection rule.
6. In the configuration rule dialog box, modify the configuration, and click on OK to complete the rule issuance.

Related references

Supported connection rules

Per-IP new connection limit:This rule restricts the new connections from a source IP to prevent TCP connections from being exhausted by attackers.
Per-IP concurrent connection limit:This rule restricts the open simultaneous connections from a source IP to prevent TCP connections from being exhausted by attackers.
Per-IP abnormal connection limit:This rule restricts a source IP that generates many abnormal connections to access the origin.
Global new connection limit:This rule restricts the new connections between EdgeOne and the origin to prevent TCP connections from being exhausted by attackers.
Global concurrent connection limit:This rule restricts the open simultaneous connections between EdgeOne and the origin to prevent TCP connections from being exhausted by attackers.
Global data rate limit:This rule restricts the data rate at which EdgeOne transmits data to the origin to prevent the origin's network and computing resources from being consumed by forged requests from attackers.
Global packet rate limit:This rule restricts the packet rate at which EdgeOne transmits packets to the origin to prevent the origin's network and computing resources from being consumed by forged requests from attackers.

Action

Limit new connections: When under a single source IP rule, reject new connection requests from that IP; under a global policy, reject all new TCP connection requests.
Disconnect and punish: Disconnect the IP connection and block the IP for 15 minutes.
Discard overage data: Discard requests that exceed the data transmission rate or connection packet rate.