Configuration Features Filtering
Overview
Feature filtering lets you define precise protection policies against malformed-packet attacks or traffic with known attack features, so that malformed packets are not passed through. EdgeOne supports custom interception policies based on features in IP, TCP, and UDP packet headers or payloads. After enabling feature filtering, you can combine matching conditions on source port, destination port, packet length, and IP header or payload content, and set a policy action of discard, release, blacklist, or continue protection for requests that meet the conditions.
Note:
This feature is supported only for exclusive DDoS protection with L4 proxy enabled. Default platform protection and exclusive DDoS protection for L7 sites do not support this configuration.
Usage Scenarios
After your site is connected to EdgeOne, if you need to manage access requests that have fixed features, you can enable feature filtering for the site and set precise access control rules. A feature filtering access control rule consists of matching conditions and matching actions.
Matching conditions define the request features to be identified, specifically the attribute features of TCP/UDP protocol fields in access requests.
Matching actions define what is done with access requests that hit the matching conditions, including interception, release, discard and blacklist, and continue protection.
Directions
For example: for all business domain names under the site example.com, only TCP business packets with a length not greater than 512 bytes are open to the public, and all requests that do not meet this feature are intercepted. The operation steps are as follows:
1. Log in to the EdgeOne console, click on the site list in the left menu bar, click on the site to be configured in the site list, and enter the site details page.
2. On the site details page, click Security Protection > DDoS Protection to enter the DDoS Protection details page.
3. In the L4 proxy protection tab, select the L4 proxy protection instance to be configured and click on Security configuration.
4. In the feature filtering card, click Set to enter the feature filtering page.
5. In the feature filtering page, click Create.
6. In the new feature filtering dialog box, create a feature filtering rule: select a protection action as needed, fill in the relevant fields, and click OK.
The explanations of each feature field are as follows:
Filter feature | Explanation | Other parameters |
Source Port | Refers to the access source port. Supports input of port numbers in the range of 1-65535. Supports logical equal or between. | / |
Target Port | Refers to the access target port. Supports input of port numbers in the range of 1-65535. Supports logical equal or between. | |
Package Length | Refers to the length of the access message data package. Supports input of numbers in the range of 1-1500. Supports logical equal or between. | |
IP Header Start Detection | Supports keyword matching, where keywords are matched by offset and check depth. | Offset: The offset of the data body (payload) after the UDP or TCP header, optional range: 0~1500, unit: Byte. When the offset is 0, the match starts from the first byte of the data body. Payload Content: The content of the payload to be matched. You can directly input a string (such as hello) or a hexadecimal string starting with \x (such as \x1A2B3C4D). Inspection Depth: The string length of the payload content plus the offset. (For example, if the offset is 1 and the string length is 6, then the depth is 7.) |
TCP/UDP Header Start Detection | Supports keyword matching, where keywords are matched by offset and check depth. | |
Payload Start Detection | Refers to skipping the IP header and TCP/UDP header and starting detection from the payload carried by the message. Supports keyword matching, where keywords are matched by offset and check depth. | |
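The Offset, Payload Content and Inspection Depth fields in the table can be checked locally against sample traffic before a rule is created. The following Python is an added example, not EdgeOne code: the function names are hypothetical, and it assumes that a \x value is a single run of hex digits counted in decoded bytes and that the keyword must sit exactly between the offset and the inspection depth.

```python
# Added illustration: a local model of the table's matching fields, not EdgeOne code.
import string


def parse_payload_content(text: str) -> bytes:
    """Convert a 'Payload Content' value into the bytes to look for.

    Assumption: a value starting with \\x is one run of hex digits, as in
    the page's \\x1A2B3C4D; any other value is taken as a literal string.
    """
    if text.startswith("\\x"):
        digits = text[2:]
        if not digits or len(digits) % 2 or set(digits) - set(string.hexdigits):
            raise ValueError("expected an even number of hex digits after \\x")
        return bytes.fromhex(digits)
    return text.encode("ascii")


def inspection_depth(offset: int, content: str) -> int:
    """Inspection depth = offset + length of the content, as the table states.

    Assumption: for a hex value the length is counted in decoded bytes.
    """
    if not 0 <= offset <= 1500:
        raise ValueError("offset must be within 0~1500 bytes")
    return offset + len(parse_payload_content(content))


def payload_matches(payload: bytes, offset: int, content: str) -> bool:
    """Assumption: the keyword must occupy exactly bytes [offset, depth)."""
    depth = inspection_depth(offset, content)
    if depth > len(payload):  # packet too short to contain the keyword
        return False
    return payload[offset:depth] == parse_payload_content(content)


# Constructed sample payloads (the bytes after the TCP/UDP header).
SAMPLES = [
    (b"\x00status ok", 1, "status"),          # keyword at offset 1
    (b"status ok", 1, "status"),              # keyword present, wrong offset
    (b"\x1a\x2b\x3c\x4d\x00", 0, "\\x1A2B3C4D"),  # hex keyword at offset 0
    (b"\x00sta", 1, "status"),                # shorter than the depth
]

if __name__ == "__main__":
    for payload, offset, content in SAMPLES:
        print(payload, offset, content,
              inspection_depth(offset, content),
              payload_matches(payload, offset, content))
```

With offset 1 and the six-character keyword status, the computed depth is 7, matching the table's worked example.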