Port Filtering Configuration

Last updated: 2023-09-07 15:22:20

Overview

Port filtering lets you build precise protection policies by specifying protocols and ports, controlling which ports and protocols clients may use to reach EdgeOne. Once port filtering is enabled, you can define any combination of protocol type, source port range, and destination port range, and set the action taken on matching traffic: block, allow, or continue protection.
Note:
This feature is available only when Exclusive DDoS protection is enabled on the Layer-4 proxy. It cannot be configured under the default platform protection or under Layer-7 site Exclusive DDoS protection.

Scenarios

Origin server runs UDP services, and UDP reflection attacks are filtered by port: If your origin server has UDP services and you therefore cannot block the UDP protocol outright, you can use port filtering to specify the UDP access ports to block during DDoS cleansing, so that UDP reflection attack traffic is not passed through to the origin. Common UDP reflection attack ports include: 1-52, 54-161, 389, 1900, 11211.
Filtering access from unpermitted ports: When your origin server accepts connections only on specific ports, you can use port filtering to configure the ports that are still allowed after DDoS cleansing. All connections to other ports are discarded directly, reducing attack penetration.

Instructions

For example, suppose that for all services under the site example.com only TCP ports 110-155 are open to the public and access to every other port is prohibited. The steps are as follows:
1. Log in to the EdgeOne console. In the left-hand menu, click on Site List. Within the site list, click on the site that needs configuration to enter the site details page.
2. On the site details page, click on Security > DDoS Mitigation to access the DDoS Mitigation details page.
3. On the Layer-4 Proxy Protection tab, select the Layer-4 proxy protection instance you want to configure and click Protection Configuration.
4. In the Port Filtering card, click on Settings to navigate to the Port Filtering page.

5. On the Port Filtering page, click Create to add port filtering rules. In this scenario, create two rules: one with TCP selected as the protocol, 1-65535 as the source port range, and 10-155 as the destination port range, and a second rule covering the remaining ports. Select a different protection action for each rule, fill in the relevant fields, and click Save.

Parameter | Note
--- | ---
Protocol | Choose All, TCP, or UDP.
Source port range | The port from which the client initiates the connection; supported range 1 to 65535.
Destination port range | The destination port the client connects to; supported range 1 to 65535.
Action | Block: drop the request. Allow: permit the request and stop matching against the remaining protection policies. Continue Protection: permit the request at this stage and continue matching against the remaining protection policies.
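The following is an added example, not EdgeOne's code: a small Python simulation of the rule semantics in the table above, applied to the two scenarios described earlier (permit only TCP 110-155 and block everything else; block the listed UDP reflection ports and let other traffic continue to the remaining policies). Rules are evaluated in order and the first matching rule decides. The rule and connection types, the "block"/"allow"/"continue" strings, and the assumption that a connection matching no terminating rule falls through to the remaining protection policies are all constructed for this example.

```python
"""Simulation of port-filtering rule semantics (added example, not EdgeOne code)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

PortRange = Tuple[int, int]
PORT_MIN, PORT_MAX = 1, 65535


def parse_port_ranges(spec: str) -> List[PortRange]:
    """Parse "1-52, 54-161, 389" into inclusive (low, high) tuples within 1-65535."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo_s, _, hi_s = item.partition("-")
        lo = int(lo_s)
        hi = int(hi_s) if hi_s else lo      # a single port is a one-element range
        if not (PORT_MIN <= lo <= hi <= PORT_MAX):
            raise ValueError(f"invalid port range: {item!r}")
        ranges.append((lo, hi))
    return ranges


@dataclass(frozen=True)
class Rule:
    protocol: str      # "ALL", "TCP" or "UDP" (constructed model of the Protocol column)
    src: PortRange     # inclusive source port range
    dst: PortRange     # inclusive destination port range
    action: str        # "block", "allow" or "continue"


@dataclass(frozen=True)
class Conn:
    protocol: str
    src_port: int
    dst_port: int


def matches(rule: Rule, conn: Conn) -> bool:
    """A rule matches when protocol, source port and destination port all match."""
    if rule.protocol != "ALL" and rule.protocol != conn.protocol:
        return False
    return (rule.src[0] <= conn.src_port <= rule.src[1]
            and rule.dst[0] <= conn.dst_port <= rule.dst[1])


def evaluate(rules: List[Rule], conn: Conn,
             remaining_policies: Optional[Callable[[Conn], str]] = None) -> Tuple[str, str]:
    """Return (verdict, reason) for a connection. First matching rule wins:
    block -> drop; allow -> pass and skip the remaining policies;
    continue -> pass this stage and let the remaining policies decide."""
    reason = "no port-filtering rule matched"
    for i, rule in enumerate(rules):
        if not matches(rule, conn):
            continue
        if rule.action == "block":
            return "drop", f"rule {i} block"
        if rule.action == "allow":
            return "pass", f"rule {i} allow (remaining policies skipped)"
        if rule.action == "continue":
            reason = f"rule {i} continue"
            break
        raise ValueError(f"unknown action {rule.action!r}")
    # Modelling assumption: with no terminating match, the remaining protection
    # policies decide; default to accept when none are supplied.
    verdict = "pass" if remaining_policies is None else remaining_policies(conn)
    return verdict, f"{reason}; remaining policies decide"


def tcp_only_rules(permitted_dst: str = "110-155") -> List[Rule]:
    """Scenario: allow only TCP to the permitted destination ports, block everything else."""
    rules = [Rule("TCP", (PORT_MIN, PORT_MAX), r, "allow") for r in parse_port_ranges(permitted_dst)]
    rules.append(Rule("ALL", (PORT_MIN, PORT_MAX), (PORT_MIN, PORT_MAX), "block"))
    return rules


def udp_reflection_rules(ports: str = "1-52, 54-161, 389, 1900, 11211") -> List[Rule]:
    """Scenario: block the listed UDP reflection ports, let other traffic continue."""
    rules = [Rule("UDP", (PORT_MIN, PORT_MAX), r, "block") for r in parse_port_ranges(ports)]
    rules.append(Rule("ALL", (PORT_MIN, PORT_MAX), (PORT_MIN, PORT_MAX), "continue"))
    return rules


if __name__ == "__main__":
    # Constructed sample connections for both scenarios.
    for c in [Conn("TCP", 51000, 120), Conn("TCP", 51000, 443), Conn("UDP", 123, 120)]:
        print("tcp-only  ", c, evaluate(tcp_only_rules(), c))
    for c in [Conn("UDP", 40000, 1900), Conn("UDP", 40000, 53)]:
        print("reflection", c, evaluate(udp_reflection_rules(), c))
```

The ordering matters: an Allow rule placed before the catch-all Block is what keeps the permitted TCP ports reachable, and because Allow also skips the remaining policies, anything you want inspected further should use Continue Protection instead.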