To control the source of access to your business resources, you can use the IP access limit feature in CDN. By limiting the number of access requests to a node per second from a single IP, you can defend against high-frequency CC attacks and prevent hotlinking by malicious users.
Configuration Guide
Viewing Configuration
Log in to the CDN console, select Domain Management from the menu bar, and click Management on the right side of the domain to enter the domain configuration page. In the second column, Access Control, you can see the IP access limit configuration. By default, the configuration is disabled and the threshold is empty.
Enabling the Configuration
Click the switch, fill in the frequency control threshold, and click OK to enable IP access limit control.
Configuration Note
After the configuration is enabled, a 514 error will be returned for requests that exceed the QPS limit. A low access frequency limit may impact the normal use of your business by high-frequency users. Configure the proper threshold according to your actual business conditions and use cases.
IP access limit is effective for attacks from a single IP to a single node. If a malicious user uses a large number of IPs to attack nodes across your entire network, this feature is no longer applicable. For stronger CC attack defense, it is recommended to purchase Tencent Cloud EdgeOne.
Under the same domain, if multiple different URLs are requested simultaneously, any URL that exceeds the threshold from a single IP to a single node will directly return a 514 error.
Disabling the Configuration
You can turn off the switch to disable this feature. When the switch is off, this feature does not take effect in the production environment even if there is an existing configuration. When the switch is on, this configuration takes effect across the entire network.
Note
If your acceleration domain name is configured for global acceleration, the IP access limit configuration takes effect globally. This configuration does not distinguish between requests from regions in and outside the Chinese mainland.
Configuration Example
Suppose the IP access limit for the acceleration domain name www.test.com is as follows:
The actual access status will be as follows:
1. A user with the client IP 1.1.1.1 requests the resource http://www.test.com/1.jpg 10 times in one second, all accessing a server in CDN cache node A. This generates 10 access logs on that server, with 9 logs showing status code 514 due to exceeding the QPS limit.
2. A user with the client IP 2.2.2.2 requests the resource http://www.test.com/1.jpg twice in one second, and the access requests may be distributed to two CDN cache nodes for processing due to network conditions. Each node will return the content normally.
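The two cases above can be replayed offline to see what a candidate threshold would do to real traffic before it is enabled. The following is an added example, not Tencent Cloud code: the function names, node labels and timestamps are hypothetical, the threshold of 1 QPS is inferred from the 9-of-10 result above, and a fixed one-second window per client IP and node is an assumed model of the limiter.

```python
from collections import Counter, defaultdict

# Constructed sample records: (epoch second, client IP, node, URL).
# Node labels and timestamps are made up for illustration.
SAMPLE = (
    [(1700000000, "1.1.1.1", "node-A", "/1.jpg")] * 10
    + [(1700000000, "2.2.2.2", "node-A", "/1.jpg"),
       (1700000000, "2.2.2.2", "node-B", "/1.jpg")]
)

def simulate(records, qps_limit, per_url=False):
    """Return {ip: {status: count}} for the given per-second limit.

    Assumed model: a fixed one-second window keyed by (client IP, node).
    per_url=False shares one counter across all URLs of the domain;
    per_url=True counts each URL separately. Which of the two the CDN
    uses is an assumption to verify against your own 514 logs.
    """
    seen = Counter()               # requests seen so far in each window
    result = defaultdict(Counter)  # ip -> Counter of status codes
    for second, ip, node, url in records:
        key = (second, ip, node, url if per_url else None)
        seen[key] += 1
        status = 200 if seen[key] <= qps_limit else 514
        result[ip][status] += 1
    return {ip: dict(counts) for ip, counts in result.items()}

def peak_qps(records):
    """Highest one-second request count each IP sent to any single node."""
    per_window = Counter((s, ip, node) for s, ip, node, _url in records)
    peaks = defaultdict(int)
    for (_second, ip, _node), count in per_window.items():
        peaks[ip] = max(peaks[ip], count)
    return dict(peaks)

if __name__ == "__main__":
    print(simulate(SAMPLE, qps_limit=1))
    print(peak_qps(SAMPLE))
```

Running peak_qps over a day of normal access logs gives the per-IP, per-node peaks that legitimate high-frequency users reach, which is the figure the threshold should sit above.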