Release Notes and Announcements

Release Notes

Security Announcement

Announcements

Product Introduction

Overview

Strengths

Use Cases

Comparison Between EdgeOne and CDN Products

Use Limits

Purchase Guide

Description of Trial Plan Experience Benefits

Free Plan Guide

Billing Overview

Billing Items

Subscriptions

Renewals

Instructions for overdue and refunds

Comparison of EdgeOne Plans

About "clean traffic" billing instructions

DDoS Protection Capacity Description

Getting Started

Choose business scenario

Quick access to website security acceleration

Quick deploying a website with Pages

Domain Service&Origin Configuration

Domain Service

HTTPS Certificate

Origin Configuration

Site Acceleration

Overview

Access Control

Smart Acceleration

Cache Configuration

File Optimization

Network Optimization

URL Rewrite

Modifying Header

Modify the response content

Rule Engine

Image&Video Processing

Speed limit for single connection download

DDoS & Web Protection

Overview

DDoS Protection

Web Protection

Bot Management

API Discovery（Beta）

Edge Functions

Overview

Getting Started

Operation Guide

Runtime APIs

Sample Functions

Best Practices

Pages

L4 Proxy

Overview

Creating an L4 Proxy Instance

Modifying an L4 Proxy Instance

Disabling or Deleting an L4 Proxy Instance

Batch Configuring Forwarding Rules

Obtaining Real Client IPs

Data Analysis&Log Service

Log Service

Data Analysis

Alarm Service

Site and Billing Management

Billing Management

Site Management

Version Management

General Policy

General Reference

Configuration Syntax

Request and Response Actions

Country/region and Corresponding Codes

Terraform

Overview

Installing and Configuring Terraform

Practical Tutorial

EdgeOne Skill User Guide

Automatic Warm-up/Cache Purge

Resource Abuse/hotlinking Protection Practical

HTTPS Related Practices

Acceleration Optimization

Scheduling Traffic

Data Analysis and Alerting

Log Platform Integration Practices

Configuring Origin Servers for Cloud Object Storage (Such As COS)

CORS Response Configuration

API Documentation

History

Introduction

API Category

Making API Requests

Site APIs

Acceleration Domain Management APIs

Site Acceleration Configuration APIs

Edge Function APIs

Alias Domain APIs

Security Configuration APIs

Layer 4 Application Proxy APIs

Content Management APIs

Data Analysis APIs

Log Service APIs

Billing APIs

Certificate APIs

Origin Protection APIs

Load Balancing APIs

Diagnostic Tool APIs

Custom Response Page APIs

API Security APIs

DNS Record APIs

Content Identifier APIs

Legacy APIs

Ownership APIs

Image and Video Processing APIs

Multi-Channel Security Gateway APIs

Version Management APIs

Data Types

Error Codes

FAQs

Product Features FAQs

DNS Record FAQs

Domain Configuration FAQs

Site Acceleration FAQs

Data and Log FAQs

Security Protection-related Queries

Origin Configuration FAQs

Troubleshooting

Reference for Abnormal Status Codes

Troubleshooting Guide for EdgeOne 4XX/5XX Status Codes

520/524 Status Code Troubleshooting Guide

521/522 Status Code Troubleshooting Guide

Tool Guide

Agreements

Service Level Agreement

Origin Protection Enablement Conditions of Use

TEO Policy

Data Processing And Security Agreement

Glossary

Overview

PDF

Focus Mode

Font Size

Last updated: 2024-08-01 21:37:22

Security protection provides secure policy configuration and security event alert options for applications integrating with EdgeOne. This helps you verify traffic and requests at the edge, preventing external attacks and security risks from impacting your business and sensitive data.
﻿
After integrating with EdgeOne's security acceleration service and subscribing to relevant security protection services, you can configure the following security policies:
Note:
DDoS protection is designed for network-layer defense against DDoS attacks and is suitable for L4 proxy applications (TCP/UDP applications). Configuration for DDoS protection is only available for users with Exclusive DDoS Protection Usage enabled.
If you need to configure Referer blocklist/allowlist, User-Agent (UA) blocklist/allowlist, IP blocklist/allowlist, or region blocking through Web protection, please navigate to Web Protection > Custom Rules >Basic Access Control. For more details, see Web Protection - Custom Rules.
The available rule configurations and execution methods may vary based on the EdgeOne plan you have subscribed to. See Comparison of EdgeOne Plans for package specifications.
Category
Function
Application Scenario
Default Configuration
﻿
﻿DDoS Protection(DDoS protection at the network layer)
﻿
﻿DDoS Protection Level﻿
Automatic protection cleansing for DDoS attacks targeting L4 services (TCP/UDP applications).
For example: 
Daily Protection: Utilize the Moderate protection level to discard traffic exhibiting clear DDoS attack characteristics. 
 Emergency recovery during attack bypass: Implement the Strict protection level to discard all traffic suspected of DDoS attacks.
Protection Level: Moderate
﻿
﻿
﻿IP Blocklist/Allowlist﻿
Discard or permit traffic from specified IP addresses.
For example: 
Internal Call Permit: Permit the internal service IP 11.11.11.11, allowing high-frequency access between services.
None
﻿
﻿
﻿Configuration Region Blocking﻿
Block client access from specified regions. 
For example:
Ban access from overseas: Discard traffic with source IPs located outside mainland China.
None
﻿
﻿
﻿Configuration Port Filtering﻿
Discard or allow traffic based on specified source/destination ports. 
For example:
Discard high-risk reflection port: Drop traffic with source port matching UDP 53, prohibiting access to private UDP protocol applications.
None
﻿
﻿
﻿Configuration Features Filtering﻿
Discard traffic containing specified data or parameters.
For example:
Discard unusually long UDP packets:  Discard UDP traffic with a length exceeding 500.
None
﻿
﻿
﻿Configuration Protocol Blocking Rule﻿
Discard traffic of specified IP protocols. 
For example:
Block external PING commands:  Configure blocking of ICMP protocol traffic.
None
﻿
﻿
﻿Configuration Connections Attack Protection﻿
Intercept abnormal TCP behaviors such as high-frequency connections and abnormal connections.
None
﻿
﻿Web Protection﻿
﻿
﻿Platform-hosted rate limiting (formerly CC Attack Defense）﻿
Mitigate HTTP/HTTPS DDoS attacks, including high-frequency access and slow request attacks.
Adaptive Frequency Control
Limit Level: Adaptive 
Loose - Disposal Method: JavaScript Challenge
Slow Attack Protection
Disabled
Intelligent Client Filtering
Disposal Method: JavaScript Challenge
﻿
﻿
﻿Managed Rules﻿
Intercept vulnerabilities targeting web applications (SQL injection, cross-site scripting, remote code execution, etc.). 
For example: 
Intercept Apache log4j vulnerabilities:  Enable rules related to log4j vulnerabilities in open-source components for interception. 
All rules are enabled for observation mode.
﻿
﻿
﻿Custom Rules﻿
Handle requests based on header content and IP. 
For example:
Hotlink Protection: Intercept requests based on Referer header matching.
Regional Blocking: Intercept requests from clients with IP matching specified regions.
IP Blocklist:  Intercept based on specified IP or IP groups.
None
﻿
﻿
﻿Rate Limiting﻿
Intercept clients accessing beyond preset access rates.
For example:
Intercept clients causing a large number of errors in a short time at the origin:  Set the rate allowed for each IP causing origin errors and intercept IP access beyond the threshold.
Intercept account ID with excessively high access frequency to a specific API: Set the frequency allowed for each account (specified account ID position) to access a specific API, intercepting account access beyond the threshold.
Intercept clients with excessively high access frequency fingerprints (JA3 fingerprints): Set the access rate for each JA3 fingerprint (i.e., TLS fingerprint) and intercept access with the same fingerprint beyond the threshold.
None
﻿
﻿
﻿Protection Exception Rules - Skip Protection Modules﻿
Skip protection rules in web protection by module.
For example:
Allow internal services:  Set the internal service IP list and specified API paths to allow clients on the list unrestricted access to that path.
None
﻿
﻿
﻿Protection Exception Rules - Skip Specified Managed Rules﻿
Skip specified managed rules. 
For example:
Allow user content uploads:  Configure business paths and false-positive rules to allow requests when parameters contain user-written content.
None
﻿
﻿Bot Management﻿
﻿
﻿Bot Intelligent Analysis﻿
Intercept bot requests based on risk levels. (Suitable for quickly enabling bot management strategies and establishing bot access profiles). 
For example:
Intercept misuse of CDN resources (scraping): Intercept malicious bot requests.
None
﻿
﻿
﻿Bot Basic Management﻿
Handle crawlers for search engines, open-source development tools, and commercial purposes. 
For example:
Allow Google search engine crawlers:  Use search engine feature rule libraries to configure allowing Google search engine crawlers.
Intercept cURL tool access: Use UA feature libraries to intercept access from web development tools.
None
﻿
﻿
﻿Client Reputation﻿
Handle requests from clients with a history of malicious behavior or high-risk characteristics based on IP threat intelligence.
For example:
Intercept VPN/proxy requests: Intercept clients identified as malicious proxies, fast-dial IPs, or proxy IP pools.
None
﻿
﻿
﻿Active Detection﻿
Intercept requests with abnormal browser runtime environments and access behavior.
For example:
Cookie Challenge: Enable cookie verification to intercept clients not supporting cookies.
Intercept automated tool access: Enable client behavior verification to identify JavaScript runtime environment anomalies and abnormal access behavior in automated tools.
None
﻿
﻿
﻿Custom Bot Rules﻿
Counteract bot tools based on the features, headers, and client IP of requests. The feature provides more disposal options for bot counteraction.
For example:
Counteract high-risk bots accessing sensitive business: Match based on access paths and client profiles, configure observation, silent, and response after waiting with certain weights.
None
﻿

Help and Support

Was this page helpful?

You can also Contact sales or Submit a Ticket for help.

Help us improve! Rate your documentation experience in 5 mins.

Feedback

tencent cloud

Tencent Cloud EdgeOne

Overview

Help and Support

Category	Function	Application Scenario	Default Configuration
DDoS Protection(DDoS protection at the network layer)	DDoS Protection Level	Automatic protection cleansing for DDoS attacks targeting L4 services (TCP/UDP applications). For example: Daily Protection: Utilize the `Moderate` protection level to discard traffic exhibiting clear DDoS attack characteristics. Emergency recovery during attack bypass: Implement the `Strict` protection level to discard all traffic suspected of DDoS attacks.	Protection Level: Moderate
		IP Blocklist/Allowlist	Discard or permit traffic from specified IP addresses. For example: Internal Call Permit: Permit the internal service IP `11.11.11.11`, allowing high-frequency access between services.	None
		Configuration Region Blocking	Block client access from specified regions. For example: Ban access from overseas: Discard traffic with source IPs located outside mainland China.	None
		Configuration Port Filtering	Discard or allow traffic based on specified source/destination ports. For example: Discard high-risk reflection port: Drop traffic with `source port matching UDP 53`, prohibiting access to private UDP protocol applications.	None
		Configuration Features Filtering	Discard traffic containing specified data or parameters. For example: Discard unusually long UDP packets: Discard UDP traffic with a length exceeding 500.	None
		Configuration Protocol Blocking Rule	Discard traffic of specified IP protocols. For example: Block external PING commands: Configure blocking of ICMP protocol traffic.	None
		Configuration Connections Attack Protection	Intercept abnormal TCP behaviors such as high-frequency connections and abnormal connections.	None
Web Protection	Platform-hosted rate limiting (formerly CC Attack Defense）	Mitigate HTTP/HTTPS DDoS attacks, including high-frequency access and slow request attacks.	Adaptive Frequency Control Limit Level: Adaptive Loose - Disposal Method: JavaScript Challenge Slow Attack Protection Disabled Intelligent Client Filtering Disposal Method: JavaScript Challenge
		Managed Rules	Intercept vulnerabilities targeting web applications (SQL injection, cross-site scripting, remote code execution, etc.). For example: Intercept Apache log4j vulnerabilities: Enable rules related to log4j vulnerabilities in open-source components for interception.	All rules are enabled for observation mode.
		Custom Rules	Handle requests based on header content and IP. For example: Hotlink Protection: Intercept requests based on Referer header matching. Regional Blocking: Intercept requests from clients with IP matching specified regions. IP Blocklist: Intercept based on specified IP or IP groups.	None
		Rate Limiting	Intercept clients accessing beyond preset access rates. For example: Intercept clients causing a large number of errors in a short time at the origin: Set the rate allowed for each IP causing origin errors and intercept IP access beyond the threshold. Intercept account ID with excessively high access frequency to a specific API: Set the frequency allowed for each account (specified account ID position) to access a specific API, intercepting account access beyond the threshold. Intercept clients with excessively high access frequency fingerprints (JA3 fingerprints): Set the access rate for each JA3 fingerprint (i.e., TLS fingerprint) and intercept access with the same fingerprint beyond the threshold.	None
		Protection Exception Rules - Skip Protection Modules	Skip protection rules in web protection by module. For example: Allow internal services: Set the internal service IP list and specified API paths to allow clients on the list unrestricted access to that path.	None
		Protection Exception Rules - Skip Specified Managed Rules	Skip specified managed rules. For example: Allow user content uploads: Configure business paths and false-positive rules to allow requests when parameters contain user-written content.	None
Bot Management	Bot Intelligent Analysis	Intercept bot requests based on risk levels. (Suitable for quickly enabling bot management strategies and establishing bot access profiles). For example: Intercept misuse of CDN resources (scraping): Intercept malicious bot requests.	None
		Bot Basic Management	Handle crawlers for search engines, open-source development tools, and commercial purposes. For example: Allow Google search engine crawlers: Use search engine feature rule libraries to configure allowing Google search engine crawlers. Intercept cURL tool access: Use UA feature libraries to intercept access from web development tools.	None
		Client Reputation	Handle requests from clients with a history of malicious behavior or high-risk characteristics based on IP threat intelligence. For example: Intercept VPN/proxy requests: Intercept clients identified as malicious proxies, fast-dial IPs, or proxy IP pools.	None
		Active Detection	Intercept requests with abnormal browser runtime environments and access behavior. For example: Cookie Challenge: Enable cookie verification to intercept clients not supporting cookies. Intercept automated tool access: Enable client behavior verification to identify JavaScript runtime environment anomalies and abnormal access behavior in automated tools.	None
		Custom Bot Rules	Counteract bot tools based on the features, headers, and client IP of requests. The feature provides more disposal options for bot counteraction. For example: Counteract high-risk bots accessing sensitive business: Match based on access paths and client profiles, configure observation, silent, and response after waiting with certain weights.	None