Inter.link DDoS Protection Templates – Knowledgebase
Overview
Setting up DDoS mitigation shouldn’t require building complex rules from scratch. To make configuration easy and fast, we provide a library of pre-configured DDoS Protection Templates.
These are ready-to-use profiles designed for different network setups, including Anycast, CDNs, Cloud and Web Hosting, and DNS servers.
To match how aggressive you want the filtering to be, most categories offer three tiers (Loose, Balanced, and Strict), with separate Under-Attack profiles for emergencies:
- Loose: Prioritizes keeping your service online and handles traffic spikes well. It only triggers on obvious, high-volume attacks to minimize the chance of blocking real users (false positives).
- Balanced: The recommended default. It actively blocks abusive sessions and application-level attacks without being overly aggressive. It strikes a practical middle ground.
- Strict: Built for aggressive filtering. It blocks suspicious traffic faster and bans attackers for longer. Use this if you prefer strict rules and fast containment, even if it means a higher risk of dropping borderline traffic.
- Under-Attack: Emergency profiles for when you are actively dealing with a DDoS attack. These force maximum sensitivity and aggressive protections to quickly block the attack sources.
Some profiles are also available in both Mitigate and Monitor versions. The Monitor version uses the same settings as the corresponding Mitigate profile, but it does not perform any scrubbing. This makes it useful for evaluating how a profile’s settings would behave before enabling active mitigation.
Review the list below to find the template that best fits your network and protected subnets.
- Base-Mitigate-0202
- Base-Mitigate-0202_Drop-UDP
- Base-Mitigate-0202_Drop-UDP_SYN-Force-ON
- Base-Mitigate-0300
- Default
- Mitigate-Anycast-Balanced-v001
- Mitigate-Anycast-Loose-v001
- Mitigate-Anycast-Strict-v001
- Mitigate-CDN-Balanced-v001
- Mitigate-CDN-Loose-v001
- Mitigate-CDN-Strict-v001
- Mitigate-CloudHosting-Balanced-v001
- Mitigate-CloudHosting-Loose-v001
- Mitigate-CloudHosting-Strict-v001
- Mitigate-DNSHosting-Balanced-v001
- Mitigate-DNSHosting-Loose-v001
- Mitigate-DNSHosting-Strict-v001
- Mitigate-WebHosting-Balanced-v001
- Mitigate-WebHosting-Loose-v001
- Mitigate-WebHosting-Strict-v001
- UNDER-ATTACK-POLICY_v101
- UNDER-ATTACK-POLICY_v101_AT8-max
- UNDER-ATTACK-POLICY_v101-no-forceon
- UNDER-ATTACK-POLICY_v101-no-forceOn
- UNDER-ATTACK-POLICY_v101-no-forceon2
Base-Mitigate-0202
A balanced auto-mitigation baseline that enforces protection across TCP/UDP/ICMP floods and common application-layer abuses, with a focus on practical containment without extreme aggressiveness. It enables active session-abuse mitigation (blocking excessive idle sessions, RST churn, and duplicate ACK patterns; dropping data for closed sessions) with moderate sensitivity and short attacker block times, while applying mid-level application/HTTP anomaly detection (misused-application and HTTP fragmentation/VERB detectors) with moderate attacker IP block durations. It also includes standard volumetric thresholds, DNS/VoIP protections, and comprehensive invalid-packet hygiene, with full victim visibility and threshold-based notifications—suited for general production use where you want enforcement but still expect some traffic variability.
Base-Mitigate-0202_Drop-UDP
A variant of the Base-Mitigate-0202 auto-mitigation baseline that keeps the same balanced enforcement for TCP/session abuse, volumetric floods, and application/HTTP anomaly detection, but adds a hard UDP deny posture. In addition to the normal UDP flood and non-spoofed UDP protections, the invalid-packet policy is configured to drop all UDP packets, effectively eliminating UDP exposure (and therefore UDP-based amplification/reflection and UDP application traffic) while still retaining TCP and ICMP handling, invalid-packet sanitation, full victim reporting, and threshold-based alerting.
Base-Mitigate-0202_Drop-UDP_SYN-Force-ON
An enforcement-focused baseline that combines the balanced Base-Mitigate-0202 controls with two hardening changes: (1) SYN flood protection is forced on (always actively enforced rather than purely auto-triggered), and (2) all UDP traffic is dropped via the invalid-packet policy. This yields a TCP-centric protection stance with strong session-abuse mitigation (idle/RST/duplicate-ACK blocking and closed-session data dropping), moderate application/HTTP anomaly detection and volumetric safeguards, plus strict invalid-packet hygiene and full victim reporting with threshold alerts—intended for services that only require TCP and want maximum reduction of UDP- and SYN-based attack surface.
Base-Mitigate-0300
A high-sensitivity auto-mitigation baseline intended for active enforcement rather than observation. It enables automated blocking for TCP/session exhaustion behaviors (idle-session buildup, RST churn, duplicate ACK patterns) with moderate session-attack sensitivity and short attacker block times, and it applies aggressive application/HTTP anomaly detection (high filter sensitivity for misused-application and HTTP fragmentation/VERB abuse) with long attacker IP block times where those detectors trigger. It also includes UDP/ICMP behavioral flood detection tuned for earlier detection (lower per-sample/per-IP thresholds), plus strict invalid-packet hygiene (including dropping UDP port 80), full victim reporting, and threshold-based notifications—suited for environments that want earlier containment and are comfortable with tighter controls.
Default
A baseline, general-purpose auto-mitigation profile with broad coverage for common L3/L4 floods (TCP, UDP, ICMP) and basic L7 anomaly detectors (DNS/VoIP and HTTP fragmentation/VERB patterns), designed to trigger only on sustained, clearly abnormal traffic. Most attack types require both high volume (typically ~10k pps or large packet-count thresholds) and a minimum duration before being treated as an attack, while stateful/session protections are moderate and largely non-blocking (limited session-attack sensitivity and no automatic blocking of idle/RST/duplicate-ACK behaviors). It also applies comprehensive invalid-packet hygiene, reports all victims, and uses “as-reporting” style notifications, making it suitable as a conservative default where false positives must be minimized.
Mitigate-Anycast-Balanced-v001
An anycast-focused, auto-mitigation profile that combines high-capacity volumetric flood handling with strong stateful/session-abuse enforcement to protect distributed edges from connection and resource-exhaustion attacks. It enables blocking for excessive idle sessions, RST-driven churn, and duplicate ACK patterns, uses elevated session-attack sensitivity with aggressive attacker/victim detection, applies longer attacker block times, and drops data for closed sessions to limit backend and edge-state drain. Alongside this, it retains coverage for TCP/UDP/ICMP/DNS floods and common HTTP abuse signatures, includes robust invalid-packet validation, reports all victims, and triggers threshold-based notifications—aimed at reliable containment while still tolerating normal anycast traffic variability.
Mitigate-Anycast-Loose-v001
An anycast-oriented, auto-mitigation profile that keeps high volumetric flood thresholds while applying moderately strict session controls to contain state-exhaustion and protocol-abuse attacks without being as aggressive as a “strict” posture. It enables blocking for excessive idle sessions, RST-closed sessions, and duplicate ACK behavior with mid-range session-attack sensitivity, short attacker block times, and dropping data for closed sessions to reduce resource drain. In addition, it includes coverage for common TCP/UDP/ICMP/DNS floods and HTTP-abuse patterns, plus robust invalid-packet sanitation and full victim reporting with threshold-based alerts—aimed at protecting distributed anycast edges while preserving tolerance for normal traffic variability.
Mitigate-Anycast-Strict-v001
A strict, auto-mitigation profile designed for anycasted services where aggressive session hygiene is acceptable to protect the edge. It maintains high volumetric flood thresholds for common TCP/UDP/ICMP/DNS attacks, but applies very tight stateful/session-anomaly enforcement: high session-attack sensitivity, aggressive attacker/victim detection, long attacker block times, and active blocking of excessive idle sessions, RST-closed sessions, and duplicate ACK behavior, including dropping data for closed sessions. It also enforces robust invalid-packet sanitation and full victim visibility with threshold notifications, making it suited for environments that prefer rapid, decisive containment of low-and-slow or protocol-abuse patterns even at the risk of impacting marginal/abnormal clients.
Mitigate-CDN-Balanced-v001
A general-purpose CDN mitigation profile using auto-detection across TCP, UDP, ICMP, DNS, VoIP, and common HTTP-abuse patterns, intended to balance attack sensitivity with resilience to legitimate traffic bursts. It keeps high volumetric flood thresholds while enforcing session/behavior anomaly controls (e.g., ACK validation, session-attack heuristics, misused-application and HTTP fragmentation/VERB detections) with moderate sensitivity and short attacker blocking where applicable. It also applies comprehensive invalid-packet sanitation and full victim visibility with threshold-based notifications, making it suitable for mixed workloads where you want reliable protection without overly aggressive blocking.
Mitigate-CDN-Loose-v001
A broad, auto-mitigation profile tuned for CDN-fronted services that prioritizes availability while still detecting high-volume attacks. It applies automated protection against common TCP, UDP, ICMP, DNS, VoIP, and HTTP-layer floods using relatively high packet-rate thresholds and moderate session-anomaly sensitivity to reduce false positives. The profile includes basic invalid-packet filtering and application-level checks, reports all detected victims, and uses threshold-based alerts, making it suitable for large, burst-tolerant environments where legitimate traffic spikes are expected.
Mitigate-CDN-Strict-v001
A CDN-oriented auto-mitigation profile focused on strong, multi-layer protection against volumetric floods and common HTTP abuse patterns while keeping session-level enforcement relatively conservative. It uses high-rate thresholds for TCP/UDP/ICMP floods and enables application-layer detections (misused-application, HTTP fragmentation, excessive/multiple VERB, recursive GET variants) with short attacker block times where applicable, plus strict invalid-packet hygiene and full victim reporting with threshold notifications. The profile is “strict” mainly through broader L7 coverage and tighter fragmentation controls, rather than aggressive session blocking, making it suitable for CDN-fronted services that want robust attack filtering without heavy stateful client impact.
Mitigate-CloudHosting-Balanced-v001
An auto-mitigation profile designed for cloud-hosted services that enforces protection across common TCP, UDP, ICMP, DNS, VoIP, and HTTP attack vectors while applying strong session-abuse controls. It uses moderately high sensitivity for detecting idle-session buildup, RST churn, duplicate ACK behavior, and other state-exhaustion patterns, with extended attacker block times and aggressive victim/attacker detection to protect shared compute resources. Application-layer anomaly detectors for misused applications and HTTP fragmentation/VERB patterns are enabled with moderate thresholds, alongside comprehensive invalid-packet hygiene and full victim reporting with threshold-based alerts, making it suited for production cloud environments that require reliable protection without excessive disruption to legitimate traffic.
Mitigate-CloudHosting-Loose-v001
An auto-mitigation profile for cloud-hosted environments that maintains broad coverage for TCP, UDP, ICMP, DNS, VoIP, and HTTP attack patterns while using relaxed application-misuse detection thresholds to better tolerate diverse and bursty tenant traffic. It keeps active session-abuse protections enabled to block excessive idle sessions, RST-closed session churn, and duplicate ACK patterns, with extended attacker block times and aggressive attacker/victim identification. The profile also includes HTTP anomaly detection, invalid-packet sanitation, full victim reporting, and threshold-based notifications, providing dependable protection while accommodating varied application behavior in shared hosting environments.
Mitigate-CloudHosting-Strict-v001
An auto-mitigation profile tailored for cloud-hosted services that applies strong, state-aware protection across TCP, UDP, ICMP, DNS, VoIP, and HTTP attack vectors with tighter thresholds for abnormal traffic patterns. It enforces high-sensitivity session-abuse controls to block excessive idle sessions, RST churn, duplicate ACK behavior, and other resource-exhaustion techniques, combined with extended attacker block times and aggressive attacker/victim detection to protect shared infrastructure. Application-layer anomaly detection for misused applications, HTTP fragmentation, and excessive or malformed request patterns operates at stricter sensitivity, alongside comprehensive invalid-packet filtering and full victim reporting with threshold-based alerts, making it suitable for cloud environments requiring maximum resilience against volumetric and protocol abuse attacks.
Mitigate-DNSHosting-Balanced-v001
An auto-mitigation profile optimized for DNS hosting that combines broad L3/L4 flood protection with DNS-aware validation to reduce false positives while still reacting quickly to abuse. It enables DNS query/response verification and duplicate detection (including support for zero-question queries and limited padding), applies moderate UDP flood sensitivity with fragmentation controls, and keeps session-abuse protections at a conservative level to avoid disrupting legitimate resolver/client behavior. Comprehensive invalid-packet hygiene checks and threshold-based alerting are enabled with full victim visibility, providing balanced protection against common volumetric and protocol-based attacks targeting authoritative and recursive DNS infrastructure.
Mitigate-DNSHosting-Loose-v001
An auto-mitigation profile tailored for DNS hosting that prioritizes service continuity while still filtering clearly abusive traffic. It enables DNS-aware controls (query/response verification and duplicate detection, permitting zero-question queries and limited padding) and uses relatively permissive UDP flood and UDP fragmentation thresholds to reduce the risk of impacting legitimate resolver or client bursts. TCP flood handling remains standard, session-attack protections are conservative (no aggressive session blocking), and invalid-packet sanity checks are enabled, including dropping non-essential/unknown protocol traffic, to maintain baseline hygiene. Threshold-based alerting and full victim visibility provide monitoring without overly restrictive mitigation behavior.
Mitigate-DNSHosting-Strict-v001
A stricter auto-mitigation profile for DNS hosting that tightens UDP-based attack detection while preserving DNS protocol validation. It keeps DNS-aware checks enabled (query/response verification and duplicate detection, allowing zero-question queries and limited padding) and applies more aggressive UDP flood sensitivity with lower per-attack thresholds to react faster to volumetric or patterned UDP abuse, plus tighter UDP fragmentation tolerance. TCP flood protections remain enabled with standard duplicate controls, and comprehensive invalid-packet hygiene is enforced (dropping malformed traffic and non-essential/unknown protocols) to reduce evasions and noise. Designed for environments where earlier filtering of suspicious UDP/DNS traffic is preferred over maximum permissiveness, while still maintaining visibility and threshold-based alerting.
Mitigate-WebHosting-Balanced-v001
A balanced auto-mitigation profile tuned for web hosting that combines strong TCP/session protection with dedicated HTTP-layer anomaly detection. It applies standard SYN/SYN-ACK/ACK flood controls and adds more active session-defense behavior (blocking excessive idle sessions, RST-closed sessions, and duplicate ACK patterns, with longer attacker block times and aggressive victim/attacker detection). For L7, it enables multiple HTTP-focused detections (HTTP fragmentation and excessive/abnormal HTTP methods, including single-session and multi-verb patterns) to catch request smuggling/evasion-style traffic and abusive request behavior without being overly restrictive. UDP/DNS/ICMP protections remain enabled at moderate thresholds, invalid-packet hygiene checks are enforced, and visibility/alerting stays threshold-based with victim reporting enabled.
Mitigate-WebHosting-Loose-v001
An auto-mitigation profile for web hosting that keeps broad coverage across TCP, HTTP, UDP, DNS, and ICMP attacks, but with comparatively lighter session/behavior enforcement to reduce false positives in busy, diverse hosting environments. It enables standard flood protections (SYN/SYN-ACK/ACK, FIN/RST) and HTTP-layer detections (fragmentation and abnormal/excessive HTTP method patterns), while using moderate session-attack sensitivity, shorter attacker block times, and less aggressive victim/attacker classification. UDP/DNS/ICMP flood handling remains enabled at moderate thresholds, invalid-packet sanity checks are enforced, and the profile is set to report all victims with threshold-based alerting.
Mitigate-WebHosting-Strict-v001
A stricter auto-mitigation profile for web hosting that prioritizes rapid detection and hard enforcement against abusive TCP/session behavior and application misuse while maintaining full coverage for common L3/L4 floods and HTTP-layer anomalies. It applies high session-attack sensitivity with aggressive victim/attacker detection, drops traffic for closed sessions, and uses long attacker IP block times to quickly suppress repeat offenders. Application-misuse detection is tuned for earlier triggering (lower per-IP and sampling thresholds) to catch distributed low-rate abuse, while HTTP fragmentation and abnormal/excessive HTTP method patterns are monitored with blocking enabled. UDP/DNS/ICMP protections remain enabled with standard flood thresholds, invalid-packet hygiene checks are enforced, and alerts are threshold-based with full victim visibility.
UNDER-ATTACK-POLICY_v101
A high-aggression emergency mitigation profile intended for active DDoS situations. It force-enables key TCP protections and applies very sensitive detection across session abuse, application misuse, HTTP anomalies, and UDP/ICMP floods, with long attacker block times to quickly suppress repeat offenders. Compared to the other UNDER-ATTACK variants, this serves as the baseline aggressive profile, combining broad protocol coverage with strong but not extreme specialization toward any single attack type.
UNDER-ATTACK-POLICY_v101_AT8-max
An emergency mitigation profile derived from the base UNDER-ATTACK policy but tuned to maximize protection against session-exhaustion and connection-abuse attacks. It increases session-attack sensitivity to the highest level, lowers bad-session thresholds, and uses the longest attacker block times to rapidly isolate sources that attempt to exhaust server state. Compared to the other variants, it is the most focused on protecting backend session capacity, trading greater risk of false positives for stronger defense against slow or distributed session-based attacks.
UNDER-ATTACK-POLICY_v101-no-forceon
An aggressive mitigation profile similar in scope to the baseline UNDER-ATTACK policy but without forcing certain mitigations globally, allowing the system’s automatic detection logic to decide when protections are applied. It still uses high sensitivity for session, application, and HTTP anomaly detection with long block times and strict packet hygiene. Compared to the base profile, it is slightly less rigid in activation behavior while keeping overall protection strength comparable.
UNDER-ATTACK-POLICY_v101-no-forceOn
An aggressive mitigation profile that removes forced SYN mitigation entirely while maintaining very sensitive detection across TCP floods, session abuse, and application-layer attacks. It relies fully on automatic mitigation triggers while preserving long block times and strict invalid-packet filtering. Compared to the other UNDER-ATTACK variants, it is the least forceful in activation of SYN protection but still provides strong overall defensive coverage across protocols during active attacks.
UNDER-ATTACK-POLICY_v101-no-forceon2
An aggressive “under attack” mitigation profile that relies entirely on automatic detection across all TCP, UDP, ICMP, and HTTP protections while maintaining very high sensitivity and long attacker block times. It enforces strict session-abuse controls, early detection of misused applications and HTTP anomalies, and strong invalid-packet filtering, along with broad suppression of risky UDP traffic patterns. Compared to the other UNDER-ATTACK variants, this version keeps the same high detection sensitivity and defensive scope but avoids any forced mitigation behavior, making it the most automation-driven option while still prioritizing service availability and full attack visibility during heavy attack conditions.