
Anti-DDoS: Protect website services

Last Updated: Feb 04, 2026

Anti-DDoS Pro or Anti-DDoS Premium protects your website by routing traffic to Anti-DDoS nodes for scrubbing. It filters malicious attack traffic and forwards legitimate traffic to your origin server. This topic walks you through how to quickly add your website to Anti-DDoS Pro or Anti-DDoS Premium and complete key configurations.

Applicable scope

  • Anti-DDoS Pro or Anti-DDoS Premium instance: You have purchased an Anti-DDoS Pro or Anti-DDoS Premium instance based on your business needs. For more information, see Purchase an Anti-DDoS Pro or Anti-DDoS Premium instance.

  • ICP filing: If you use an Anti-DDoS Pro or Anti-DDoS Premium instance deployed in the Chinese mainland, ensure that your domain has completed ICP filing.

Step 1: Add your website service

To protect your website with Anti-DDoS Pro or Anti-DDoS Premium, first add the domain name of your website and configure a traffic forwarding rule in the Anti-DDoS Pro or Anti-DDoS Premium console.

  1. Log on to the Website Config page in the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): Choose the Chinese Mainland region.

    • Anti-DDoS Proxy (Outside Chinese Mainland): Choose the Outside Chinese Mainland region.

  3. On the Website Config page, click Add Website.

    Note

    You can also click Batch Import at the bottom of the page to import website configurations in batches from an XML file. For more information about the file format, see Other operations.

    1. Enter the access information for the website and click Next.

      Configuration item

      Description

      Function Plan

      Select the function plan of the Anti-DDoS Pro or Anti-DDoS Premium instance that you want to associate. Options: Standard and Enhanced.

      Note

      You can hover over the Description of Function Plan icon next to Function Plan to view the differences in features between the Standard and Enhanced function plans. For more information, see Differences between the Standard and Enhanced function plans.

      Instance

      Select the Anti-DDoS Pro or Anti-DDoS Premium instance to associate.

      You can associate a domain name with up to eight instances. The instances must use the same Function Plan.

      Websites

      Enter the domain name of the website that you want to protect. The domain name must meet the following requirements:

      • The domain name can contain letters (a to z and A to Z), digits (0 to 9), and hyphens (-). The domain name must start with a letter or a digit.

      • You can enter a wildcard domain name, such as *.aliyundoc.com. If you enter a wildcard domain name, Anti-DDoS Pro and Anti-DDoS Premium automatically matches the subdomains of the wildcard domain name.

      Note
      • If both a wildcard domain name and an exact-match domain name are configured, such as *.aliyundoc.com and www.aliyundoc.com, Anti-DDoS Pro and Anti-DDoS Premium prioritizes the forwarding rules and mitigation policies that are configured for the exact-match domain name, which is www.aliyundoc.com.

      • If you enter a first-level domain name, Anti-DDoS Pro and Anti-DDoS Premium protects only the first-level domain name. It does not protect subdomains such as second-level domains. If you want to protect a second-level domain, enter the second-level domain or a wildcard domain name.

      • You can specify only domain names. Website IP addresses are not supported.

      Protocol Type

      Select the protocol that the website supports. Options:

      • HTTP: selected by default.

      • HTTPS: If the website supports HTTPS encryption and authentication, select this protocol and complete the following configurations.

        Upload an international HTTP certificate

        Upload a certificate to allow Anti-DDoS Pro and Anti-DDoS Premium to scrub HTTPS service traffic.

        • Upload: Specify Certificate Name, then paste the certificate file content to the Certificate File field, and the private key file content to the Private Key field.

          Note
          • If the certificate file is in PEM, CER, or CRT format, open it in a text editor and copy the content. For other formats like PFX or P7B, convert the file to PEM format first, then copy the content. For information about how to convert the format of a certificate file, see Convert the format of a certificate or How do I convert an SSL certificate to the PEM format?

          • If the file includes multiple certificates (like a certificate chain), concatenate their contents and paste the combined content into the Certificate File field.

        • Select Existing Certificate: If you have applied for a certificate from Certificate Management Service (Original SSL Certificate) or have uploaded a certificate to Certificate Management Service, you can directly select the certificate.
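Before pasting, it is worth checking that the Certificate File field holds only certificate blocks (the server certificate plus any chain certificates, concatenated) and that the Private Key field holds exactly one key block. The following Python script is an added example, not part of the Anti-DDoS console or its documentation; it uses only the standard library, and SAMPLE_CERT and SAMPLE_KEY are constructed placeholders rather than real credentials.

```python
"""Pre-paste check for the Certificate File and Private Key fields (added
example, not part of the Anti-DDoS console or its documentation).

Standard library only: it verifies PEM framing, that every block is base64
decoding to a DER SEQUENCE, and that the right kind of block is in each field.
It does not validate signatures or match the key to the certificate.
"""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

# Constructed stand-ins: the body is base64 of a 5-byte DER SEQUENCE, not a
# real certificate or key. Use the actual file contents in practice.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMAMCAQE=\n-----END PRIVATE KEY-----\n"


def parse_pem_blocks(text):
    """Return [(label, der_bytes), ...] for each PEM block in text.

    Raises ValueError if a block is not valid base64 or does not start with
    the DER SEQUENCE tag (0x30), which catches PFX/P7B or binary DER pasted
    without conversion.
    """
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label = match.group(1)
        body = re.sub(r"\s+", "", match.group(2))
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"{label} block is not valid base64") from exc
        if not der or der[0] != 0x30:
            raise ValueError(f"{label} block does not decode to a DER SEQUENCE")
        blocks.append((label, der))
    return blocks


def check_certificate_field(text):
    """Validate the Certificate File field; return the number of certificates.

    A chain pasted as concatenated PEM blocks is accepted; any non-certificate
    block (for example a private key pasted into the wrong field) is rejected.
    """
    blocks = parse_pem_blocks(text)
    if not blocks:
        raise ValueError("no PEM block found; convert PFX/P7B to PEM first")
    for label, _ in blocks:
        if label != "CERTIFICATE":
            raise ValueError(f"{label} block does not belong in Certificate File")
    return len(blocks)


def check_private_key_field(text):
    """Validate the Private Key field; return the key block's label.

    Exactly one private key block (PKCS#8 or traditional RSA/EC PEM) is
    expected; certificates or extra blocks here mean the fields were mixed up.
    """
    blocks = parse_pem_blocks(text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one key block, found {len(blocks)}")
    label = blocks[0][0]
    if label not in KEY_LABELS:
        raise ValueError(f"{label} is not a supported private key block")
    return label


if __name__ == "__main__":
    # A two-certificate chain (leaf + intermediate) and its key, constructed.
    print("certificates in chain:", check_certificate_field(SAMPLE_CERT * 2))
    print("key block:", check_private_key_field(SAMPLE_KEY))
```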

        Custom TLS security policy

        For more information, see Configure a TLS security policy for an HTTPS certificate.

        1. TLS Versions for SSL Certificate:

          Select the TLS versions that the certificate that uses internationally accepted algorithms supports. Options:

          • TLS 1.0 and later. This setting provides the best compatibility but low security. Supports TLS 1.0, TLS 1.1, and TLS 1.2.

          • TLS 1.1 and later. This setting provides good compatibility and medium security. Supports TLS 1.1 and TLS 1.2.

          • TLS 1.2 and later. This setting provides good compatibility and a high security level. Supports TLS 1.2.

          You can also select Enable TLS 1.3 as needed.

        2. Cipher Suites for SSL Certificate:

          Select the cipher suites that the certificate that uses internationally accepted algorithms supports, or select a custom cipher suite. You can move the pointer over the question mark icon on a cipher suite option to view the cipher suites included in the option.

        Enable Mutual Authentication

        To perform TLS mutual authentication between the client and Anti-DDoS Pro and Anti-DDoS Premium, upload the root CA certificate or intermediate CA certificate that issues the client certificate to Anti-DDoS Pro and Anti-DDoS Premium. Both CA certificates issued by Alibaba Cloud and CA certificates not issued by Alibaba Cloud are supported.

        • Issued by Alibaba Cloud: In the Default CA Certificate drop-down list, select a CA certificate that is issued by Alibaba Cloud Certificate Management Service (Original SSL Certificate).

        • Not Issued by Alibaba Cloud:

          1. Upload the self-signed CA certificate to Certificate Management Service (Original SSL Certificate). For more information, see Upload a certificate to a repository (upload a certificate).

          2. In the Default CA Certificate drop-down list, select the uploaded self-signed CA certificate.

        Enable OCSP Stapling

        Specifies whether to enable the Online Certificate Status Protocol (OCSP) feature. We recommend that you enable this feature.

        OCSP is an Internet protocol used to send a query request to the Certificate Authority (CA) that issues a server certificate to check whether the certificate is revoked. During a TLS handshake, a client must obtain both the certificate and the corresponding OCSP response.

        • Disabled (default): The client browser sends an OCSP query to the CA. This blocks subsequent events until the client receives the OCSP response. If the network condition is poor, this may cause a long period of page loading latency and decrease HTTPS performance.

        • Enabled: Anti-DDoS Pro and Anti-DDoS Premium performs the OCSP query and caches the query result for 3,600 seconds. When a client sends a TLS handshake request to the server, Anti-DDoS Pro and Anti-DDoS Premium sends the OCSP information of the server certificate together with the certificate chain to the client. This prevents the blocking issue caused by the client query. This process does not cause additional security issues because the OCSP response is signed by the CA and cannot be forged.

        SM certificate-based HTTPS

        Only Anti-DDoS Pro and Anti-DDoS Premium instances in the Chinese mainland support SM certificates. Only the SM2 algorithm is supported.

        Note

        Anti-DDoS Pro and Anti-DDoS Premium (the Chinese mainland) is verified to process SM requests from 360 Browser and Honglianhua Browser.

        • Allow Access Only from SM Certificate-based Clients: This switch is turned off by default.

          • On: Only processes requests from clients with an installed SM certificate.

            Note

            When enabled, TLS suite, mutual authentication, and OCSP stapling configurations for certificates using internationally accepted algorithms will not apply.

          • Off: Processes requests from clients with an installed SM certificate and those with a certificate using internationally accepted algorithms.

        • SM Certificate: You must upload an SM certificate to Certificate Management Service before selecting it.

        • SM Cipher Suites for HTTPS Support: The following cipher suites are enabled by default and cannot be modified.

          • ECC-SM2-SM4-CBC-SM3

          • ECC-SM2-SM4-GCM-SM3

          • ECDHE-SM2-SM4-CBC-SM3

          • ECDHE-SM2-SM4-GCM-SM3

      • Websocket: If you select this protocol, the HTTP protocol is automatically selected. You cannot select only the Websocket protocol.

      • Websockets: If you select this protocol, the HTTPS protocol is automatically selected. You cannot select only the Websockets protocol.

      After you select the HTTPS protocol, you can enable the following advanced settings as needed.

      • Enable HTTPS Redirection: This setting applies to websites that support both HTTP and HTTPS. After you enable this setting, all HTTP requests are forcibly converted to HTTPS requests and redirected to port 443 by default.

        Important
        • You can enable this setting only when both the HTTP and HTTPS protocols are selected and the Websocket protocol is not selected.

        • If you access the website over a non-standard HTTP port (other than port 80) and enable force redirect to HTTPS, the access requests are redirected to HTTPS port 443 by default.

      • Enable HTTP Redirection of Back-to-origin Requests: If the website does not support HTTPS for back-to-origin traffic, you must enable this setting. After you enable this setting, all HTTPS requests are sent to the origin server over HTTP, and all Websockets requests are sent to the origin server over Websocket. By default, the back-to-origin port is 80.

        Important

        If you access the website over a non-standard HTTPS port (other than port 443) and enable HTTP for back-to-origin traffic, the access requests are redirected to the origin server over HTTP port 80 by default.

      • HTTP/2 Listener: If you enable this feature, HTTP/2.0 clients can access Anti-DDoS Pro and Anti-DDoS Premium. However, Anti-DDoS Pro and Anti-DDoS Premium still uses HTTP/1.1 to send requests to the origin server.

        HTTP/2.0 feature specifications

        • Idle timeout after a connection is closed (http2_idle_timeout): 120s

        • Maximum number of requests per connection (http2_max_requests): 1000

        • Maximum number of concurrent streams per connection (http2_max_concurrent_streams): 4

        • Maximum size of the entire request header list after HPACK decompression (http2_max_header_size): 256K

        • Maximum size of an HPACK-compressed request header field (http2_max_field_size): 64K

      Server Address

      Select the address type of the origin server and enter the address of the origin server.

      Note

      The origin server can be an Alibaba Cloud service or a service that is not hosted on Alibaba Cloud. If the origin server is an Alibaba Cloud service, make sure that the service belongs to your Alibaba Cloud account. If the service belongs to another Alibaba Cloud account, contact your business manager before you add the service.

      • Origin IP Address: the IP address of the origin server. You can enter up to 20 origin IP addresses. Separate multiple IP addresses with commas (,).

        • If the origin server is an ECS instance on Alibaba Cloud, enter the public IP address of the ECS instance. If an SLB instance is deployed before the ECS instance, enter the public IP address of the SLB instance.

        • If the origin server is in a data center that is not deployed on Alibaba Cloud or is hosted on another cloud service provider, you can run the ping command against the domain name (ping <domain name>) to query the public IP address to which the domain name is resolved. Then, enter the obtained public IP address.

      • Origin Domain Name: This option is suitable for scenarios in which other proxy services, such as Web Application Firewall (WAF), are deployed between the origin server and Anti-DDoS Pro and Anti-DDoS Premium. The value of this parameter indicates the redirect address of the proxy service. You can enter up to 10 origin domain names. Separate multiple domain names with line breaks.

        For example, to deploy WAF after you deploy an Anti-DDoS Pro or Anti-DDoS Premium instance to improve application security, you can select Origin Domain Name and enter the CNAME of WAF. For more information, see Improve website protection by deploying Anti-DDoS Pro or Anti-DDoS Premium together with WAF.

        Important

        If you set Origin Domain Name to the default public endpoint of an OSS bucket, you must attach a custom domain name to the bucket. For more information, see Attach a custom domain name.

      Server Port

      Based on the Protocol Type, set the port on which the origin server provides the corresponding service.

      • The default port for the HTTP and Websocket protocols is 80.

      • The default port for the HTTPS, HTTP2, and Websockets protocols is 443.

      You can specify custom server ports. Separate multiple ports with commas (,). The following limits apply:

      • The custom ports must be within the allowed port range.

        • HTTP protocol port range: 80 to 65535.

        • HTTPS protocol port range: 80 to 65535.

      • The total number of custom ports for all website services that are protected by the Anti-DDoS Pro or Anti-DDoS Premium instance cannot exceed 10. This includes custom ports for different protocols.

        For example, you have two websites, A and B. Website A provides HTTP services and Website B provides HTTPS services. If you specify custom HTTP ports 80 and 8080 in the configuration of Website A, you can specify a maximum of eight different custom HTTPS ports in the configuration of Website B.

      CNAME Reuse

      This parameter is supported only by Anti-DDoS Pro and Anti-DDoS Premium (outside the Chinese mainland). Select whether to enable CNAME reuse.

      This feature is suitable for scenarios in which multiple website services are hosted on the same server. After you enable CNAME reuse, you need to only point the DNS records of multiple domain names on the same server to the same CNAME of the Anti-DDoS Pro or Anti-DDoS Premium instance. This way, you can add multiple domain names to Anti-DDoS Pro and Anti-DDoS Premium without the need to add a website configuration for each domain name. For more information, see CNAME reuse.

    2. Configure the forwarding settings and click Next.

      Configuration item

      Description

      Back-to-origin Scheduling Algorithm

      This parameter is required if you have multiple origin server addresses (origin IP addresses or origin domain names). You can change the load balancing algorithm or set weights for different servers.

      • Round-robin (default): All requests are sequentially distributed to all server addresses. By default, all server addresses have the same weight. You can change the server weights. The greater the weight of a server, the higher the probability that requests are forwarded to the server. This algorithm is suitable for scenarios where multiple origin servers are used and an even load distribution across origin servers is required.

      • IP hash: You can set an IP hash and weights for servers. The IP hash algorithm ensures that requests from the same client are forwarded to the same server for a period of time. This ensures session consistency. In weight mode, weights are allocated based on the processing capabilities of servers. This ensures that servers with higher performance process more requests and improves resource utilization. This algorithm is suitable for scenarios where user session consistency must be maintained. In extreme cases, the load may be imbalanced.

      • Least time: The intelligent DNS resolution capability and the least time back-to-origin algorithm ensure the lowest latency for service traffic across the entire link from the protection node to the origin server.

      • Retry Back-to-origin Requests: When a resource requested by Anti-DDoS Pro and Anti-DDoS Premium is not found on the cache server, the cache server attempts to retrieve the resource from an upper-level cache server or the origin server.

        Note

        You can set the maximum number of back-to-origin retries for each origin server. The default value is 3.

      Traffic Marking

      • Originating Port

        The name of the HTTP header that contains the originating port of the client.

        In most cases, the X-Forwarded-ClientSrcPort header is used to record the originating port of the client. If you use a custom header to record the originating port of the client, specify the custom header for Originating Port. After Anti-DDoS Proxy forwards back-to-origin requests to your origin server, your origin server parses the custom header to obtain the originating port of the client. The steps to obtain the originating port of the client are similar to the steps to obtain the originating IP address of the client. For more information, see Obtain the originating IP addresses of requests.

      • Originating IP Address

        The name of the HTTP header that contains the originating IP address of the client.

        In most cases, the X-Forwarded-For header is used to record the originating IP address of the client. If you use a custom header to record the originating IP address of the client, specify the custom header for Originating IP Address. After Anti-DDoS Proxy forwards back-to-origin requests to your origin server, your origin server parses the custom header to obtain the originating IP address of the client.

      • Custom Header

        You can add custom HTTP headers to requests that pass Anti-DDoS Proxy to mark the requests. To add custom HTTP headers, specify header names and values. After you create custom headers, Anti-DDoS Proxy adds the custom headers to the back-to-origin requests. This way, the backend servers can perform statistical analysis on the back-to-origin requests.

        • Do not use the following default headers as custom headers:

          • X-Forwarded-ClientSrcPort: This header is used to obtain the originating ports of clients that access Anti-DDoS Proxy (a Layer 7 proxy).

          • X-Forwarded-ProxyPort: This header is used to obtain the ports of listeners that access Anti-DDoS Proxy (a Layer 7 proxy).

          • X-Forwarded-For: This header is used to obtain the originating IP addresses of clients that access Anti-DDoS Proxy (a Layer 7 proxy).

        • Do not use standard HTTP headers (such as Host, User-Agent, Connection, and Upgrade) or widely used custom HTTP headers (such as X-Real-IP, X-True-IP, X-Client-IP, Web-Server-Type, WL-Proxy-Client-IP, EagleEye-RPCID, EagleEye-TraceID, X-Forwarded-Cluster, and X-Forwarded-Proto). If you use the above headers, the original headers are overwritten.

        • You can add up to five custom HTTP headers.
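On the origin side, the headers above are only meaningful when the request actually arrived from an Anti-DDoS Proxy back-to-origin address; a client that reaches the origin directly can set them to arbitrary values, which is why Step 2 restricts the origin to the back-to-origin IP ranges. The following Python helper is an added example, not code from the product or its documentation: it trusts X-Forwarded-For and X-Forwarded-ClientSrcPort (or the custom header names you configured) only when the TCP peer is in TRUSTED_PROXIES, a placeholder for the back-to-origin CIDR blocks you allowed, and walks back over any further trusted hops such as a WAF deployed between Anti-DDoS Proxy and the origin.

```python
"""Origin-side recovery of the client IP and port from the headers that
Anti-DDoS Proxy adds to back-to-origin requests (added example, not code from
the product or its documentation).

Assumptions: the origin sees the proxy's back-to-origin IP as its TCP peer;
TRUSTED_PROXIES is a placeholder for the back-to-origin CIDR blocks allowed in
Step 2 (take the real ranges from the console); header names default to the
ones named on the page and can be overridden if custom headers were set under
Traffic Marking.
"""
import ipaddress

# Placeholder only (RFC 5737 documentation range): replace with the real
# back-to-origin ranges from the console. Add the WAF's ranges as well if a
# WAF sits between Anti-DDoS Proxy and the origin.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_trusted_proxy(addr, trusted=TRUSTED_PROXIES):
    """True if addr (a string) falls inside one of the trusted CIDR blocks."""
    return _is_ip(addr) and any(ipaddress.ip_address(addr) in n for n in trusted)


def client_address(peer_ip, headers, ip_header="X-Forwarded-For",
                   port_header="X-Forwarded-ClientSrcPort",
                   trusted=TRUSTED_PROXIES):
    """Return (client_ip, client_port) for one back-to-origin request.

    peer_ip is the TCP source address the origin actually saw; headers is a
    dict of request headers (matched case-insensitively). If the peer is not a
    trusted proxy, the forwarded headers are ignored and (peer_ip, None) is
    returned, because a direct client could have set them to anything.
    """
    if not is_trusted_proxy(peer_ip, trusted):
        return peer_ip, None
    lower = {k.lower(): v for k, v in headers.items()}

    # X-Forwarded-For lists the original client first and then each proxy
    # that forwarded the request. Strip trailing hops that are themselves
    # trusted proxies; the rightmost remaining entry is the address the first
    # trusted hop observed, which the client cannot choose.
    hops = [h.strip() for h in lower.get(ip_header.lower(), "").split(",")]
    hops = [h for h in hops if h]
    while hops and is_trusted_proxy(hops[-1], trusted):
        hops.pop()
    if not hops or not _is_ip(hops[-1]):
        return peer_ip, None  # header missing or malformed: fall back to peer
    client_ip = str(ipaddress.ip_address(hops[-1]))

    # The port header carries a single value; accept it only if it is a valid
    # TCP port number.
    port = None
    raw = (lower.get(port_header.lower()) or "").strip()
    if raw.isdigit() and 1 <= int(raw) <= 65535:
        port = int(raw)
    return client_ip, port


if __name__ == "__main__":
    # Constructed request as the origin would see it behind Anti-DDoS Proxy.
    print(client_address("203.0.113.7", {
        "X-Forwarded-For": "198.51.100.23",
        "X-Forwarded-ClientSrcPort": "51234",
    }))
```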

      Cookie Settings

      • Enabling status

        This feature is enabled by default. When enabled, Anti-DDoS Pro and Anti-DDoS Premium inserts a cookie into the client, such as a browser, to differentiate clients or obtain client fingerprints. For more information, see Configure CC security protection.

        Important

        To prevent Anti-DDoS Pro and Anti-DDoS Premium from inserting a cookie into your service, you can disable this feature. However, if you disable this feature, Anti-DDoS Pro and Anti-DDoS Premium cannot use the CC security protection policy module to proactively detect and defend against CC attacks.

      • Secure attribute

        This feature is disabled by default. If you enable this feature, the cookie is sent only over HTTPS connections, not over HTTP connections. This helps protect the cookie from being stolen by attackers. We recommend that you enable this feature when your website service supports only HTTPS connections.

      Other Settings

      • Configure New Connection Timeout Period: When Anti-DDoS Pro and Anti-DDoS Premium attempts to establish a connection to the origin server, the connection is considered to have failed if it is not established within this period. You can set this parameter to a value from 1 to 10 seconds.

      • Configure Read Connection Timeout Period: After Anti-DDoS Pro and Anti-DDoS Premium establishes a connection and sends a read request to the origin server, this is the maximum amount of time that Anti-DDoS Pro and Anti-DDoS Premium waits for a response from the origin server. You can set this parameter to a value from 10 to 300 seconds.

      • Configure Write Connection Timeout Period: After data is sent from Anti-DDoS Pro and Anti-DDoS Premium and before the origin server starts to process the data, this is the amount of time that Anti-DDoS Pro and Anti-DDoS Premium waits. The write request is considered to have failed if Anti-DDoS Pro and Anti-DDoS Premium has not sent all data to the origin server or the origin server has not started to process the data within this period. You can set this parameter to a value from 10 to 300 seconds.

      • Back-to-origin Persistent Connection: This feature keeps a TCP connection between the cache server and the origin server active for a period of time instead of closing the connection after each request is complete. After you enable this feature, the time and resources that are required to establish connections are reduced, and the request processing efficiency and speed are improved.

      • Requests Reusing Persistent Connections: the number of HTTP requests that can be sent over a TCP connection that is established between Anti-DDoS Pro and Anti-DDoS Premium and the origin server. This reduces the latency and resource consumption that are caused by frequent connection establishment and closure. You can set this parameter to a value from 10 to 1000. We recommend that you set this parameter to a value that is less than or equal to the number of requests that can reuse a persistent connection on the backend origin server, such as a WAF or SLB instance. This prevents service interruptions that are caused by the closure of persistent connections.

      • Timeout Period of Idle Persistent Connections: the maximum amount of time that a persistent TCP connection established between Anti-DDoS Pro and Anti-DDoS Premium and the origin server can remain open in the connection pool of Anti-DDoS Pro and Anti-DDoS Premium after no data is transmitted. If no new requests are received during this period, the connection is closed to release system resources. You can set this parameter to a value from 10 to 30 seconds. We recommend that you set this parameter to a value that is less than or equal to the timeout period that is configured on the backend origin server, such as a WAF or SLB instance. This prevents service interruptions that are caused by the closure of persistent connections.

      • Upper Limit for HTTP/2 Streams: This parameter is available only when HTTP/2 is enabled. It specifies the maximum number of concurrent streams that are allowed between the client and Anti-DDoS Pro and Anti-DDoS Premium. You can set this parameter to a value from 16 to 32. If you require a higher value, contact your business manager.

Step 2: Switch website traffic to Anti-DDoS Pro or Anti-DDoS Premium

Website traffic must first pass through Anti-DDoS Pro or Anti-DDoS Premium for scrubbing before being forwarded to the origin server. This enables Anti-DDoS Pro or Anti-DDoS Premium to protect your website against DDoS attacks.

  1. Allow back-to-origin IP addresses: In your origin server's security policies (such as firewall or security group rules), allow the back-to-origin IP address ranges of Anti-DDoS Pro or Anti-DDoS Premium (add them to the whitelist). This prevents legitimate traffic forwarded by Anti-DDoS Pro or Anti-DDoS Premium from being blocked. For instructions, see Allow back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium.

  2. Verify configuration locally: Before switching DNS resolution, verify that the forwarding configuration works as expected by modifying your local hosts file or similar methods. This helps avoid service interruptions. For instructions, see Verify traffic forwarding settings on a local machine.

  3. Switch DNS resolution: After successful local verification, update your website's DNS record to point to the CNAME address provided by Anti-DDoS Pro or Anti-DDoS Premium. This officially routes your website traffic through Anti-DDoS Pro or Anti-DDoS Premium for protection. For instructions, see Resolve your website domain name to Anti-DDoS Pro or Anti-DDoS Premium using a CNAME or IP address.

Step 3: Configure mitigation policies

After adding your website, Anti-DDoS Pro or Anti-DDoS Premium enables Anti-DDoS Global Mitigation Policy, Intelligent Protection, and Frequency Control by default. You can also enable additional protection features or modify protection rules on the Protection for Website Services tab.

  1. On the Website Config page, find the target domain name and click Actions > Mitigation Settings.

  2. On the Protection for Website Services tab, create a mitigation policy for the target domain name.

    Configuration Item

    Description

    Intelligent Protection

    Enabled by default. Intelligent Protection uses an intelligent and big data-based analysis engine to learn traffic patterns, detect and block new types of HTTP flood attacks, and dynamically adjust policies to block malicious requests. You can manually change the protection mode and level. For more information, see Use the intelligent protection feature.

    Anti-DDoS Global Mitigation Policy

    Enabled by default. Anti-DDoS Pro or Anti-DDoS Premium provides three built-in global mitigation policies classified by traffic scrubbing intensity. These policies help you respond to volumetric attacks immediately and improve response timeliness. For more information, see Configure the global mitigation policy.

    Blacklist and Whitelist

    After enabling this policy, requests from IP addresses or CIDR blocks in the blacklist are blocked, and requests from IP addresses or CIDR blocks in the whitelist are allowed without filtering by any mitigation policy. For more information, see Configure blacklists and whitelists for domain names.

    Location Blacklist

    Block all website access requests from IP addresses in specified locations. For more information, see Configure a location blacklist for a domain name.

    Accurate Access Control

    Configure custom access control rules to filter requests based on commonly used HTTP fields such as IP, URI, Referer, User-Agent, and parameters. You can allow, block, or verify requests that match the rules. For more information, see Configure accurate access control rules.

    Frequency Control

    Enabled by default. Restrict the frequency of access from a single source IP address to your website. Frequency Control takes effect immediately after it is enabled. By default, the Normal mode is used to protect your website against common HTTP flood attacks. You can manually change the protection mode and create custom rules to reinforce protection. For more information, see Configure frequency control.

Step 4: View protection data

After adding your website to Anti-DDoS Pro or Anti-DDoS Premium, use the security reports and log features in the Anti-DDoS Pro or Anti-DDoS Premium console to view protection data.

  1. On the Security Overview page, view statistics for the instance and domain name, and details of DDoS attacks. For more information, see Security Overview.

  2. On the Operation Logs page, view important operation records. For more information, see Query operation logs.

  3. On the Log Analysis page, view logs for your website. For more information, see Use the Log Analysis feature.

    Note

    The log analysis feature is a value-added service. To use this service, you must purchase and enable it. After enabling log analysis, Alibaba Cloud Log Service collects and maintains logs for website access and HTTP flood attacks. You can search and analyze log data in real time and view results on dashboards. For more information, see What is Log Service?.

FAQ

  • After adding my website to Anti-DDoS Pro or Anti-DDoS Premium, users report login failures or session loss.

    This issue is likely caused by the cookie insertion feature of Anti-DDoS Pro or Anti-DDoS Premium, which is used for HTTP flood protection. Try disabling the Delivery Status switch in Forwarding Settings > Cookie Settings.

    Warning

    Note that disabling this feature affects the effectiveness of some HTTP flood protection rules.

  • I just purchased an instance. Is my website protected now?

    No. Purchasing an instance is only the first step. You must complete the Add Website configuration in the console and update your domain's DNS record to point to the CNAME address provided by Anti-DDoS Pro or Anti-DDoS Premium. Your website traffic is protected only after the DNS change takes effect.