Object Storage Service (OSS) DDoS protection is a proxy-based attack mitigation service that integrates OSS with Anti-DDoS Pro. When a bucket for which OSS DDoS protection is enabled suffers a DDoS attack, OSS DDoS protection diverts incoming traffic to an Anti-DDoS instance for scrubbing and then redirects normal traffic to the bucket. This ensures the continuity of your business in the event of DDoS attacks.
Scenarios
DDoS attacks have been one of the most harmful attacks against enterprise business in recent years. When an enterprise suffers a DDoS attack, its business may be interrupted within seconds. This affects business operations, causes damage to corporate identity and financial interests, and leads to customer attrition.
To mitigate these problems, OSS is integrated with Anti-DDoS Pro to support Tbit/s-level DDoS attack mitigation, millions of queries per second (QPS), and switchovers from Anti-DDoS Origin to Anti-DDoS Pro within a few seconds. These capabilities can protect your business from attacks, such as Tbit/s-level DDoS attacks, volumetric Challenge Collapsar (CC) attacks, SYN flood, ACK flood, Internet Control Message Protocol (ICMP) flood, UDP flood, NTP flood, Simple Service Discovery Protocol (SSDP) flood, Domain Name System (DNS) flood, and HTTP flood. This ensures business continuity.
Usage notes
OSS DDoS protection does not handle small-volume fraudulent traffic in the form of normal requests, such as hundreds of MB of fraudulent traffic. We recommend that you configure permission control, such as policies and access control lists (ACLs) or configure Web Application Firewall (WAF) protection policies, to prevent the issue. For more information, see How do I prevent unauthorized access to OSS?
How OSS DDoS protection works
The following figure shows how OSS DDoS protection works.
By default, OSS uses Anti-DDoS Origin to protect your bucket. For more information, see What is an Anti-DDoS Origin paid edition? However, if the attack frequency exceeds the protection threshold of Anti-DDoS Origin, Anti-DDoS Origin cannot provide effective attack mitigation and your bucket may become inaccessible.
After you enable OSS DDoS protection, when the attack frequency exceeds the protection threshold of Anti-DDoS Origin, OSS diverts all incoming traffic to an Anti-DDoS Pro instance. Malicious traffic is scrubbed in the scrubbing center of Anti-DDoS Pro. Only legitimate traffic is forwarded to the requested bucket by using forwarding ports. This ensures normal access to the bucket regardless of whether the bucket is under attack.
After the attacks stop, OSS switches back to using Anti-DDoS Origin for bucket protection.
Limits
OSS DDoS protection is supported in the following regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Shenzhen), and China (Hong Kong).
OSS DDoS protection can protect access by using only the public endpoints of buckets, such as
oss-cn-hangzhou.aliyuncs.com
. OSS Anti-DDoS Protection cannot protect access by using the following endpoints:Acceleration endpoints include the global acceleration endpoint (
oss-accelerate.aliyuncs.com
) and the acceleration endpoint of regions outside the Chinese mainland (oss-accelerate-overseas.aliyuncs.com
).Access point endpoints, such as
ap-01-3b00521f653d2b3223680ec39dbbe2****-ossalias.oss-cn-hangzhou.aliyuncs.com
.Object FC Access Point endpoints, such as
fc-ap-01-3b00521f653d2b3223680ec39dbbe2****-opapalias.oss-cn-hangzhou.aliyuncs.com
).Endpoints accessed over IPv6, such as
cn-hangzhou.oss.aliyuncs.com
.Amazon Simple Storage Service (S3) endpoints, such as
s3.oss-cn-hongkong.aliyuncs.com
.
An Anti-DDoS instance must be retained for at least 7 days after the instance is created. If the instance is deleted within 7 days (168 hours), you are charged basic resource fees for the remaining duration of the Anti-DDoS instance that is released within the minimum usage duration. For more information, see OSS DDoS protection fees.
You can create only one Anti-DDoS instance in a region. You can attach up to 10 buckets to each instance in the same region.
After you attach a bucket to the instance, you cannot preview the resources in the bucket by using browsers. In addition, OSS does not protect the custom domain names mapped to the bucket by default. Therefore, when the bucket is under attack, you cannot access the bucket by using the custom domain names. If you want to access a bucket by using a custom domain name when the bucket is under attack, add the custom domain name in the OSS console. You can add up to five custom domain names for each bucket.
If a custom domain name (such as
www.example.com
) of the bucket that you want to protect matches an accurate domain name (such aswww.example.com
) or a wildcard domain name (such as*.example.com
) that is specified in a forwarding rule of the instance, you must go to the Anti-DDoS Pro console to unbind the accurate domain name or the wildcard domain name. Otherwise, when the bucket is under attack, you cannot access the bucket by using the custom domain name.For more information about forwarding rules, see Add one or more websites.
Use the OSS console
Create an Anti-DDoS instance.
Log on to the OSS console.
In the left-side navigation pane, click .
Optional. If you use Anti-DDoS Pro for the first time, click Activate Now on the Anti-DDoS Pro page.
On the Anti-DDoS Pro page, click Create Anti-DDoS Instance. In the Create Anti-DDoS Instance dialog box, select "I understand the above information and want to enable the feature." and a region from the Region drop-down list.
Click OK.
Attach a bucket to the Anti-DDoS instance.
On the Anti-DDoS Pro page, click View and Attach Buckets in the Actions column of the instance to which you want to attach a bucket.
In the View and Attach Buckets panel, click Attach Buckets.
In the Attach Buckets dialog box, select a bucket that you want to attach from the Bucket drop-down list.
Buckets to which Anti-DDoS instances are attached are not displayed in the Bucket drop-down list.
Click OK.
After the bucket is attached to the Anti-DDoS instance, the bucket enters the Initializing state. When the bucket enters the Defending state, the Anti-DDoS instance starts to protect the bucket.
If you want to protect a custom domain name, add the custom domain name to the protection list of the Anti-DDoS instance.
ImportantBy default, OSS does not protect custom domain names that are mapped to a bucket. When the bucket is under attack, you cannot access the bucket by using the custom domain names. If you want to access a bucket by using the custom domain names that are mapped to the bucket when the bucket is under attack, add the custom domain names to the protection lists of Anti-DDoS instances in the OSS console. You can add up to five custom domain names for each bucket to the protection list of an Anti-DDoS instance and the five custom domain names belong to a maximum of four sites. For example,
a.mycname.com
andb.mycname.com
belong to the same site andc.othercname.com
is a different site.If no custom domain names are mapped to a bucket, you need to map a custom domain name to the bucket. For more information, see Map custom domain names.
If a custom domain name is mapped to the bucket, add the custom domain name by performing the following steps:
On the right side of the bucket attached to the instance, click View and Attach Buckets in the Operations column. In the View and Attach Buckets panel, click Modify Custom Domain Name.
Select the custom domain name that you want to add.
Click OK.
Then, you can access the bucket by using the custom domain name when the bucket is under attack.