After you purchase an Anti-DDoS Origin instance, you must add your asset that is assigned a public IP address to the instance for protection. This way, Anti-DDoS Origin provides the default mitigation capability for the asset. If the protected project encounters cross-border DDoS attacks and your service does not involve cross-border traffic, you can enable cross-border traffic blocking to quickly block cross-border traffic. This topic describes how to add an object for protection and enable cross-border traffic blocking for the protected object.
Add an object for protection
If you use an Anti-DDoS Origin instance for the first time, you must follow the instructions that are provided on the page to complete the authorization for the assets within your Alibaba Cloud account.
Scenario 1: Add an object to an Anti-DDoS Origin 1.0 (Subscription) instance
The instance can only be an Anti-DDoS Origin Enterprise instance and protect an asset of a regular Alibaba Cloud service.
Log on to the Traffic Security console.
In the top navigation bar, select the resource group to which the instance belongs and the region in which the instance resides.
In the left-side navigation pane, choose .
On the Protected Objects page, select the instance that you purchased and click Add Object for Protection.
In the Add Object for Protection dialog box, click the Add Asset or Add Manually tab and add an asset for protection. Then, click Confirm.
Add Asset: Select an asset that belongs to the current Alibaba Cloud account.
Add Manually: Enter the public IP address of the asset that belongs to the current Alibaba Cloud account.
Scenario 2: Add an object to an Anti-DDoS Origin 2.0 (Subscription) instance
The instance can be an Anti-DDoS Origin Enterprise instance or an Anti-DDoS Origin instance of Inclusive Edition for Small and Medium Enterprises and protect an asset of a regular Alibaba Cloud service.
Log on to the Traffic Security console.
In the top navigation bar, select the resource group to which the instance belongs and All Regions.
In the left-side navigation pane, choose .
On the Protected Objects page, select the instance that you purchased and click Add Object for Protection.
In the Add Object for Protection dialog box, click the Add Asset or Add Manually tab and add an asset for protection. Then, click Confirm.
Add Asset: Select an asset that belongs to the current Alibaba Cloud account.
Add Manually: Enter the public IP address of the asset that belongs to the current Alibaba Cloud account.
Scenario 3: Add an object to an Anti-DDoS Origin 2.0 (Pay-as-you-go) instance
The instance can protect an asset of a regular Alibaba Cloud service or an elastic IP address (EIP) with Anti-DDoS (Enhanced) enabled.
Asset of a regular Alibaba Cloud service: You can perform the following operations to add the asset to the instance.
EIP with Anti-DDoS (Enhanced) enabled: After you purchase an EIP with Anti-DDoS (Enhanced) enabled, the EIP with Anti-DDoS (Enhanced) enabled is automatically added for protection. You do not need to manually add the EIP with Anti-DDoS (Enhanced) enabled. You can view the purchased EIP with Anti-DDoS (Enhanced) enabled on the EIP with Anti-DDoS (Enhanced) Enabled tab of the Protected Objects page.
Log on to the Traffic Security console.
In the top navigation bar, select the resource group to which the instance belongs and All Regions.
In the left-side navigation pane, choose .
On the Protected Objects page, select the instance that you purchased and click Add Object for Protection.
In the Add Object for Protection dialog box, click the Add Asset or Add Manually tab and add an asset for protection. Then, click Confirm.
Add Asset: Select an asset that belongs to the current Alibaba Cloud account.
Add Manually: Enter the public IP address of the asset that belongs to the current Alibaba Cloud account.
Scenario 4: Add an asset of a member for protection after you enable the multi-account management feature
If your Alibaba Cloud account has the multi-account management feature enabled and is the management account, you can add assets of members for protection. For more information, see Use the multi-account management feature.
You can enable the multi-account management feature only for Anti-DDoS Origin 2.0 (Subscription) Enterprise instances and Anti-DDoS Origin 2.0 (Pay-as-you-go) instances.
Asset of a regular Alibaba Cloud service: You can perform the following operations to add the asset to the instance.
EIP with Anti-DDoS (Enhanced) enabled: After the multi-account management feature is enabled, an EIP with Anti-DDoS (Enhanced) enabled that is purchased by a member is automatically added for protection. You do not need to manually add the EIP with Anti-DDoS (Enhanced) enabled. You can view the purchased EIP with Anti-DDoS (Enhanced) enabled on the EIP with Anti-DDoS (Enhanced) Enabled tab of the Protected Objects page.
Log on to the Traffic Security console.
In the top navigation bar, select the resource group to which the instance belongs and All Regions.
In the left-side navigation pane, choose .
On the Protected Objects page, select the instance that you purchased and click Add Object for Protection.
In the Add Object for Protection dialog box, click the Add Assets of Members and click Confirm.
Enable cross-border traffic blocking for a protected object
The cross-border traffic blocking mitigation policy has a validity period and can be used only 10 times per month. We recommend that you enable this type of mitigation policy when a DDoS attack occurs.
The cross-border traffic blocking mitigation policy discards all cross-border service traffic within a specified blocking period. This policy is suitable for scenarios in which your service does not involve cross-border traffic. The cross-border traffic blocking mitigation policy typically discards traffic from specific regions based on the location of the attack source by using core routers in the backbone network of an Internet service provider (ISP).
If the protected asset resides in the Chinese mainland, the cross-border traffic blocking mitigation policy blocks all traffic from outside the Chinese mainland.
If the protected asset resides outside the Chinese mainland, the cross-border traffic blocking mitigation policy blocks all traffic from the Chinese mainland.
If your asset receives DDoS attacks, you can log on to the Traffic Security console and view the details of the attack on the Attack Analysis page. If the attack traffic comes from cross-border IP addresses, you can enable the cross-border traffic blocking mitigation policy for the asset. After the blocking period that you specify ends, the policy automatically stops blocking cross-border traffic. If you no longer want to block cross-border traffic, you can manually disable cross-border traffic blocking before the blocking period ends.
Log on to the Traffic Security console.
In the top navigation bar, select the resource group to which the instance belongs and the region in which the instance resides.
Anti-DDoS Origin 1.0 (Subscription) instance: Select the region in which the instance resides.
Anti-DDoS Origin 2.0 (Subscription) instance and Anti-DDoS Origin 2.0 (Pay-as-you-go) instance: Select All Regions.
In the left-side navigation pane, choose .
Select the required instance, find the IP address of the asset that you want to manage, turn on the switch in the Cross-Border Traffic Blocking column, and configure the blocking period.
NoteThe blocking period can be 30 minutes to 1 day. You cannot directly change the blocking period after your configure it. If you want to change the blocking period, you must disable cross-border traffic blocking and enable it again.
You can view the Start Time and End Time that you specify for an asset in the asset list. After the blocking period ends, cross-border traffic blocking is automatically disabled and the switch in the Cross-Border Traffic Blocking column is turned off.
Manage a protected object
View the details of a protected object
Log on to the Traffic Security console.
In the top navigation bar, select the resource group to which the instance belongs and the region in which the instance resides.
Anti-DDoS Origin 1.0 (Subscription) instance: Select the region in which the instance resides.
Anti-DDoS Origin 2.0 (Subscription) instance and Anti-DDoS Origin 2.0 (Pay-as-you-go) instance: Select All Regions.
In the left-side navigation pane, choose .
On the Protected Objects page, select the instance that you want to manage. Then, you can view the mitigation settings of the assets that are protected by the instance.
Assets that are assigned public IP addresses and WAF instances
Column
Description
IP
The asset that is protected by the instance.
Owner Account of Asset
The Alibaba Cloud account to which the asset belongs. This column is displayed only when the current Alibaba Cloud account has the multi-account management feature enabled and is the management account, and you purchase an Anti-DDoS Origin 2.0 Enterprise instance.
Traffic Scrubbing Threshold
The minimum bandwidth that must be reached before traffic scrubbing is triggered. The bandwidth is measured in Mbit/s and pps. For more information, see Configure a traffic scrubbing threshold.
Asset Region
The region in which the asset resides.
Asset Type
The type of the asset.
Status
The security status of the asset.
Normal.
Blackhole Filtering Triggered. You can manually deactivate blackhole filtering. To deactivate blackhole filtering, click Deactivate Blackhole Filtering in the Actions column. In the Deactivate Blackhole Filtering message, view the remaining number of times that you can deactivate blackhole filtering and click OK. You can also view the blackhole filtering events. For more information, see View information about blackhole filtering events.
Mitigation Policy
The mitigation policy that is attached to the asset.
If Default is displayed in this column, no mitigation policies are attached to the asset. The default mitigation capability of the Anti-DDoS Origin is provided for the asset. If a custom mitigation policy is used, you can click the policy to go to the Mitigation Settings page to view the details of the policy.
Cross-Border Traffic Blocking
Indicates whether cross-border traffic blocking is enabled.
Actions
Delete: Remove the asset.
Deactivate Blackhole Filtering: Deactivate blackhole filtering. This operation is supported only when the asset is in the Blackhole Filtering Triggered state.
View Applied Policy: View the details of the mitigation policy that is attached to the asset.
EIPs with Anti-DDoS (Enhanced) enabled
Column
Description
IP
The EIP with Anti-DDoS (Enhanced) enabled.
Owner Account of Asset
The Alibaba Cloud account to which the asset belongs. This column is displayed only when the current Alibaba Cloud account has the multi-account management feature enabled and is the management account.
Traffic Scrubbing Threshold
The minimum bandwidth that must be reached before traffic scrubbing is triggered. The bandwidth is measured in Mbit/s and pps. For more information, see Configure a traffic scrubbing threshold.
Asset Region
The region in which the EIP with Anti-DDoS (Enhanced) enabled resides.
Asset Type
The value is fixed as EIP with Anti-DDoS (Enhanced) Enabled.
Ports
The number of ports for which port-specific mitigation policies are configured. You can click the icon to the left of the EIP with Anti-DDoS (Enhanced) enabled to view the ports to which port-specific mitigation policies are attached.
Status
The security status of the EIP with Anti-DDoS (Enhanced) enabled.
Normal.
Blackhole Filtering Triggered. You can manually deactivate blackhole filtering. To deactivate blackhole filtering, click Deactivate Blackhole Filtering in the Actions column. In the Deactivate Blackhole Filtering message, view the remaining number of times that you can deactivate blackhole filtering and click OK. You can also view the blackhole filtering events. For more information, see View information about blackhole filtering events.
Mitigation Policy
The mitigation policy that is attached to the EIP with Anti-DDoS (Enhanced) enabled.
If Default is displayed in this column, no mitigation policies are attached to the EIP with Anti-DDoS (Enhanced Edition) enabled. The default mitigation capability of the Anti-DDoS Origin is provided for the asset. If a custom mitigation policy is used, you can click the policy to go to the Mitigation Settings page to view the details of the policy.
Cross-Border Traffic Blocking
Indicates whether cross-border traffic blocking is enabled.
Actions
Add Port: Add a port.
Deactivate Blackhole Filtering: Deactivate blackhole filtering. This operation is supported only when the EIP with Anti-DDoS (Enhanced) enabled is in the Blackhole Filtering Triggered state.
View Applied Policy: View the details of the mitigation policy that is attached to the EIP with Anti-DDoS (Enhanced) enabled.
Remove a protected object
On the Protected Objects page, select the instance that you want to manage.
In the asset list, find the asset that you want to manage and click Delete in the Actions column.
In the Delete Protected Object message, view the prompt and click OK.
FAQ
References
After an asset is added, the Mitigation Policy column displays Default, which indicates that the default mitigation capability of Anti-DDoS Origin is provided for the asset. If you want to allow or deny service traffic that has specific characteristics, you can create a custom mitigation policy and attach the policy to the asset. For more information, see Configure IP-specific mitigation policies and Configure port-specific mitigation policies.
WarningWhen you attach a port-specific mitigation policy to a port, a transient connection that lasts a few seconds occurs on your TCP-based services. We recommend that you attach a port-specific mitigation policy to a port during off-peak hours.
Assets of regular Alibaba Cloud services support only IP-specific mitigation policies. EIPs with Anti-DDoS (Enhanced) enabled support both IP-specific and port-specific mitigation policies. If you configure both IP-specific and port-specific mitigation policies, IP-specific mitigation policies have a higher priority.
For more information about setting scrubbing threshold for assets, see Configure a traffic scrubbing threshold.