Anti-DDoS Diversion offers a solution to protect servers in an Internet Data Center (IDC) outside the Chinese mainland from DDoS attacks. It reroutes inbound traffic to the Alibaba Cloud traffic scrubbing center, where malicious traffic is intelligently filtered out. The legitimate traffic that has been filtered is then reinjected into the network. This topic provides an overview of Anti-DDoS Diversion and explains how it safeguards IDC servers.
Introduction
Anti-DDoS Diversion can protect IDC servers deployed on-premises or in the cloud outside the Chinese mainland. It enables DDoS protection for public Classless Inter-Domain Routing (CIDR) blocks to mitigate common network and transport layer DDoS attacks without altering the original IP addresses or network architecture. With mitigation capabilities at the Tbit/s level, Anti-DDoS Diversion is well-suited for protecting on-premises servers and small Internet service providers (ISPs) outside the Chinese mainland.
Anti-DDoS Diversion has four key components, namely attack detection, traffic diversion, traffic reinjection, and mitigation reports, which are detailed as follows:
Attack detection
Detected by customer
When the normal operation of an IDC is disrupted, your O&M team diagnoses and analyzes the attack patterns, such as a sudden influx of traffic from numerous IPs or a spike in specific packet types, to confirm a DDoS attack. Once the attack is confirmed, the O&M team manually initiates Anti-DDoS Diversion through the traffic security console or by calling the API.
Detected by Anti-DDoS Diversion instance
The Anti-DDoS Diversion instance actively monitors business traffic using NetFlow data that you export to it. Diversion is triggered automatically when traffic exceeds the preset threshold. This detection method is available only to IDCs on Alibaba Cloud and only for specific protocols, so contact Alibaba Cloud technical support before using it.
Note: NetFlow data sent to the Anti-DDoS Diversion data center must be correctly formatted by your routers and must include the following fields: source and destination IP addresses, destination port, protocol type, and packet and byte counts.
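To make the threshold-based trigger concrete, the following is an added Python example (not Alibaba Cloud's code) that takes the NetFlow fields listed above, aggregates them per protected CIDR block over one export window, and reports which blocks exceed a preset rate. The protected prefixes, the thresholds, the window length and the flow records are all constructed for the example; the real preset values are agreed with Alibaba Cloud technical support.

```python
import ipaddress
from collections import defaultdict

# Protected public CIDR blocks (constructed; RFC 5737 documentation ranges).
PROTECTED_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Hypothetical preset thresholds; the real values are agreed with the provider.
BPS_THRESHOLD = 1_000_000_000  # 1 Gbit/s average over the export window
PPS_THRESHOLD = 50_000         # 50 kpps average over the export window
WINDOW_SECONDS = 60            # length of the NetFlow export window

# Constructed NetFlow-style records, one dict per exported flow, carrying the
# fields the text lists: src/dst IP, dst port, protocol, packet and byte counts.
SAMPLE_FLOWS = [
    # ordinary HTTPS traffic into the first block
    {"src": "192.0.2.10", "dst": "198.51.100.20", "dport": 443, "proto": 6,
     "packets": 400, "bytes": 300_000},
    {"src": "192.0.2.11", "dst": "198.51.100.20", "dport": 443, "proto": 6,
     "packets": 350, "bytes": 260_000},
] + [
    # UDP flood toward one host in the second block from 100 distinct sources:
    # 4000 flows of 1500 packets x 1400 bytes each
    {"src": f"192.0.2.{100 + (i % 100)}", "dst": "203.0.113.5", "dport": 53,
     "proto": 17, "packets": 1500, "bytes": 2_100_000}
    for i in range(4000)
]


def prefix_for(ip_str, prefixes):
    """Return the protected prefix that contains ip_str, or None if unprotected."""
    addr = ipaddress.ip_address(ip_str)
    for prefix in prefixes:
        if addr in prefix:
            return prefix
    return None


def aggregate_by_prefix(flows, prefixes, window_seconds):
    """Sum packets and bytes per protected prefix over one export window and
    convert them to average pps and bit/s. Flows to unprotected destinations
    are ignored; the number of distinct sources is kept as a hint of spread."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for flow in flows:
        prefix = prefix_for(flow["dst"], prefixes)
        if prefix is None:
            continue
        totals[prefix]["packets"] += flow["packets"]
        totals[prefix]["bytes"] += flow["bytes"]
        totals[prefix]["sources"].add(flow["src"])
    return {
        prefix: {
            "pps": t["packets"] / window_seconds,
            "bps": t["bytes"] * 8 / window_seconds,
            "distinct_sources": len(t["sources"]),
        }
        for prefix, t in totals.items()
    }


def prefixes_to_divert(stats, bps_threshold, pps_threshold):
    """Return (as sorted strings) the prefixes whose inbound rate exceeds either
    preset threshold; these are the blocks diversion would be triggered for."""
    return sorted(
        str(prefix) for prefix, s in stats.items()
        if s["bps"] > bps_threshold or s["pps"] > pps_threshold
    )


if __name__ == "__main__":
    stats = aggregate_by_prefix(SAMPLE_FLOWS, PROTECTED_PREFIXES, WINDOW_SECONDS)
    for prefix, s in stats.items():
        print(f"{prefix}: {s['bps'] / 1e6:.1f} Mbit/s, {s['pps']:.0f} pps, "
              f"{s['distinct_sources']} sources")
    print("divert:", prefixes_to_divert(stats, BPS_THRESHOLD, PPS_THRESHOLD))
```

Aggregation is per protected block rather than per host because diversion announces the whole CIDR block: a flood against a single address still pulls the entire block into the scrubbing center. The distinct-source count is not used for the decision here; it is the kind of pattern (many sources, one destination) that the manual detection path above looks for.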
Traffic diversion
In the event of an attack, the traffic scrubbing center advertises Border Gateway Protocol (BGP) updates to global carriers, rerouting all inbound traffic destined for the protected CIDR block to the scrubbing center for DDoS mitigation.
Traffic reinjection
After the Alibaba Cloud traffic scrubbing center has scrubbed the traffic, it is reinjected into your IDC over connections such as Generic Routing Encapsulation (GRE) tunnels and Cross Connects. Reinjection relies on Layer 2 or Layer 2.5 forwarding (in OSI terms) rather than on Internet routing, which prevents the scrubbed traffic from being routed back to the scrubbing center once it is released onto the Internet.
Mitigation reports
Comprehensive logs and statistics are provided for all detected and mitigated attack traffic, including pre-attack and post-scrubbing traffic data, and attack magnitude. These insights help you understand network traffic conditions more effectively.
Diversion modes
There are two diversion modes: On-demand mode and Always-on mode.
On-demand
In On-demand mode, traffic is rerouted to the scrubbing center only when a DDoS attack occurs and Anti-DDoS Diversion is activated. However, there may be a short delay between attack detection and activation, during which your service could be interrupted. This mode is ideal for businesses that experience occasional attacks.
On-demand mode offers two Anti-DDoS Diversion instances based on the number of mitigation sessions:
Insurance (two sessions per month): Provides two mitigation sessions per month. After exhausting them, you can contact Alibaba Cloud technical support to switch to Unlimited mode for unlimited sessions.
Unlimited (unlimited sessions): Offers unlimited mitigation sessions each month.
There are two methods to initiate Anti-DDoS Diversion:
Manual: The IDC O&M team can manually start or stop diversion through the traffic security console. This method is suitable for scenarios where precise control over the diversion process is necessary, and the O&M team is capable of real-time monitoring and immediate response.
Automatic: Diversion is triggered automatically based on preset thresholds, enabling a rapid response to attacks and reducing any delays or errors associated with manual intervention.
Always-on
In Always-on mode, all traffic is continuously routed to the scrubbing center, so protection is in place at all times with no activation delay. The additional processing adds slight latency to your business traffic, but the mode provides unlimited mitigation sessions. It is slightly more expensive than On-demand mode but best suited for businesses that are frequently under attack.
How it works
The following example explains how the On-demand mode works when using GRE tunnels to reinject traffic:
Set up a GRE tunnel and establish a BGP peering relationship between the virtual border router (VBR) of the IDC and the Alibaba Cloud traffic scrubbing center.
Upon detecting a DDoS attack, the IDC O&M team or the configured Anti-DDoS Diversion instance initiates diversion.
The Alibaba Cloud traffic scrubbing center advertises the protected CIDR block globally from AS134963.
Inbound traffic is no longer routed to your IDC. Instead, it is redirected to the scrubbing center. This change in the routing path typically takes effect within two to three minutes. Outbound traffic remains unaffected, flowing directly from the IDC server to the ISP.
If inbound traffic still reaches the IDC directly after diversion is activated, verify that your Routing Assets Database (RADB) and Resource Public Key Infrastructure (RPKI) records are in effect. Then check whether your IDC and the scrubbing center are both advertising the same subnet CIDR block in the same format, such as 1.1.XX.XX/24. If so, stop your VBR from advertising to the ISP the same prefix that the scrubbing center advertises.
Once the traffic arrives at the scrubbing center, it is filtered based on predefined thresholds. Clean traffic is then forwarded back to the IDC through the established GRE tunnel.
To stop diversion, the scrubbing center ceases advertising your CIDR block. If you previously stopped advertising BGP updates to the ISP, re-announce your prefix before discontinuing diversion; otherwise inbound traffic has no route to your IDC once the scrubbing center withdraws its advertisement.
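Steps 5 and 7 above both come down to comparing what the IDC's VBR announces with what the scrubbing center announces. The following is an added Python example (not Alibaba Cloud's code) that performs both checks on constructed announcement lists: it flags IDC announcements that would keep pulling inbound traffic past the scrubbing center during diversion, and it lists protected blocks that would be left without a route if diversion were stopped before the IDC re-announced them. The AS number is the one the page gives; the prefixes are constructed, and the functions are hypothetical helpers rather than part of the service.

```python
import ipaddress

# AS number the page says the scrubbing center uses to announce protected blocks.
SCRUBBING_CENTER_ASN = 134963

# Constructed example announcements (RFC 5737 documentation ranges).
IDC_ANNOUNCED = ["198.51.100.0/24", "203.0.113.0/25", "203.0.113.128/25"]
SCRUBBING_ANNOUNCED = ["198.51.100.0/24", "203.0.113.0/24"]


def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def diversion_conflicts(idc_prefixes, scrubbing_prefixes):
    """Step 5 check: for each protected prefix the scrubbing center announces,
    list IDC announcements that would keep inbound traffic flowing directly to
    the IDC. An identical prefix gives the ISP two origins to choose between; a
    more specific prefix always wins by longest-prefix match, defeating diversion."""
    conflicts = []
    for protected in _nets(scrubbing_prefixes):
        for idc in _nets(idc_prefixes):
            if idc == protected:
                kind = "identical"
            elif idc.version == protected.version and idc.subnet_of(protected):
                kind = "more_specific"
            else:
                continue
            conflicts.append({"protected": str(protected),
                              "idc_prefix": str(idc), "kind": kind})
    return conflicts


def uncovered_after_stop(idc_prefixes, scrubbing_prefixes):
    """Step 7 check: protected prefixes that no IDC announcement would cover once
    the scrubbing center withdraws them. These must be re-announced from the VBR
    before diversion is stopped, or inbound traffic to them has no route."""
    idc = _nets(idc_prefixes)
    uncovered = []
    for protected in _nets(scrubbing_prefixes):
        same_version = [i for i in idc if i.version == protected.version]
        # covered by an equal or less specific IDC announcement
        if any(protected.subnet_of(i) for i in same_version):
            continue
        # or fully covered by a set of more specific IDC announcements
        specifics = [i for i in same_version if i.subnet_of(protected)]
        if list(ipaddress.collapse_addresses(specifics)) == [protected]:
            continue
        uncovered.append(str(protected))
    return uncovered


if __name__ == "__main__":
    print(f"scrubbing center origin: AS{SCRUBBING_CENTER_ASN}")
    print("conflicts while diverting:")
    for c in diversion_conflicts(IDC_ANNOUNCED, SCRUBBING_ANNOUNCED):
        print(f"  {c['protected']} vs IDC {c['idc_prefix']} ({c['kind']})")
    # The operator withdraws the conflicting IDC announcements for the duration
    # of diversion (step 5) ...
    print("uncovered if stopped now:", uncovered_after_stop([], SCRUBBING_ANNOUNCED))
    # ... and re-announces them before the scrubbing center withdraws (step 7).
    print("uncovered after re-announce:",
          uncovered_after_stop(IDC_ANNOUNCED, SCRUBBING_ANNOUNCED))
```

The two /25 announcements in the constructed IDC list are the case the text's "same format" wording is warning about: they cover exactly the same addresses as the scrubbing center's /24, yet as more specific routes they win in every carrier's routing table, so diversion silently fails until they are withdrawn. The coverage check for stopping diversion accepts either an equal-or-shorter IDC prefix or a set of more specific prefixes that collapse to the protected block.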
Difference between Anti-DDoS Diversion and Anti-DDoS Proxy
Both Anti-DDoS Diversion and Anti-DDoS Proxy can protect IDC servers deployed on-premises or in the cloud. The key differences are as follows:
Protection scope:
Anti-DDoS Diversion: Protects IDC servers against network layer attacks such as ICMP and UDP flood, and transport layer attacks such as TCP SYN flood.
Anti-DDoS Proxy: In addition to offering protection against network and transport layer attacks, Anti-DDoS Proxy extends its capabilities to safeguard against application layer attacks, such as HTTP/HTTPS floods, offering a more robust and comprehensive security solution.
Focus:
Anti-DDoS Diversion: Primarily focuses on protecting the underlying infrastructure of your network.
Anti-DDoS Proxy: Designed to shield specific applications or business systems from the attacks.