
Anti-DDoS: Configure Anti-DDoS Diversion

Last Updated: Nov 12, 2024

To configure Anti-DDoS Diversion for servers in an Internet Data Center (IDC), you need to coordinate with Alibaba Cloud technical support based on your business needs. This topic describes how to configure Anti-DDoS Diversion.

Step 1: Purchase an Anti-DDoS Diversion instance

  1. Access the Anti-DDoS Diversion buy page.

  2. Complete all configurations, review the service agreement, and follow the instructions to finalize your purchase.

    • Diversion Mode:

      • On-demand: Ideal for services under occasional attacks.

      • Always-on: Ideal for services under frequent attacks.

    • Mitigation Threshold: For more information, see Best-effort protection.

    • Protection Mode:

      • Insurance: Two best-effort protection sessions per month. Resets at the start of each month.

      • Unlimited: Unlimited mitigation sessions per month.

      For more information, see Mitigation sessions.

    • Clean Bandwidth: The normal traffic bandwidth of your service. It is set to 100 Mbit/s by default, with an increment of 100 Mbit/s up to 100,000 Mbit/s.

    • C-class IP Addresses: The number of C-class IP addresses in your IDC servers. It is set to 1 by default, with a maximum of 10,000.

    • Data Centers: The number of IDC servers. It is set to 1 by default, with a maximum of 10.

    • Initial Installation Mode: The initial way to install the diversion infrastructure.

    • Quantity: The quantity is determined by the configuration of your reinjection point.

  3. Contact your pre-sales manager to complete the configuration.

Step 2: Add CIDR Block to Anti-DDoS Diversion instance

  1. Log on to the Traffic Security console.

  2. Go to the Network Security > Anti-DDoS Origin > Protected Objects page and select Outside Chinese Mainland in the top navigation bar.

  3. Select your Anti-DDoS Diversion instance, then click Reinjection Configurations to create an injection point.

    • Injection type: Configure this after consulting Alibaba Cloud technical support.

    • Injection point: This refers to the location of the traffic scrubbing center from which business traffic is injected. The injection point is typically in the same region as your IDC servers. You can configure one or more injection regions based on your business needs.

  4. Click Add CIDR block for Forwarding to include the Classless Inter-Domain Routing (CIDR) block in the protected object.

    • Add CIDR Block: Enter a CIDR block and a subnet mask. You can enter CIDR blocks ranging from /22 to /28 for non-extended blocks and /16 to /22 for extended blocks.

      Note

      If you want to protect CIDR blocks from /22 to /16, you can expand the subnet and configure Anti-DDoS Diversion for each subnet. Additionally, you can enable or disable protection for a particular subnet as needed.

    • Reinjection Type: Configure this after consulting Alibaba Cloud technical support.

    • Select a reinjection region.

      • Unified Reinjection from All Traffic Scrubbing Centers: Clean traffic is first forwarded to the scrubbing centers located at your configured injection point. The injection point then reroutes the traffic back to your IDC server.

      • Separate Reinjection from Individual Traffic Scrubbing Center: This method is ideal for scenarios where you have IDC servers in multiple locations. Clean traffic is forwarded to the scrubbing centers at each injection point, and then each injection point reroutes the traffic back to the IDC server situated in the same location as the injection point.
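The prefix-length rules in step 4 (/22 to /28 for non-extended blocks, /16 to /22 for extended blocks) and the note about expanding a larger block into subnets can be checked before you open the console. The following is an added example written for this page, not Alibaba Cloud's own code or API; it assumes the prefix ranges are inclusive at both ends and uses only the Python standard library.

```python
from ipaddress import ip_network

# Prefix-length ranges as stated in the console description (assumption:
# both ends inclusive; /22 therefore satisfies both categories).
NON_EXTENDED_RANGE = (22, 28)   # /22 to /28
EXTENDED_RANGE = (16, 22)       # /16 to /22


def allowed_block_types(cidr: str) -> tuple:
    """Return the block categories a CIDR block qualifies for.

    Possible results: ("non-extended",), ("extended",),
    ("non-extended", "extended") for a /22, or () if the prefix is out of range.
    strict=True makes ip_network() raise ValueError when host bits are set
    (for example "203.0.113.1/24"), which is what you want to catch early.
    """
    net = ip_network(cidr, strict=True)
    if net.version != 4:
        return ()
    p = net.prefixlen
    kinds = []
    if NON_EXTENDED_RANGE[0] <= p <= NON_EXTENDED_RANGE[1]:
        kinds.append("non-extended")
    if EXTENDED_RANGE[0] <= p <= EXTENDED_RANGE[1]:
        kinds.append("extended")
    return tuple(kinds)


def expand_to_subnets(cidr: str, target_prefix: int = 22) -> list:
    """Split a larger block (for example a /16) into /22 subnets.

    Each returned subnet can then be added as its own protected CIDR block,
    which is the expansion the page's note describes, and protection can be
    toggled per subnet.
    """
    net = ip_network(cidr, strict=True)
    if net.prefixlen > target_prefix:
        raise ValueError(f"{cidr} is already smaller than /{target_prefix}")
    return [str(s) for s in net.subnets(new_prefix=target_prefix)]


if __name__ == "__main__":
    # Constructed sample blocks (RFC 5737 / RFC 1918 documentation space).
    for block in ("203.0.113.0/24", "10.0.0.0/16", "10.0.0.0/22", "10.0.0.0/8"):
        print(block, "->", allowed_block_types(block) or "out of range")
    subnets = expand_to_subnets("10.0.0.0/16")
    print(f"10.0.0.0/16 expands to {len(subnets)} /22 subnets, first {subnets[0]}, last {subnets[-1]}")
```

Running the script lists which category each sample block falls into and shows that a /16 expands into 64 /22 subnets; a block with host bits set fails fast with ValueError rather than being submitted as-is.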

Step 3: Complete Anti-DDoS Diversion configurations


  1. In the Diversion Mode column, you can set the rerouting mode as follows:

    • Manual

      This is the default mode. In this mode, you must manually enable Anti-DDoS Diversion during a DDoS attack and disable it once the attack subsides.

    • Automatic

      Anti-DDoS Diversion activates automatically if the inbound bandwidth or packet rates of your IDCs exceed the set threshold. After selecting this mode, you need to configure the automatic startup rules, shutdown methods, and other relevant parameters.

      Important

      This method is exclusive to IDCs on Alibaba Cloud and is only available under specific protocols. Therefore, you should contact Alibaba Cloud technical support before usage.

      • Policy Name: The name of the custom policy.

      • Traffic Rate: The threshold of inbound bandwidth, typically double the normal business Mbit/s. Unit: megabits per second (Mbit/s). Minimum: 100 Mbit/s.

      • Packet Rate: The threshold of inbound packets, typically double the normal business Kpps. Unit: kilo packets per second (Kpps). Minimum: 10 Kpps.

      • Continuity: The number of consecutive times the inbound bandwidth or packet rate must exceed the specified threshold to trigger the automatic activation of Anti-DDoS Diversion.

      • Stop Mode: Choose how to stop Anti-DDoS Diversion after it is enabled. Options include:

        • Manual (default): You must manually stop the protection after the attack ends.

        • Automatic: The protection stops automatically at a specified time after the attack ends.

          • Time Zone: Choose the time zone corresponding to the location of your IDC server using the Greenwich Mean Time (GMT) format as GMT-hh:mm. For instance, GMT-08:00 represents the time zone that is 8 hours behind GMT.

          • Stop Time: Specifies when the protection should automatically stop, using a 24-hour clock format as hh:mm.

            We recommend that you set the stop time during off-peak hours. The Alibaba Cloud Anti-DDoS service will automatically stop the diversion at the specified time after detecting the end of the attack.

  2. In the Status column, select Review to request an Alibaba Cloud compliance check on the current CIDR block.

    Upon approval, CIDR blocks can be rerouted. We recommend contacting Alibaba Cloud technical support after making your submission for further assistance.

  3. In the Mitigation Policy column, select a mitigation template.

    • General Policy

      • Filters out malformed packets not adhering to protocol specifications

      • Filters out TCP, UDP, and ICMP packets with clear attack signatures

      • Filters out fragmented packets and packets that are not transmitted over TCP, UDP, or ICMP

      • Verifies specific IP addresses that generate abnormal requests and implements rate limiting on those addresses

      Note: The General Policy offers protection against common DDoS attacks and is well-suited for most services.

    • Office Policy

      • Filters out malformed packets not adhering to protocol specifications

      • Filters out TCP, UDP, and ICMP packets with clear attack signatures

      • Filters out fragmented packets

      • Allows packets transmitted over GRE and IPsec

      • Applies loose verification to IP addresses that generate requests

      Note: The Office Policy is tailored for office networks, offering more relaxed outbound access restrictions.

    • TCP Game Policy

      • Filters out malformed packets not adhering to protocol specifications

      • Filters out TCP, UDP, and ICMP packets with clear attack signatures

      • Filters out fragmented packets and packets that are not transmitted over TCP, UDP, or ICMP

      • Verifies specific IP addresses that generate abnormal requests and implements rate limiting on those addresses

      • Strictly verifies UDP packets and limits UDP packets based on the verification results

      Note: For services that rely on TCP, the TCP Game Policy is recommended.

    • UDP Game Policy

      • Filters out malformed packets not adhering to protocol specifications

      • Filters out TCP, UDP, and ICMP packets with clear attack signatures

      • Filters out fragmented packets and packets that are not transmitted over TCP, UDP, or ICMP

      • Applies loose verification to UDP packets

      Note: For services that rely on UDP, the UDP Game Policy is recommended.

Step 4: Start Anti-DDoS Diversion

On-demand

  • Manual

    When the IDC O&M team detects an attack, click Start Traffic Rerouting in the Actions column. The Traffic Rerouting Status will switch to Traffic Rerouting, which indicates active DDoS protection for the traffic of the protected assets.

    To stop protection, select Pause Rerouting. This will discontinue the DDoS protection for the traffic of the protected assets.

  • Automatic

    On-demand protection automatically activates when the inbound bandwidth or packet rate exceeds the set threshold several times.
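The automatic trigger combines the Traffic Rate, Packet Rate and Continuity parameters from Step 3: diversion starts only after the threshold has been exceeded a set number of consecutive times, which is what "several times" refers to. The simulation below is an added example for this page, not Alibaba Cloud's implementation or API. It assumes that a measurement interval counts when either metric exceeds its threshold, that the consecutive count resets as soon as one interval is below both thresholds, and it applies the page's rule of thumb (double the normal business rate, floored at the 100 Mbit/s and 10 Kpps minimums) when suggesting thresholds.

```python
from dataclasses import dataclass

MIN_TRAFFIC_RATE_MBPS = 100   # minimum Traffic Rate stated on the page
MIN_PACKET_RATE_KPPS = 10     # minimum Packet Rate stated on the page


@dataclass(frozen=True)
class AutoDiversionPolicy:
    """Parameters of an automatic startup rule (names follow the console)."""
    name: str
    traffic_rate_mbps: int   # inbound bandwidth threshold, Mbit/s
    packet_rate_kpps: int    # inbound packet-rate threshold, Kpps
    continuity: int          # consecutive over-threshold intervals required

    def __post_init__(self):
        if self.traffic_rate_mbps < MIN_TRAFFIC_RATE_MBPS:
            raise ValueError(f"Traffic Rate must be at least {MIN_TRAFFIC_RATE_MBPS} Mbit/s")
        if self.packet_rate_kpps < MIN_PACKET_RATE_KPPS:
            raise ValueError(f"Packet Rate must be at least {MIN_PACKET_RATE_KPPS} Kpps")
        if self.continuity < 1:
            raise ValueError("Continuity must be at least 1")


def suggest_policy(name: str, normal_mbps: int, normal_kpps: int, continuity: int = 3) -> AutoDiversionPolicy:
    """Thresholds at double the normal business traffic, never below the minimums."""
    return AutoDiversionPolicy(
        name=name,
        traffic_rate_mbps=max(MIN_TRAFFIC_RATE_MBPS, 2 * normal_mbps),
        packet_rate_kpps=max(MIN_PACKET_RATE_KPPS, 2 * normal_kpps),
        continuity=continuity,
    )


def first_trigger_index(policy: AutoDiversionPolicy, samples) -> "int | None":
    """Index of the interval at which diversion would start, or None.

    samples: sequence of (inbound_mbps, inbound_kpps) measurements, one per
    interval. Assumption: an interval counts if either metric exceeds its
    threshold, and the consecutive count resets when neither does.
    """
    streak = 0
    for i, (mbps, kpps) in enumerate(samples):
        if mbps > policy.traffic_rate_mbps or kpps > policy.packet_rate_kpps:
            streak += 1
            if streak >= policy.continuity:
                return i
        else:
            streak = 0
    return None


# Constructed inbound measurements for a service that normally sees about
# 400 Mbit/s and 30 Kpps: a short two-interval spike, a dip, then a sustained surge.
SAMPLE_INBOUND = [
    (300, 25), (900, 40), (950, 45), (420, 28),
    (1200, 80), (1500, 90), (1400, 85), (500, 30),
]

if __name__ == "__main__":
    policy = suggest_policy("web-frontend", normal_mbps=400, normal_kpps=30, continuity=3)
    print(policy)
    idx = first_trigger_index(policy, SAMPLE_INBOUND)
    print("diversion would start at interval", idx, "sample", SAMPLE_INBOUND[idx])
```

With Continuity set to 3, the two-interval spike at the start of the sample series does not start diversion; the sustained surge does, at the third consecutive over-threshold interval. Raising Continuity trades a slower reaction for fewer false starts from brief bursts, which is the knob to tune against your own traffic history before relying on Automatic mode.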

Always-on

In this mode, inbound traffic is consistently rerouted to the traffic scrubbing center, ensuring protection at all times, regardless of attack status.

To initiate it, select Start Traffic Rerouting in the Actions column, and the Traffic Rerouting Status will update to Traffic Rerouting, confirming that DDoS protection is in effect for the protected assets.

Step 5: Verify whether diversion and injection are effective

Run the traceroute command to verify whether traffic is passing through AS134963, or check the monitoring report to confirm the effectiveness of the diversion protection.
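On Linux, traceroute can annotate each hop with its AS number (the -A option), which makes the AS134963 check scriptable. The parser below is an added example for this page, not Alibaba Cloud tooling; the traceroute output it parses is constructed from documentation address ranges, and it assumes the bracketed [ASnnn] / [*] annotation format that traceroute -A prints after each hop address.

```python
import re

TARGET_ASN = 134963  # the AS number the page says diverted traffic should traverse

# One hop line of "traceroute -A" output: hop number, host, (ip), [AS annotation].
# Hops that timed out ("* * *") and the header line do not match and are skipped.
HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+(?P<host>\S+)\s+\((?P<ip>[\d.]+)\)\s+\[(?P<asn>[^\]]*)\]"
)


def parse_traceroute_as(output: str) -> list:
    """Return [(hop_number, ip, {asn, ...}), ...] for every annotated hop.

    The AS annotation may be "*" (unknown) or several numbers joined by "/",
    so each hop carries a set of integers, possibly empty.
    """
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        asns = {int(tok[2:]) for tok in m.group("asn").split("/") if tok.startswith("AS")}
        hops.append((int(m.group("hop")), m.group("ip"), asns))
    return hops


def hops_in_as(output: str, asn: int = TARGET_ASN) -> list:
    """Hop numbers whose annotation includes the given AS."""
    return [hop for hop, _ip, asns in parse_traceroute_as(output) if asn in asns]


def passes_through_as(output: str, asn: int = TARGET_ASN) -> bool:
    """True if at least one hop on the path is annotated with the given AS."""
    return bool(hops_in_as(output, asn))


# Constructed sample of "traceroute -A" output (RFC 5737 documentation addresses).
SAMPLE_TRACEROUTE = """\
traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  gw.example.net (192.0.2.1) [AS64496]  0.412 ms  0.398 ms  0.380 ms
 2  198.51.100.5 (198.51.100.5) [AS64496]  1.204 ms  1.190 ms  1.175 ms
 3  * * *
 4  198.51.100.77 (198.51.100.77) [AS134963]  8.931 ms  8.902 ms  8.877 ms
 5  203.0.113.10 (203.0.113.10) [AS64500]  12.544 ms  12.501 ms  12.470 ms
"""

if __name__ == "__main__":
    # In practice: pipe real output in, e.g. traceroute -A <protected-ip> | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TRACEROUTE
    hits = hops_in_as(text)
    if hits:
        print(f"diversion in effect: AS{TARGET_ASN} seen at hop(s) {hits}")
    else:
        print(f"AS{TARGET_ASN} not seen on the path; check Reinjection Status or contact support")
```

Run it without input to see the constructed sample evaluated, or pipe a real traceroute -A run into it. A path that never shows AS134963 is only a hint, not proof that diversion is off (an intermediate hop may simply not answer or may have no registry entry), so pair this check with the monitoring report as the step describes.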

Additionally, check the Reinjection Status to ensure it displays Normal. If not, contact Alibaba Cloud technical support for assistance.

Step 6: View protection report

After the attack is over, click View Monitoring Details or View IDC Attack Analysis in the Actions column to review the attack data.

Related API operations

  • To configure the advertising of a CIDR block, see ConfigNetStatus.

  • To query Anti-DDoS Diversion instances, see ListInstance.

  • To query the CIDR blocks of an Anti-DDoS Diversion instance, see QueryNetList.