After you add your service to Anti-DDoS Pro or Anti-DDoS Premium, if attack traffic is not scrubbed and directly targets the origin server, the IP address of the origin server may have been exposed. In this case, you must change the IP address of the origin server.
Check for risks that cause IP address exposure
- Check whether the origin server contains security risks, such as trojans and backdoors. We recommend that you use Alibaba Cloud Security Center to check and fix security vulnerabilities. For more information, see What is Security Center?.
- Check whether the origin server runs services that are not added to Anti-DDoS Pro or Anti-DDoS Premium. For example, you have added MX records to configure an email server or other DNS records to configure a BBS website for the origin server.
Notice: Make sure that no DNS records map a domain name to the IP address of the origin server.
- Check whether the source code of the website is exposed. For example, the output of the phpinfo() function may contain the IP address of the origin server.
- Check whether the origin server is subject to malicious scanning. You can allow inbound traffic only from the back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium to access the origin server. For more information, see Configure ACLs for the origin server.
Change the IP address of the origin server
After you eliminate all risks that may cause the exposure, you can change the IP address of the origin server. For more information, see Change the public IP address of an ECS origin server.
If you do not want to change the IP address, or the new IP address is also exposed, we recommend that you deploy an SLB instance in front of the ECS instance. For more information, see Quick Start of SLB. You can adopt the following network architecture: Client > Anti-DDoS Pro or Anti-DDoS Premium > SLB instance > ECS instance.