
Anti-DDoS: Configure the near-origin traffic diversion feature

Last Updated: Apr 01, 2024

The near-origin traffic diversion feature can block network traffic that is transmitted from regions outside the Chinese mainland over China Telecom or China Unicom lines. The feature discards network traffic from specific regions based on the location of the attack source. This reduces the likelihood that blackhole filtering is triggered for an Anti-DDoS Proxy (Chinese Mainland) instance. Each Alibaba Cloud account can enable this feature up to 10 times and can disable it at any time. This topic describes how to configure the near-origin traffic diversion feature.

Scenario

If your Anti-DDoS Proxy (Chinese Mainland) instance is under volumetric attacks that are about to exceed the mitigation capability of the instance, we recommend that you enable the feature. For example, if 30% of the attacks are launched from regions outside the Chinese mainland, you can use this feature to block the attacks to reduce the stress on your Anti-DDoS Proxy (Chinese Mainland) instance.

Location blacklist and near-origin traffic diversion

The location blacklist feature blocks requests from specific locations at traffic scrubbing centers, which means that blocked requests are discarded near the destination servers. The feature identifies and filters requests based on the location of the source IP addresses. Because it cannot reduce the volume of attack traffic, it is suitable for mitigating connection flood attacks. For more information, see Configure the location blacklist.

The near-origin traffic diversion feature discards requests from specific regions based on the attack source location by using core routers in the backbone network of an Internet Service Provider (ISP). This reduces the likelihood that blackhole filtering is triggered for an Anti-DDoS Proxy (Chinese Mainland) instance.

Validity period

You can specify a blocking duration from 15 minutes to 24 hours.

Limits

  • The near-origin traffic diversion feature is available only for Anti-DDoS Proxy (Chinese Mainland).

  • Each Alibaba Cloud account can implement traffic diversion up to 10 times. Each time you enable this feature, the remaining quota decreases by one.

Prerequisites

An Anti-DDoS Proxy (Chinese Mainland) instance is purchased. For more information, see Purchase an Anti-DDoS Proxy instance.

Procedure

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select Chinese Mainland.

  3. In the left-side navigation pane, choose Mitigation Settings > General Policies.

  4. On the Protection for Infrastructure tab, select the instance that you want to manage from the list on the left side.

    Note

    You can search for an instance by instance ID or description.

  5. In the Near-origin Traffic Diversion section, perform the following operations based on your business requirements.

    • Block network traffic that is transmitted from regions outside the Chinese mainland through China Telecom lines: Click Actions to the right of China Telecom (Outside China). In the dialog box that appears, configure Blocking Duration and click OK.

    • Block network traffic that is transmitted from regions outside the Chinese mainland through China Unicom lines: Click Actions to the right of China Unicom (Outside China). In the dialog box that appears, configure Blocking Duration and click OK.

    Note

    We recommend that you block network traffic that is transmitted from regions outside the Chinese mainland through China Telecom lines and monitor the changes in the volume of attack traffic. If the volume of attack traffic is about to exceed the mitigation capability of the instance, block the network traffic that is transmitted from regions outside the Chinese mainland through China Unicom lines.

    You can click View Blocking Information to view the blocked regions and blocking periods. To unblock the network traffic before the blocking period ends, click Unblock.

Result

If traffic diversion fails, an error message appears. Follow the instructions to troubleshoot the error and try again. If no message appears, traffic diversion is successful.