
Anti-DDoS: Use the CDN or DCDN interaction feature

Last Updated:Jul 04, 2024

If your website requires both access acceleration and distributed denial of service (DDoS) mitigation, you can use the Alibaba Cloud CDN (CDN) or Dynamic Content Delivery Network (DCDN) interaction feature. You can use Sec-Traffic Manager to enable intelligent scheduling. If no DDoS attacks occur, the nearest CDN or DCDN node is used to accelerate service access. If DDoS attacks occur, traffic is switched to your Anti-DDoS Proxy instance for scrubbing and only service traffic is forwarded to your origin server to ensure service stability. This topic describes how to configure the CDN or DCDN interaction feature.

Description

If your website requires both access acceleration and DDoS mitigation, Alibaba Cloud provides the following solutions:

  • Solution 1: (Recommended) Enable the DDoS mitigation feature in DCDN

    After you add the domain name of your website to DCDN, you can enable the DDoS mitigation feature with a few clicks. No configurations are required in the Anti-DDoS Proxy console. For more information, see Mitigation settings.

    Note

    Only DCDN supports the DDoS mitigation feature. If you add the domain name of your website to CDN, you can migrate the domain name to DCDN and use the DDoS mitigation feature. For more information, see Upgrade from Alibaba Cloud CDN to DCDN for your domain name.

  • Solution 2: Enable the CDN or DCDN interaction feature

    This solution is described in this topic. Traffic is switched to your Anti-DDoS Proxy instance for scrubbing and only service traffic is forwarded to the origin server. You must add the domain name of your website to CDN or DCDN and Anti-DDoS Proxy. Then, you must configure an interaction rule in Sec-Traffic Manager of Anti-DDoS Proxy.

The two solutions differ in where scrubbed traffic goes. With an interaction rule (Solution 2), traffic is switched to your Anti-DDoS Proxy instance for scrubbing and only service traffic is forwarded, directly to the origin server, so CDN or DCDN acceleration is bypassed for as long as traffic stays on the instance. With the DDoS mitigation feature in DCDN (Solution 1), traffic is also scrubbed by your Anti-DDoS Proxy instance, but service traffic is forwarded back to DCDN rather than to the origin server, so access acceleration is retained even while your website is under attack. The following figures show both traffic paths.

[Figures: traffic path with an interaction rule (Solution 2), and traffic path with the DDoS mitigation feature enabled in DCDN (Solution 1)]

Usage notes

  • If the service bandwidth of your website exceeds 3 Gbit/s or the queries per second (QPS) exceeds 10,000, contact your account manager for evaluation before you use the CDN or DCDN interaction feature.

  • If your website is attacked more than three times per week, we recommend that you use only Anti-DDoS Proxy. This prevents frequent traffic switching between CDN or DCDN and Anti-DDoS Proxy from affecting your service.

  • Both IPv4 and IPv6 Anti-DDoS Proxy instances are supported for the CDN or DCDN interaction feature.

  • A switchover is carried out by changing the DNS resolution of your domain name. When an attack occurs and traffic is switched to your instance, the new path takes effect only after the time to live (TTL) of the cached DNS record expires. A long TTL therefore delays both the switchover to your instance and the switchover back to CDN or DCDN.

  • Before you use the CDN or DCDN interaction feature, make sure that your CDN- or DCDN-accelerated domain name is not added to a sandbox. For more information, see Introduction to sandboxes. If your CDN- or DCDN-accelerated domain name is added to a sandbox and you want to configure DDoS mitigation for the domain name and remove the domain name from the sandbox, contact your account manager.

Supported instance types

The feature is supported by Anti-DDoS Proxy (Chinese Mainland) instances of the Profession and Advanced mitigation plans and by Anti-DDoS Proxy (Outside Chinese Mainland) instances of the Insurance and Unlimited mitigation plans. In both cases, the instance must use the Enhanced function plan.

Prerequisites

Procedure

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.

    • Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland) instance, select Outside Chinese Mainland.

  3. In the left-side navigation pane, choose Provisioning > Sec-Traffic Manager. On the page that appears, click the CDN/DCDN Interaction tab.

    Note

    The first time you use the CDN or DCDN interaction feature, click Authorize Now. Then, authorize Anti-DDoS Proxy to access CDN or DCDN as prompted.

  4. Find the domain name that you want to manage and click Create Interaction Rule in the Actions column. In the Create Interaction Rule panel, configure the following parameters and click Next.

    Anti-DDoS Instance: The instance that you want to use together with CDN or DCDN.

    Note
    • If the system returns the message "To enable CDN interaction, you must use an instance of the Enhanced function plan", upgrade the instance to the Enhanced function plan as prompted.

    • If the system returns the message "No instance is selected", add the domain name of your website to the instance. For more information, see Add one or more websites.

    Resource for Interaction: The CDN or DCDN resource for interaction is selected automatically.

    If the domain name of your website is not added to CDN or DCDN, add the domain name to CDN or DCDN as prompted, wait approximately 10 minutes for the configuration to take effect, and then configure the interaction rule. For more information, see Add a domain name for CDN interaction or Add a domain name for DCDN interaction.

    Access QPS: The QPS threshold that triggers a switchover to Anti-DDoS Proxy. A switchover is triggered when the QPS of the domain name exceeds this value under the conditions described in Switch traffic.

    Note

    So that normal traffic spikes do not trigger a switchover, set this parameter to at least two to three times the historical peak QPS of your website. Do not specify a value less than 500, even if the QPS of your website is low.

  5. Before you change the DNS record, modify the hosts file on your computer so that the domain name resolves to your Anti-DDoS Proxy instance, and verify that your website still works over that path. This catches incompatibilities caused by back-to-origin policies that differ between CDN or DCDN and Anti-DDoS Proxy before any real traffic is switched. For more information, see Verify traffic forwarding settings on a local machine.

    For example, CDN allows you to change the origin host of back-to-origin requests, but Anti-DDoS Proxy does not. If your CDN configuration retrieves data from an Object Storage Service (OSS) bucket by changing the origin host to the bucket domain name, requests forwarded by Anti-DDoS Proxy keep the original origin host, OSS cannot identify the bucket they belong to, and your service is interrupted after a switchover.

  6. Visit the website of your DNS provider and change the DNS record to forward traffic to the CNAME of Sec-Traffic Manager. For more information, see Change the CNAME record to redirect traffic to Sec-Traffic Manager.

    Note

    When you add the domain name of your website to CDN or DCDN, Anti-DDoS Proxy, and an interaction rule, three CNAMEs are generated by CDN or DCDN, Anti-DDoS Proxy, and Sec-Traffic Manager. In this case, you must make sure that the domain name is resolved to the CNAME of Sec-Traffic Manager.
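The check in step 6 is easy to get wrong because three CNAMEs exist for the same domain name. The following script is an added example, not Alibaba Cloud tooling: it parses the answer section of `dig +noall +answer <domain>` (a constructed sample is embedded), follows the CNAME chain, and reports whether the first hop is the Sec-Traffic Manager CNAME, the CDN or DCDN CNAME, or the Anti-DDoS Proxy CNAME. All hostnames and addresses in it are placeholders, the three expected CNAMEs are values you copy from the respective consoles, and the 600-second TTL warning limit is an assumption rather than a documented value.

```python
"""Pre-cutover check for step 6: does the domain resolve through the
Sec-Traffic Manager CNAME, not straight to CDN/DCDN or Anti-DDoS Proxy?

Added example, not Alibaba Cloud tooling. Input is the answer section of
`dig +noall +answer <domain>` plus the three CNAMEs copied from the CDN/DCDN,
Anti-DDoS Proxy and Sec-Traffic Manager consoles. Hostnames and addresses are
placeholders; MAX_TTL_SECONDS is an assumption, not a documented value."""

# Constructed sample of `dig +noall +answer www.example.com` after the CNAME change.
SAMPLE_DIG_OUTPUT = """\
www.example.com.                    300  IN  CNAME  abc123.stm-placeholder.example.net.
abc123.stm-placeholder.example.net.  60  IN  CNAME  abc123.cdn-placeholder.example.net.
abc123.cdn-placeholder.example.net.  60  IN  A      203.0.113.10
"""

MAX_TTL_SECONDS = 600   # assumption: flag TTLs that make a switchover slow to propagate


def _norm(name: str) -> str:
    """Canonical form for comparing DNS names: lower-case, no trailing dot."""
    return name.strip().rstrip(".").lower()


def parse_answer_section(text: str) -> dict:
    """Parse dig answer lines into {owner: [(ttl, rtype, rdata), ...]}."""
    records = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # blank line or dig comment
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # not a standard "owner ttl IN type rdata" answer line
        owner, ttl, rtype, rdata = _norm(parts[0]), int(parts[1]), parts[3], parts[4]
        if rtype == "CNAME":
            rdata = _norm(rdata)
        records.setdefault(owner, []).append((ttl, rtype, rdata))
    return records


def cname_chain(records: dict, domain: str):
    """Follow CNAMEs from domain. Returns ([(owner, ttl, target), ...], looped)."""
    chain, seen, current = [], set(), _norm(domain)
    while current not in seen:
        seen.add(current)
        cnames = [r for r in records.get(current, []) if r[1] == "CNAME"]
        if not cnames:
            return chain, False  # reached A/AAAA records (or nothing)
        ttl, _, target = cnames[0]
        chain.append((current, ttl, target))
        current = target
    return chain, True  # revisited a name: CNAME loop


def check_stm_routing(dig_output, domain, stm_cname, cdn_cname, proxy_cname):
    """Classify where the domain's first CNAME points.

    Returns {"status": "ok"|"warn"|"error", "target", "ttl", "detail"}.
    """
    records = parse_answer_section(dig_output)
    chain, looped = cname_chain(records, domain)
    if looped:
        return {"status": "error", "target": None, "ttl": None, "detail": "CNAME loop"}
    if not chain:
        return {"status": "error", "target": None, "ttl": None,
                "detail": f"{domain} has no CNAME: it bypasses both CDN/DCDN and Anti-DDoS Proxy"}
    _, ttl, target = chain[0]
    result = {"status": "ok", "target": target, "ttl": ttl, "detail": ""}
    if target == _norm(stm_cname):
        result["detail"] = "routed via Sec-Traffic Manager"
        if ttl > MAX_TTL_SECONDS:  # the record is right, but a switchover will be slow
            result["status"] = "warn"
            result["detail"] += f"; TTL {ttl}s delays each switchover by up to that long"
    elif target == _norm(cdn_cname):
        result.update(status="warn", detail="points straight at CDN/DCDN; "
                      "Sec-Traffic Manager cannot switch traffic to the proxy")
    elif target == _norm(proxy_cname):
        result.update(status="warn", detail="points straight at Anti-DDoS Proxy; "
                      "traffic is never accelerated by CDN/DCDN")
    else:
        result.update(status="error", detail=f"unexpected CNAME target {target}")
    return result


if __name__ == "__main__":
    print(check_stm_routing(SAMPLE_DIG_OUTPUT, "www.example.com",
                            "abc123.stm-placeholder.example.net",
                            "abc123.cdn-placeholder.example.net",
                            "abc123.proxy-placeholder.example.net"))
```

Run it against the live answer from a public resolver (not your own cache) after the DNS change, and again before you delete an interaction rule: a result of "ok" at that point means the domain name is still mapped to the Sec-Traffic Manager CNAME and deleting the rule would break access.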

Switch traffic

Traffic can be automatically or manually switched. After an interaction rule is created and if the conditions for a switchover are met, traffic is automatically switched between CDN or DCDN and your instance. You can also manually switch traffic to your instance and then manually switch traffic back to CDN or DCDN based on your business requirements. In most cases, we recommend that you use automatic switchover.

Automatic switchover

Switchover from CDN or DCDN to Anti-DDoS Proxy: triggered if one of the following conditions is met.

  • The QPS exceeds the threshold 3 consecutive times within 3 minutes or more than 6 times within 10 minutes, and traffic on CDN or DCDN does not exceed 10 Gbit/s.

  • The domain name of your website is added to a sandbox, and traffic on CDN or DCDN does not exceed 10 Gbit/s.

Switchover from Anti-DDoS Proxy to CDN or DCDN: triggered only if all of the following conditions are met.

  • For more than 12 consecutive hours, the QPS stays below 80% of the threshold and attack requests account for less than 10% of all requests.

  • Neither blackhole filtering nor traffic scrubbing has been triggered for the IP address of the instance in the last hour.

  • The domain name of your website is not added to a sandbox.

Important

Traffic can be switched back to CDN or DCDN only in the time range from 08:00 to 23:00.
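The automatic conditions above, together with the Access QPS guidance (two to three times the historical peak, never below 500), determine how often a domain name bounces between CDN or DCDN and the instance. The following model is an added example, not Alibaba Cloud code: Sec-Traffic Manager evaluates these conditions on its side, and this script only lets you replay your own traffic history against a candidate threshold before you commit it. It assumes one QPS sample per minute and one attack-share sample per hour, that the 10 Gbit/s cap is checked on the latest sample, and that the 08:00 to 23:00 window is given in the time zone the console uses; none of those details are stated on this page.

```python
"""Model of the automatic switchover conditions for the CDN/DCDN interaction
feature. Added example, not Alibaba Cloud code; the service evaluates the real
conditions server-side. Assumptions: one QPS sample per minute, one attack-share
sample per hour, CDN bandwidth cap checked on the latest sample, time window in
whatever local time the console uses (the page does not say)."""
from dataclasses import dataclass
from datetime import time

MIN_ACCESS_QPS = 500          # documented floor for the Access QPS parameter
CDN_MAX_GBPS = 10.0           # no switchover to the proxy above 10 Gbit/s on CDN/DCDN
SWITCH_BACK_FROM, SWITCH_BACK_TO = time(8, 0), time(23, 0)


def recommended_access_qps(historical_peak_qps: float, factor: float = 2.5) -> int:
    """Access QPS per the usage note: 2 to 3 times the historical peak, never below 500."""
    return max(MIN_ACCESS_QPS, int(historical_peak_qps * factor))


@dataclass(frozen=True)
class MinuteSample:
    """One per-minute observation on the CDN/DCDN side (constructed input)."""
    qps: float
    cdn_gbps: float


def should_switch_to_proxy(samples, threshold, in_sandbox=False):
    """CDN/DCDN -> Anti-DDoS Proxy.

    Triggered when CDN/DCDN traffic is at most 10 Gbit/s and either the domain
    is in a sandbox, or the QPS exceeded the threshold in the last 3 samples
    (3 consecutive minutes) or in more than 6 of the last 10.
    """
    last10 = list(samples)[-10:]
    if not last10 or last10[-1].cdn_gbps > CDN_MAX_GBPS:
        return False
    if in_sandbox:
        return True
    over = [s.qps > threshold for s in last10]
    three_consecutive = len(over) >= 3 and all(over[-3:])
    more_than_six = sum(over) > 6
    return three_consecutive or more_than_six


@dataclass(frozen=True)
class HourSample:
    """One hourly observation while traffic is on the proxy (constructed input)."""
    peak_qps: float
    attack_ratio: float   # share of requests the proxy classified as attack traffic


def can_switch_back(hours, threshold, now_local, blackhole_or_scrub_last_hour=False,
                    in_sandbox=False):
    """Anti-DDoS Proxy -> CDN/DCDN.

    All conditions must hold: 12 consecutive hours with QPS below 80% of the
    threshold and attack share below 10%, no blackhole filtering or scrubbing
    in the last hour, not in a sandbox, and local time between 08:00 and 23:00.
    now_local is "HH:MM".
    """
    if in_sandbox or blackhole_or_scrub_last_hour:
        return False
    if not SWITCH_BACK_FROM <= time.fromisoformat(now_local) <= SWITCH_BACK_TO:
        return False
    last12 = list(hours)[-12:]
    if len(last12) < 12:
        return False
    return all(h.peak_qps < 0.8 * threshold and h.attack_ratio < 0.10 for h in last12)


if __name__ == "__main__":
    thr = recommended_access_qps(1000)                 # 2500
    quiet = [MinuteSample(800, 0.5)] * 7
    burst = quiet + [MinuteSample(4000, 1.0)] * 3      # 3 consecutive minutes over threshold
    print("threshold", thr)
    print("switch to proxy on burst:", should_switch_to_proxy(burst, thr))
    calm_hours = [HourSample(1500, 0.02)] * 12
    print("switch back at 10:30:", can_switch_back(calm_hours, thr, "10:30"))
    print("switch back at 02:00:", can_switch_back(calm_hours, thr, "02:00"))
```

Feed `should_switch_to_proxy` a week of your real per-minute QPS and count the triggers: if the model switches more than about three times, the usage notes above say to use Anti-DDoS Proxy alone rather than the interaction feature.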

Manual switchover

Switchover from CDN or DCDN to Anti-DDoS Proxy (console action: Switch from CDN to Anti-DDoS): If traffic scrubbing by your instance is not triggered automatically, for example because traffic spikes but does not meet the conditions for automatic switchover, you can manually switch traffic to the instance for scrubbing to limit the impact of the attack on your website.

Important
  • Traffic can be switched to your instance only if blackhole filtering is not triggered for the IP address of the instance.

  • After you manually switch traffic to your instance, traffic can still be switched back to CDN or DCDN automatically when the conditions for automatic switchover are met.

Switchover from Anti-DDoS Proxy to CDN or DCDN (console action: Switch back to CDN): If traffic was switched to your instance because of a spike in legitimate service traffic rather than an attack, you can manually switch traffic back to CDN or DCDN to prevent adverse impacts on your website.

Important

Before you switch traffic back to CDN or DCDN, make sure that the attacks have stopped and the domain name is not added to a sandbox.

Related operations

  • Modify an interaction rule: On the CDN/DCDN Interaction tab, find the domain name that you want to manage and click Edit in the Actions column to modify the Anti-DDoS Instance or Access QPS parameter.

  • Delete an interaction rule: On the CDN/DCDN Interaction tab, find the domain name that you want to manage and click Delete in the Actions column.

    Warning

    Before you delete an interaction rule, make sure that the domain name of your service is not mapped to the CNAME provided by Sec-Traffic Manager. Otherwise, access to your service may fail after you delete the rule.
