Anti-DDoS:DDoS attack mitigation solutions

System hardening

• Minimize the attack surface

  • Purpose: Reduce entry points for scans and attacks.

  • Action: In the ECS console, find the security group associated with the instance and create security group rules. For more information about security groups, see Create a security group.

  • Example: The following are sample security group rules for a web server:

    • Open only ports 80 and 443 to the Internet.

    • Open remote management ports 22 or 3389 only to specific IP addresses, such as your office network.

    • If a Server Load Balancer (SLB) instance or an Anti-DDoS Proxy instance is deployed in front of the origin server, configure the security group to allow traffic only from the back-to-origin IP address ranges of these products.

• Use a virtual private cloud (VPC)

  • Purpose: Logically isolate your network to prevent attacks from spreading within the internal network.

  • Action: You can use a virtual private cloud (VPC) to create a logically isolated network. This helps prevent attacks from compromised machines within your internal network. For more information, see What is a virtual private cloud (VPC)?.

• Server security hardening

  • Purpose: Improve the server's ability to handle connection-layer attacks and slow down resource exhaustion.

  • Action:

    • System upgrades: Ensure that the operating system and application software are the latest versions. Apply security patches promptly.

    • Access and service control:

      • Review access sources. Shut down unnecessary services and ports. For example, a web server should only have port 80 open.

      • Restrict file sharing from external networks to prevent core files from being tampered with.

    • Network policy optimization:

      • You can configure mitigation policies on the router, such as throttling, packet filtering, dropping spoofed source packets, setting SYN thresholds, and disabling ICMP and UDP broadcasts.

      • You can use software firewalls, such as iptables, to limit new TCP connections from suspected malicious IP addresses. You can also limit the number of connections and the transmission rate from these IP addresses.

      • You can limit the number of SYN half-connections, shorten their timeout period, and rate-limit specific traffic such as SYN and ICMP.

    • Log Monitoring: Closely examine the system logs of network devices and servers to promptly detect vulnerabilities or signs of an attack.

Optimizing business architecture

• Systematic performance evaluation of business architecture

  Before or after service deployment, your technical team should run a performance test on the service architecture. This test assesses the throughput capacity of the current architecture and provides key metrics for DDoS mitigation planning.

• Deploy Server Load Balancer (SLB)

  • Purpose: Increase service throughput and avoid single points of failure by distributing user access traffic evenly across multiple servers. This reduces the pressure on any single server.

  • Action: You can use an SLB instance as the entry point for service traffic and attach multiple ECS servers to the backend. For more information, see Quickly enable load balancing for IPv4 services.

• Provision redundant bandwidth:

  • Purpose: Prevent bandwidth saturation caused by normal traffic bursts or small-scale attacks, which can affect normal users.

  • Action: Assess the daily peak bandwidth of your service. For example, you can obtain the P95 bandwidth value for the last 30 days from Cloud Monitor. Then, you can provision spare capacity, such as 50% to 100% of the peak value, based on your budget.

• Configure Auto Scaling:

  • Purpose: Automatically increase the number of servers to boost processing capacity when an Application-layer attack, such as a CC attack, causes high CPU or memory usage.

    Note

    Auto Scaling is not effective against network-layer attacks. You can set a maximum number of instances to prevent high costs from unlimited scaling during an attack.

  • Action: You can create a scaling group and configure a scaling rule. For example, "Add one ECS instance if the average CPU utilization exceeds 75% for three consecutive minutes." For more information, see What is Auto Scaling?.

• Optimize DNS resolution

  • Purpose: Optimize DNS resolution with smart parsing to effectively avoid the risks of DNS flood attacks.

  • Action:

    • Service redundancy: You can host your services with multiple DNS providers to achieve high availability for DNS resolution.

    • Traffic filtering:

      • You can drop unsolicited DNS responses, queries from unknown sources, and burst requests.

      • You can drop abnormal fast retransmission packets.

    • Access control:

      • You can apply access control lists (ACLs), BCP38 (source address validation), and IP reputation investigation features to restrict malicious sources.

      • You can enable the DNS client validation mechanism.

    • Efficiency optimization:

      • You can configure a reasonable TTL value.

      • You can enable DNS response caching to reduce the load on the source server.

Purchase professional security services (optional)

Set up service monitoring

• Basic Anti-DDoS monitoring:

  • When your service is under a DDoS attack, Anti-DDoS Origin Basic sends alerts by default through text message and email.

    Note

    For more information about how to configure alert message recipients , see Set up alerting for Anti-DDoS Origin Basic and Anti-DDoS Origin attack events.

  • In the Traffic Security console, you can go to the Event Center to check for ongoing attack events, attack types, and traffic peaks.

• Cloud Monitor: The Cloud Monitor service collects metrics for your Alibaba Cloud resources or custom metrics. It detects service availability and lets you set alerts for specific metrics. For more information, see What is Cloud Monitor?.