All Products
Search
Document Center

Edge Security Acceleration:Mitigation settings

Last Updated:Feb 01, 2024

Accelerated domain names that are under DDoS attack may be added to a sandbox and become unavailable for a period of time. To prevent service interruptions, you can configure DDoS mitigation for domain names that are vulnerable to attacks or mission-critical. This way, Dynamic Content Delivery Network (DCDN) can detect and respond to DDoS attacks promptly and shield the domain names against attacks.

Feature description

image

Normally, traffic is directly forwarded to POPs without passing through Anti-DDoS. If your domain name is under attack, traffic destined for your domain name is diverted to the scrubbing center nearest to users for scrubbing and then only the clean traffic is routed back to DCDN.

Benefits

  • Worldwide protection against DDoS attacks

  • DDoS mitigation capacity of more than 1 Tbit/s

  • Acceleration and security both ensured

  • All-in-one service with intuitive configurations

  • AI-assisted HTTP (Layer 7) flood protection

Limits

  • DDoS mitigation is available only for customers whose clean bandwidth is no more than 10 Gbit/s or peak QPS is below 100,000. The clean bandwidth refers to the bandwidth of all domain names for which DDoS mitigation is enabled at the same time divided by QPS.

    For example, if the peak bandwidth of domain A 1.example.com is 8 Gbit/s and the peak bandwidth of domain B 2.example.com is 3 Gbit/s, only one of the domains can be added for protection. If you enable DDoS mitigation for the two domains at the same time, services may be interrupted. To apply for support for higher bandwidth, submit a ticket.

  • DDoS mitigation is unavailable for the following types of domain names:

Procedure

Enable DDoS mitigation

  1. Log on to the DCDN console.

  2. In the left-side navigation tree, choose DDoS Mitigation > Add Domain Name.

  3. On the Add Domain Name page, click Activate DDoS Mitigation.

  4. On the Anti-DDoS buy page, select an Anti-DDoS edition based on your business requirements.

    Note

    You are charged for all outbound traffic generated for domain names with DDoS mitigation enabled based on the unit prices of outbound traffic and scrubbed traffic. For more information, see Billing of DDoS mitigation.

Configure mitigation rules

  1. On the Add Domain Name page, click Add Domain Name.

  2. In the Add Domain Name dialog box, configure the parameters according to the following table.

    Parameter

    Description

    Protected Domain Names

    The accelerated domain name that you want to protect.

    Health Check

    The URI for health checks on the origin server. To ensure that the route to the Anti-DDoS scrubbing center is accessible (status code 200 is returned) if an attack occurs, enter the URI of the file that you can access in normal circumstances. / represents the root directory of the domain name. Example: /test.json.

    Important
    • DCDN probes the URL that you specified from time to time. If an exception is detected, traffic is forwarded to the scrubbing center and then routed back to DCDN only when the origin server becomes normal.

    • 47.97.249.17 and 47.244.34.181 are used to probe your origin server. If an IP address whitelist is configured for your origin server, add the IP addresses to the whitelist to ensure that probing can work as expected.

    Cleansing Conditions

    • Intelligent Cleansing (recommended): DCDN analyzes and determines when to divert traffic to a scrubbing center. If the attack is small, POPs mitigate the attack to improve acceleration performance. If the attack is large, DCDN diverts traffic to the nearest scrubbing center to filter malicious traffic and therefore ensure security. If you enable intelligent cleansing, intelligent HTTP flood protection (medium protection) and global mitigation policies (medium protection) are automatically enabled.

    • Custom QPS Threshold: This option is suitable for testing. You can specify a QPS threshold to test whether the access route works as expected after the traffic is forwarded to a scrubbing center. When the QPS reaches the threshold that you specified, traffic is diverted to a scrubbing center.

      • Valid values: 2000 to 50000

      • Default value: 20000

  3. Click OK.

Modify DDoS mitigation settings or disable DDoS mitigation

On the Domain Names page, find the domain name for which you want to manage, and click Manage or Disable DDoS Mitigation in the Actions column to modify DDoS mitigation settings or disable DDoS mitigation. The change takes effect immediately.

FAQ

References

  • If DDoS mitigation is not enabled for your domain name, DCDN has the right to add the domain name to a sandbox when an attack occurs and the bandwidth or QPS surges. For more information, see Introduction to sandboxes.

  • For information about DDoS attacks and impacts, see What is a DDoS attack?

  • Anti-DDoS Pro and Anti-DDoS Premium provide the CDN or DCDN interaction feature. For more information, see Use the CDN or DCDN interaction feature.