OSS sandbox mechanism, preventive measures and solutions - Object Storage Service

When your Object Storage Service (OSS) bucket is under attack or is used to distribute illegal content, OSS automatically moves the bucket to the sandbox. The buckets that are in the sandbox can still respond to requests, but service degradation may occur. In this case, network availability may be affected, and a request timeout error is returned. After OSS automatically moves the bucket to the sandbox, your application may be aware of the operation.

Usage notes

If your bucket is under attack, OSS automatically moves the bucket to the sandbox. In this case, you must pay the costs that result from the attack.
If your user uses your bucket to distribute illegal content that involves pornography and terrorism, OSS also moves the bucket to the sandbox. Users are held liable for violations of the law.

Preventive measures against attacks

To prevent your bucket from being moved to the sandbox due to attacks such as DDoS attacks and Challenge Collapsar (CC) attacks, you can configure OSS DDoS protection for the bucket. You can also configure a reverse proxy by using an Elastic Compute Service (ECS) instance to access the bucket and configure an Anti-DDoS Proxy instance for the ECS instance. The following table describes the advantages and disadvantages of the two solutions.

Solution	Description	Advantage	Disadvantage
Solution 1: Configure OSS DDoS protection	OSS DDoS protection is a proxy-based attack mitigation service that integrates OSS with Anti-DDoS Proxy. When a bucket for which OSS DDoS protection is enabled suffers a DDoS attack, OSS DDoS protection diverts incoming traffic to an Anti-DDoS Proxy instance for scrubbing and then redirects normal traffic to the bucket. This ensures business continuity in the event of DDoS attacks.	Diversified scenarios: You can use this solution to protect bucket domain names and the custom domain name that is mapped to the bucket. Low costs: You are charged for OSS DDoS protection based on the number of Anti-DDoS Proxy instances that you configure for your bucket, the traffic that is protected by these instances, and the number of API requests sent to your bucket. For more information, see OSS DDoS protection fees. Simple configurations: You can configure OSS DDoS protection in the OSS console.	Limited number of protected buckets: You can create only one Anti-DDoS Proxy instance within a region. You can attach each instance to up to 10 buckets that are located in the same region.
Solution 2: Configure a reverse proxy by using an ECS instance to access the bucket and configure an Anti-DDoS Proxy instance for the ECS instance	To ensure data security, the default domain name of a bucket is resolved to a random IP address each time the bucket is accessed. If you want to use a static IP address to access the bucket, you can configure a reverse proxy by using an ECS instance to access the bucket. You can associate the elastic IP address (EIP) of the ECS instance with an Anti-DDoS Proxy instance to protect the bucket from DDoS attacks and CC attacks.	You can use this solution to protect your bucket when you use a static IP address to access OSS.	Complex configurations: You must manually configure an NGINX reverse proxy. High costs: You must purchase an ECS instance to configure an NGINX reverse proxy.

Procedure

Solution 1: Configure OSS DDoS protection
Perform the following steps:
1. Creates an Anti-DDoS Proxy instance.
2. Attach the bucket that you want to protect to the Anti-DDoS Proxy instance.
  After that, the Anti-DDoS Proxy instance starts to protect access to the bucket by using the public endpoint of the bucket.
  OSS DDoS protection can protect access by using only the public endpoints of the buckets, such as oss-cn-hangzhou.aliyuncs.com. OSS DDoS protection cannot protect access by using the following endpoints:
  - OSS-accelerated domain names, including the global OSS-accelerated domain name (oss-accelerate.aliyuncs.com) and the OSS-accelerated domain name of regions outside the Chinese mainland (oss-accelerate-overseas.aliyuncs.com).
  - Access point endpoints, such as ap-01-3b00521f653d2b3223680ec39dbbe2****-ossalias.oss-cn-hangzhou.aliyuncs.com.
  - Object FC Access Point endpoints, such as fc-ap-01-3b00521f653d2b3223680ec39dbbe2****-opapalias.oss-cn-hangzhou.aliyuncs.com).
  - Endpoints accessed over IPv6, such as cn-hangzhou.oss.aliyuncs.com.
  - Amazon Simple Storage Service (S3) endpoints, such as s3.oss-cn-hongkong.aliyuncs.com.
  For more information, see OSS DDoS protection.
Solution 2: Configure a reverse proxy by using an ECS instance to access the bucket and configure an Anti-DDoS Proxy instance for the ECS instance
Perform the following steps:
1. Configure a reverse proxy by using an ECS instance to access your bucket.
  1. Create an ECS instance that runs CentOS or Ubuntu. For more information, see Create an instance on the Custom Launch tab.
    Important
    If the bucket encounters bursts of network traffic or spikes in access requests, you need to upgrade the hardware configurations of ECS or create ECS clusters.
  2. Configure a reverse proxy by using an ECS instance to access the bucket. For more information, see Use an ECS instance that runs CentOS to configure a reverse proxy for access to OSS.
2. Configure an Anti-DDoS Proxy instance.
  1. Purchase an Anti-DDoS Proxy instance based on your business requirements. For more information, visit the buy page of Anti-DDoS Proxy (Outside Chinese Mainland).
  2. Configure an Anti-DDoS Proxy instance. Enter the endpoint of the bucket that you want to protect by using the ECS reverse proxy in Websites. Select Origin IP Address for Server IP and enter the public IP address of the ECS instance in the field. For more information about how to configure other parameters, see Add one or more websites.