Anti-DDoS Origin can mitigate DDoS attacks for Elastic Compute Service (ECS), Classic Load Balancer (CLB), Web Application Firewall (WAF), and Elastic IP Address (EIP). Anti-DDoS Origin is integrated with the preceding services. You can use Anti-DDoS Origin without the need to change IP addresses. In addition, no limits for Layer 4 ports or Layer 7 domain names are imposed on Anti-DDoS Origin.
Overview
By default, Anti-DDoS Origin Basic is enabled for CLB free of charge. Anti-DDoS Origin Basic provides a maximum bandwidth capacity of 5 Gbit/s. All traffic from the Internet must pass through Alibaba Cloud Security before the traffic reaches a CLB instance. Alibaba Cloud Security scrubs the traffic to mitigate common attacks, such as SYN flood attacks, UDP flood attacks, ACK flood attacks, ICMP flood attacks, DNS flood attacks, and other DDoS attacks.
Anti-DDoS Origin adopts passive scrubbing as a major protection policy and active blocking as an auxiliary policy to mitigate DDoS attacks. Anti-DDoS Origin uses conventional technologies such as reverse detection, blacklists, whitelists, and packet compliance. These technologies allow protected resources to work as expected even under attack. The following figure shows the network topology of Anti-DDoS Origin.
Anti-DDoS Origin Basic specifies thresholds for scrubbing and blackholing based on the bandwidth of Internet-facing CLB instances. When the inbound traffic reaches the threshold, scrubbing or blackholing is triggered:
Scrubbing: When the system detects attacks that match specific models or a large number of attacks from the Internet, Alibaba Cloud Security automatically scrubs the attack traffic through packet filtering, traffic throttling, and packet throttling.
Blackholing: When the attack traffic exceeds the blackholing threshold, the CLB instance is blackholed and all inbound traffic to it, including legitimate requests, is dropped to protect the rest of the network.
The thresholds are calculated based on the following principles:
The threshold is determined based on the outbound bandwidth of a CLB instance. A larger outbound bandwidth value specifies a higher threshold.
The blackholing threshold is determined based on your security credit score.
Note: Your security credit score does not affect the scrubbing threshold.
Calculate the thresholds
You can perform the following steps to calculate thresholds.
CLB provides a recommended threshold based on the bandwidth resources that you purchase for your CLB instances.
Note: If you purchase a pay-by-data-transfer CLB instance, the outbound bandwidth equals the maximum bandwidth supported by the region where the CLB instance is deployed. All regions in the Chinese mainland support a maximum bandwidth capacity of 5 Gbit/s. For more information, see Maximum bandwidth.
Correlation between the CLB bandwidth and scrubbing threshold (bit/s)
When the CLB bandwidth is 100 Mbit/s or less: Default scrubbing threshold (Mbit/s) = 120
When the CLB bandwidth is greater than 100 Mbit/s: Default scrubbing threshold (Mbit/s) = CLB bandwidth (Mbit/s) × 1.2
The two rules agree at exactly 100 Mbit/s (100 × 1.2 = 120).
Correlation between the CLB bandwidth and scrubbing threshold (packet/s)
Scrubbing threshold (packet/s) = CLB bandwidth (Mbit/s) / 500 × 150,000
For example, a 500 Mbit/s instance has a recommended scrubbing threshold of 150,000 packet/s.
Correlation between the CLB bandwidth and blackholing threshold (bit/s)
When the CLB bandwidth is 1 Gbit/s or less: Default blackholing threshold (Gbit/s) = 2
When the CLB bandwidth is greater than 1 Gbit/s: Default blackholing threshold (Gbit/s) = Max {CLB bandwidth (Gbit/s) × 1.5, 2}
Alibaba Cloud Security calculates the final thresholds based on the recommended thresholds, security credit score, and resources in each region.
Alibaba Cloud Security uses the following rules to evaluate thresholds (bit/s and packet/s).
The minimum value of the threshold is 1,000 Mbit/s (bit/s threshold) and 300,000 packet/s (packet/s threshold).
If the threshold calculated by CLB is less than the preceding minimum value, the minimum value prevails.
If the threshold calculated by CLB is greater than the preceding minimum value, the threshold calculated by CLB prevails.
Alibaba Cloud Security determines the blackholing threshold based on your security credit score.
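The following Python script is an added example, not Alibaba Cloud code. It implements the threshold rules stated above for a CLB instance of a given bandwidth: the CLB recommendation for the scrubbing thresholds (bit/s and packet/s) and the blackholing threshold, the minimum-value floor applied by Alibaba Cloud Security, and the pay-by-data-transfer case where the outbound bandwidth is the region maximum (the Chinese mainland value of 5 Gbit/s is used as the default). It also classifies an observed inbound rate against the resulting thresholds. The adjustment of the blackholing threshold by the security credit score is not modelled, because the page gives no formula for it; the actual thresholds for an instance are the ones shown in the CLB console.

```python
"""Anti-DDoS Origin Basic threshold calculation for a CLB instance.

Added example; the constants are the values stated in the documentation,
the security-credit-score adjustment is not modelled.
"""
from dataclasses import dataclass

# Floor applied by Alibaba Cloud Security to the CLB-recommended thresholds.
MIN_SCRUB_MBPS = 1000
MIN_SCRUB_PPS = 300_000

# Maximum bandwidth for regions in the Chinese mainland (pay-by-data-transfer case).
MAINLAND_MAX_MBPS = 5000


@dataclass(frozen=True)
class Thresholds:
    scrub_mbps: float      # scrubbing threshold, Mbit/s
    scrub_pps: float       # scrubbing threshold, packet/s
    blackhole_gbps: float  # blackholing threshold, Gbit/s


def clb_recommended_scrub_mbps(bandwidth_mbps: float) -> float:
    """CLB recommendation, bit/s rule: 120 Mbit/s up to 100 Mbit/s, else 1.2x."""
    return 120.0 if bandwidth_mbps <= 100 else bandwidth_mbps * 1.2


def clb_recommended_scrub_pps(bandwidth_mbps: float) -> float:
    """CLB recommendation, packet/s rule: bandwidth / 500 * 150,000."""
    return bandwidth_mbps / 500 * 150_000


def clb_recommended_blackhole_gbps(bandwidth_mbps: float) -> float:
    """CLB recommendation for blackholing: 2 Gbit/s up to 1 Gbit/s, else max(1.5x, 2)."""
    bandwidth_gbps = bandwidth_mbps / 1000
    return 2.0 if bandwidth_gbps <= 1 else max(bandwidth_gbps * 1.5, 2.0)


def final_thresholds(bandwidth_mbps: float,
                     pay_by_data_transfer: bool = False,
                     region_max_mbps: float = MAINLAND_MAX_MBPS) -> Thresholds:
    """Thresholds after Alibaba Cloud Security applies its minimum values."""
    if pay_by_data_transfer:
        # Outbound bandwidth of a pay-by-data-transfer instance is the region maximum.
        bandwidth_mbps = region_max_mbps
    scrub_mbps = max(clb_recommended_scrub_mbps(bandwidth_mbps), MIN_SCRUB_MBPS)
    scrub_pps = max(clb_recommended_scrub_pps(bandwidth_mbps), MIN_SCRUB_PPS)
    return Thresholds(scrub_mbps, scrub_pps, clb_recommended_blackhole_gbps(bandwidth_mbps))


def classify(thresholds: Thresholds, inbound_mbps: float, inbound_pps: float) -> str:
    """Action triggered by an observed inbound rate: 'none', 'scrub' or 'blackhole'.

    Blackholing is checked first because it overrides scrubbing; both
    scrubbing thresholds are independent triggers.
    """
    if inbound_mbps > thresholds.blackhole_gbps * 1000:
        return "blackhole"
    if inbound_mbps > thresholds.scrub_mbps or inbound_pps > thresholds.scrub_pps:
        return "scrub"
    return "none"


if __name__ == "__main__":
    for mbps in (50, 500, 2000):
        t = final_thresholds(mbps)
        print(f"{mbps} Mbit/s -> scrub {t.scrub_mbps} Mbit/s / {t.scrub_pps} pps, "
              f"blackhole {t.blackhole_gbps} Gbit/s")
    # Observed inbound rates are constructed values for the demonstration.
    print(classify(final_thresholds(2000), inbound_mbps=2500, inbound_pps=10_000))
```

Note how the floor dominates for small instances: a 50 Mbit/s instance gets a recommended 120 Mbit/s / 15,000 packet/s, but the effective scrubbing thresholds are 1,000 Mbit/s and 300,000 packet/s, so for such instances the console values, not the formula, are what matter when sizing alerting.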
Grant read-only permissions to a RAM user
Perform the following steps to grant a Resource Access Management (RAM) user the read-only permissions on Anti-DDoS Origin Basic.
You must use your Alibaba Cloud account to grant the read-only permissions to a RAM user.
Log on to the RAM console with your Alibaba Cloud account.
In the left-side navigation pane, go to the Users page. On the Users page, find the RAM user and click Add Permissions in the Actions column.
In the Grant Permission panel, grant permissions to the RAM user.
Select the resource scope.
Account: The authorization takes effect on all resources in the Alibaba Cloud account.
ResourceGroup: The permissions take effect on resources in a specified resource group.
Note: If you want to select ResourceGroup for the Resource Scope parameter, make sure that the involved cloud services and resources support resource groups. For more information, see Services that work with Resource Group.
Specify the principal.
Select a policy.
Select AliyunYundunDDosFullAccess in the Policy Name column to add the policy to the Selected list. Then, click Grant permissions. Despite the title of this section, this system policy grants full management permissions on Anti-DDoS, not only read access; under least privilege, grant it only to RAM users who need to change Anti-DDoS settings, and if a read-only Anti-DDoS system policy is listed, use that for users who only need to view thresholds.
Click Close.
View thresholds
Log on to the CLB console.
In the top navigation bar, select the region where the CLB instance is deployed.
On the Instances page, find the CLB instance, and move the pointer over the Alibaba Cloud Security icon of the CLB instance to view the scrubbing threshold (bit/s and packet/s) and blackholing threshold. For more information, visit the Anti-DDoS console.
Scrubbing threshold (bit/s): When the inbound data per second exceeds this value, scrubbing is triggered.
Scrubbing threshold (packet/s): When the inbound packets per second exceed this value, scrubbing is triggered.
Blackholing threshold: When the inbound data per second exceeds this value, all requests are dropped.