Community Blog Protect Your Website and Application From DDoS Attack

Protect Your Website and Application From DDoS Attack

Learn how to handle traffic and flood of your website and application, and protect your business from DDoS attack.

Protect Your Website: How to Avoid SMS Traffic Flooding Attacks

One common category of DDoS attack is a SMS flooding attack. An SMS flooding attack occurs when a high volume of cellular SMS messages are sent to saturate and overload the website’s server.

Business is taking off. You are hiring new people, expanding your customer base and you have just bought a new work van to handle the recent spike in orders.

Purchasing the vehicle is a significant investment for your business, including the extra expenditure to brand the vehicle with your company logo.

But all week you’re beaming with delight at the sight of your company’s new vehicle; which doubles as a portable billboard for your company.

However, four days in you wake up to a nasty surprise. Overnight a local graffiti gang has vandalized and tagged the van in three different colors. The news only gets worst when you spot a crude artistic attempt to depict the male genitalia next to your logo. Having just spent a small fortune (from the company’s point of view) to invest in the new vehicle, this was the last thing you needed!

The cyber world is no different when it comes to malicious operators damaging company assets.

Distributed Denial of Service (DDoS) is one particular attack you want to avoid as a law-abiding netizen. DDoS attacks come in various shapes and sizes, and one common category of DDoS attack is a SMS flooding attack. An SMS flooding attack occurs when a high volume of cellular SMS messages are sent to saturate and overload the website’s server.

This leads to slow website server performance, soaring SMS registration verification charges and leaking of customer contact information.

What is a SMS traffic flooding attack?

For many websites, online users must provide their mobile phone number upon registration in order to validate their identity. Normally, users will click a button during the registration process to send a SMS message and a SMS message is sent to verify the user’s mobile phone number. However, if there are no defense policies protecting the SMS interface, attackers can leverage programs to send high frequency requests to the SMS interface.

Screenshot of online sign up form with SMS verification

SMS verification

Related Blogs

Dpath Traffic Isolation Solution for New Retail

Alibaba Dpath, a traffic isolation solution, is developed to provide support for new retail scenarios during the Double 11 Shopping Festival.

During this year's Double Eleven Shopping Festival, technical preparations had to be changed from previous years to support New Retail. The Business Division required that traffic from new retail will enter independent servers and be isolated from other common traffic. Although conceptually straightforward, this poses higher requirements on the stability of new retail systems.

We have proposed a solution known as Dpath (dedicated path) to cope with these new requirements. The general idea of Dpath can be described as follows:

  1. We can choose some apps on the link as needed, and specify some servers from the public cluster as dedicated servers for special traffic. Then we can provide special support for the special traffic.
  2. Common traffic does not enter dedicated servers, but the special traffic can use common servers as needed. If an app on the link, app_x, does not have a dedicated server, then the special traffic and common traffic share all servers of app_x (public cluster). If app_x has dedicated servers, but these servers are unreachable for some reason, then the special traffic can decide whether or not to use the public cluster based on the configured failover policy.
  3. The specified dedicated servers for each application on the entire link form a dedicated channel for special traffic, which is similar to bus lanes.
  4. The existing routing function of our RPC framework is valid on a single call. It will be troublesome to implement routing of the full link based on the routing function of a single call. Therefore we proposed the Dpath solution for traffic isolation on the entire link.

Working Mechanism of the Solution

We'll introduce how Dpath works in three steps:

  1. Select dedicated servers
  2. Identify special traffic
  3. Direct traffic from the link to the corresponding servers

Dedicated Machine Selection

Simply put, the information we need is the machines, apps, and the relation between them in a dedicated environment. Such information is stored in the configuration center in JSON format. A sample are as follows:

"enable": true, 
"envRules": [
        "envName": "newRetail", 
        "failoverPolicy": 0,
        "envAppRules": [
                "appName": "app1", 
                "ips": [ ], 
                "machineGroups": [
                "appName": "app2", 
                "ips": [ ], 
                "machineGroups": [
                "appName": "app3", 
                "ips": [ ], 
                "machineGroups": [
                "appName": "newRetailEntryApp", 
                "ips": [ ], 
                "machineGroups": [

Application Traffic Replication through a Kubernetes Ingress Controller

This document introduces how to replicate application traffic between different Kubernetes clusters of Container Service.

Simulation Test

Generally, when a system is reconstructed or new features are released, we need to run stress tests to evaluate the carrying capacity of the new system in advance. Traditionally, we simulate all kinds of online test data in an offline environment to test the new system. However, this method may not effectively simulate the actual access traffic online, particularly various kinds of abnormal traffic in the simulated normal traffic.

In this case, we can replicate the online application traffic to a specified offline environment to run a simulation test on the new system. In another case, if our online system encounters a performance bottleneck, but we cannot quickly locate the problem, we can also use the traffic replication method to replicate the real application traffic to an offline environment to locate the problem.

Let's see how to replicate application traffic between different Kubernetes clusters of Container Service.

Deploying Basic Applications

Assume that you have applied for two different Kubernetes clusters on the Container Service console. We name them Kubernetes Product Cluster and Kubernetes Stage Cluster.

  1. Deploy an application in the Kubernetes Product Cluster and expose external service access through Ingress.
  2. After application deployment, run the following commands to test the access to the application:

 # Check the Ingress configuration of the application.
  kubectl get ing nginx-ingress
NAME            HOSTS                                                                  ADDRESS         PORTS     AGE
nginx-ingress   nginx.c37bf6b77bded43669ba2fb67448b4146.cn-hangzhou.alicontainer.com   80        8m
  # Test the domain name for accessing the application.
  curl http://nginx.c37bf6b77bded43669ba2fb67448b4146.cn-hangzhou.alicontainer.com
  1. Deploy a same application in the Kubernetes Stage Cluster and expose external service access through Ingress.
  2. After application deployment, run the following commands to test the access to the application:

 # Check the Ingress configuration of the application.
 kubectl get ing nginx-ingress
NAME            HOSTS                                                                 ADDRESS        PORTS     AGE
nginx-ingress   nginx.c41eb6ca34a3e49f7aea63b8bc9e8ad98.cn-beijing.alicontainer.com   80        1m

 # Test the domain name for accessing the application.
 curl http://nginx.c41eb6ca34a3e49f7aea63b8bc9e8ad98.cn-beijing.alicontainer.com

Configure Traffic Replication

Assume that we hope to replicate all access traffic (100%) of the application in the Kubernetes Product Cluster to the corresponding application in the Kubernetes Stage Cluster. That is, we need to replicate and forward all requests for the domain name nginx.c37bf6b77bded43669ba2fb67448b4146.cn-hangzhou.alicontainer.com to the domain name nginx.c41eb6ca34a3e49f7aea63b8bc9e8ad98.cn-beijing.alicontainer.com.

Alibaba Cloud ET Environment Brain Assists in AI-based Flood Control in Zhejiang, China

Discover how Alibaba Cloud assisted Jinhua, a city in Zhejiang province of China, to combat floods using artificial intelligence with ET Environment Brain.
In August 2018, many regions in the northern hemisphere of China were hit by floods, which caused agricultural damage and affected the lives of millions of Chinese citizens. Desperate for a solution, Jinhua, a city in Zhejiang province of China, started tackling this issue by using artificial intelligence (AI) for flood control.

The flood and drought control command center of Jinhua city uses Alibaba Cloud ET Environment Brain to analyze water resources and weather data in the city, which helps to improve the decision-making efficiency during the flood season. According to statistical data, AI provides a much higher speed and accuracy than traditional methods in predicting extreme weather such as heavy rain and typhoon. Through these predictive analyses, cities can then proactively respond to adverse weather, saving precious time on decision-making and logistics for flood control and rescue missions.

As Jinhua is located in a basin-and-hill area in the central part of Zhejiang, this city is subject to small watershed mountain torrents due to the unique terrain. The city often encounters heavy rainfall and floods during the "plum rain" season from May to June every year. Whereas from July to September, Jinhua may suffer from droughts due to the shortage of rainfall, or even unexpected storms brought by typhoons.

Zhu Shenghuo, chief scientist of decision intelligence in Alibaba machine intelligence lab, gives an introduction to the technology: "Based on data of Jinhua flood and drought control command center, the AI algorithm analyzes the real-time high water mark and weather in comparison with historical high water marks and weather in flood periods, to figure out the relations between high water marks of rivers and reservoirs.In addition, AI can predict the flood control conditions of rivers and reservoirs. "

In the past, most flood predictions are made based purely on experience, historical data, and knowledge of professional flood control personnel. However, the growth in Internet of Things (IoT) technology led to the explosive growth of hydrological and meteorological data. Traditional flood control models are unable to process the massive amounts of data because these methods are labor intensive, slow, and have limited computing power. Modern day AI systems such as ET Environment Brain help to address these challenges, allowing cities to make better-informed decisions through accurate predictions.

In the future, the flood control system of Jinhua can not only predict the high water marks and trends of floods, but also assess the economical and sociological effect brought by the floods. This can help Jinhua to make more effective search and rescue plans, and enable automatic dispatching of relief resources and evacuation plans.

Jinhua has started IT-based flood control since as early as 2002. The city has collected a large amount of data about water flow, rain, and disasters, and established multiple database systems, including the real-time water flow database, meteorological database, and historical water flow database. All these lay a solid foundation for data analysis.

Traffic Management with Istio (3): Traffic Comparison Analysis based on Istio

In this article, we will show you how to mirror traffic from production with Istio and use Diffy to compare traffic with your test environment.

Traffic Mirroring

Traffic mirroring, also known as traffic shadowing, provides a powerful way to bring changes to production at the lowest possible risk. The mirror sends a copy of real-time traffic to the mirroring service. Mirrored traffic goes outside of the critical request path of the main services.

In non-production or test environments, trying to access all possible combinations of test cases for a service is unrealistic. In some cases, the work of writing these test cases may not match actual production needs. In the ideal case, you can use real-time production use and traffic to help improve the functional regions you miss in the test environment.

Once we are able to reliably mirror traffic, we can start other valuable tasks. For example, using Diffy, a request traffic comparison tool, we can compare the traffic of the introduced test cluster to the expected behavior of the production cluster. For example, we might want to compare the deviation between the request results and the expected results, or data corruption in the API Protocol, for better compatibility.

In addition, please note:

  1. When the traffic is mirrored to a different service, it occurs outside the critical path of the request.
  2. Ignore response to any mirrored traffic. This traffic is considered to be "instantly forgotten".

Traffic Comparison

Here, by inserting a proxy, you can be responsible for the coordination of such traffic, and it makes an interesting comparison. Diffy is such a proxy tool. Diffy starts a proxy service (listening, for example, on port 8880 ), again, based on the primary and secondary old service addresses set by the user, (the primary and secondary codes are identical and the purpose is to reduce noise interference) and a new candidate service address.

It can also detect noise in the result, and ignore instances of two real-time services by first calling them (for example, timestamps, monotonically increasing counter and other prompts). In summary, it detects and then ignores these parts in the test service.

Diffy also provides a very good page to view the results of the call, and compare the conditions, which can be filtered by particular characteristics It also has a good management console where you can view the metrics and statistics of the comparing call results function.

Creating a Service for Istio Traffic Mirroring

In this task, you first force all traffic to the v1 version of the service. You will then use a rule to mirror a portion of the traffic to the v2 version.

Two versions of the sample service are first deployed.

Docker mirroring httpbin is used to provide common http access requests in the deployment of version 1:

apiVersion: extensions/v1beta1
kind: Deployment
  name: mirrorservice-sample-v1
  replicas: 1
        app: mirrorservice-sample
        version: v1
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: mirrorservice-sample
        command: ["gunicorn", "--access-logfile", "-", "-b", "", "httpbin:app"]
        - containerPort: 8114     

Related Courses

Handle Large Traffic With Load Balancer

In the case of large traffic, often result in slow response to the web server or even stop the service. The key of load balancing lies in "sharing". When large traffic comes, the traffic is distributed to multiple servers to improve the external service capability of the website and avoid the impact of a single point of failure on the website in order to improve the availability of the website. Through this online course, you can understand the concept of load balancing, principles and scenarios, and master Alibaba Cloud Server Load Balancer features and usage.

Protect Your Web Application on Alibaba Cloud

This online course mainly helps you to understand and master the main security risks WEB applications are facing in the cloud, as well as a variety of risk defense solutions and principles. We also introduce you the best protection solutions provided by Alibaba Cloud. With this certification, you can prove that you have the ability to protect Internet application security well in Alibaba Cloud.

Alibaba Cloud Web Application Firewall

Alibaba Cloud WAF is a web application firewall that monitors, filters, and blocks HTTP traffic to and from web applications. Based on the big data capacity of Alibaba Cloud Security, Alibaba Cloud WAF helps to defend against common web attacks such as SQL injections, Cross-site scripting (XSS), web shell, Trojan, and unauthorized access, and to filter out massive HTTP flood requests. It protects web resources from being exposed and guarantees website security and availability.

Related Market Products

Handle Large Traffic with Load Balancer

Increased traffic, often results in a delayed response from web servers or even a halt in service. Load balancing lies in "sharing." When massive traffic is detected, the traffic is distributed to multiple servers to improve the external service capability of the website and avoid the impact of a single point failure.

F5 BIG-IP Virtual Edition - GOOD (PAYG, 1Gbps)

F5's BIG-IP Virtual Edition delivers advanced application acceleration, access, security and traffic management services; ensuring your Alibaba Cloud workloads are fast, available and secure.

Related Documentation

Differences between billed traffic and monitoring traffic


Why is the actual billed network traffic different from the network traffic reported by the logging feature?


The network traffic reported by the logging feature reflects only the network traffic generated at the application layer. The network traffic that occurs at the network layer is 7% to 15% more than the reported network traffic. The extra network traffic may occur because of the following reasons:

  1. TCP/IP packet headers
    HTTP requests are transmitted based on a TCP/IP stack. The maximum transmission unit (MTU) over the Internet is 1,500 bytes, of which the headers inserted by the TCP and IP protocols occupy 40 bytes. The headers are inserted into each packet by the system kernel based on the underlying protocols in the TCP/IP stack. The size of the headers is not captured at the application layer, and is not reflected in the logging feature. This leads to an estimated 3% of outbound data that is untracked. This estimate is based on the following calculation: 40/(1,500 - 40) = 2.74%.
  2. TCP retransmission
    Depending on the physical network conditions of the Internet, about 3% to 10% of packets may be lost during transmission. The corresponding servers resend the packets that have been discarded during transmission over the Internet. The system kernel and the underlying protocols in the TCP/IP protocol stack process the retransmission and consume some network traffic. This consumption is excluded from the statistics collected at the application layer. The proportion between the network traffic for retransmission and the log statistics result varies, depending on the network conditions. For example, the proportion is lower at off-peak hours in the morning than that at peak hours in the evening. In most cases, the proportion is from 3% to 7%.

How to charge for traffic

How to charge for traffic

  1. A pay-by-traffic data plan offers a monthly data transfer. Traffic included in the traffic package is free of charge. Traffic that exceeds the traffic package is charged based on the amount that you use.
  2. Only outbound traffic is counted as used traffic, and this includes monthly traffic package and the traffic that exceeds the quota of the traffic package. Inbound traffic is not counted.
  3. In the same Virtual Private Cloud (VPC) network, traffic between Simple Application Server instances is free of charge. You are charged for the Internet traffic between Simple Application Server instances and other Alibaba Cloud services.

Traffic packages

Simple Application Server offers free monthly traffic packages. A traffic package is dedicated to a single instance. In most cases, the quota of a traffic package can meet data transmission requirements. A traffic package is reset on the first day of each month. After the traffic package is reset, the amount of used traffic will start from zero.

Note: Notifications will be sent to customers when the amount of traffic used in a package exceeds 50%, 80%, and 95%.

Related Products


A comprehensive DDoS protection for enterprise to intelligently defend sophisticated DDoS attacks, reduce business loss risks, and mitigate potential security threats.

Web Application Firewall

Web Application Firewall (WAF) protects your website servers against intrusions. Our service detects and blocks malicious traffic directed to your websites and applications. WAF secures your core business data and prevents server malfunctions caused by malicious activities and attacks.

0 0 0
Share on

Alibaba Clouder

2,600 posts | 754 followers

You may also like