To use Anti-DDoS Pro or Anti-DDoS Premium to protect your website, we recommend that you add the back-to-origin IP addresses to the whitelist of the origin server. This ensures that the traffic from Anti-DDoS Pro or Anti-DDoS Premium is not blocked by security software on your origin server.

Background information

If you deploy third-party security software on your origin server, such as a firewall, add the back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium to the whitelist of the security software.

Notice: After you switch service traffic to Anti-DDoS Pro or Anti-DDoS Premium, the instance scrubs the traffic and uses back-to-origin IP addresses to forward the traffic to the origin server. If the back-to-origin IP addresses are not in the whitelist on your firewall, the traffic from Anti-DDoS Pro or Anti-DDoS Premium may be blocked. This results in a failure to access your website.

If you use Anti-DDoS Pro or Anti-DDoS Premium to protect your website, the inbound traffic is rerouted to Anti-DDoS Pro or Anti-DDoS Premium for scrubbing. Then, Anti-DDoS Pro or Anti-DDoS Premium forwards the normal traffic to the origin server. This step, in which an Anti-DDoS Pro or Anti-DDoS Premium instance forwards the scrubbed traffic to the origin server, is the back-to-origin process.

Anti-DDoS Pro and Anti-DDoS Premium function as reverse proxies and support the Full NAT mode.

Before Anti-DDoS Pro or Anti-DDoS Premium is used, the origin server receives requests directly from many distributed client IP addresses. If no attacks are launched against your services, each source IP address sends only a small number of requests.

After Anti-DDoS Pro or Anti-DDoS Premium is used, the origin server receives all requests from a limited number of back-to-origin IP addresses. Each of these IP addresses forwards far more requests than any single client would. As a result, the back-to-origin IP addresses may be regarded as malicious. If other DDoS protection policies are configured on the origin server, these back-to-origin IP addresses may be blocked or subject to bandwidth limits.

For example, the most common symptom is a 502 error. It indicates that the origin server did not respond to the requests forwarded from the back-to-origin IP addresses, and a likely cause is that the firewall on the origin server blocked the back-to-origin IP addresses.

Therefore, we recommend that you disable the firewall and other security software on the origin server after you set up forwarding rules. This ensures that the back-to-origin IP addresses of Anti-DDoS Pro or Anti-DDoS Premium are not affected by the protection policies on the origin server. Alternatively, you can perform the following steps to find the back-to-origin IP addresses of Anti-DDoS Pro and Anti-DDoS Premium and add them to the whitelist of the security software on the origin server.

Procedure

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region of your Anti-DDoS instance.
    • Mainland China: Anti-DDoS Pro
    • Outside Mainland China: Anti-DDoS Premium
  3. In the left-side navigation pane, choose Provisioning > Website Config.
  4. On the Website Config page, click View Back-To-Source CIDR Blocks in the upper-right corner.
  5. In the Back-To-Source CIDR Block dialog box, copy the back-to-origin IP addresses used by Anti-DDoS Pro or Anti-DDoS Premium.
  6. Add the back-to-origin IP addresses to the whitelist of the security software on your origin server.
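The following script is an added example, not part of this documentation and not a tool provided by Anti-DDoS Pro or Anti-DDoS Premium. It shows two things a practitioner wants after step 6: how to turn the copied CIDR blocks into firewall whitelist rules for a Linux origin server (iptables is assumed as the firewall), and how to confirm from firewall drop logs that a 502 error is caused by the origin firewall discarding back-to-origin traffic. The CIDR blocks and log lines in the script are constructed placeholders; the real back-to-origin ranges must be copied from the Back-To-Source CIDR Block dialog box.

```python
import ipaddress
import re

# Constructed placeholder CIDR blocks. Replace them with the back-to-origin
# ranges copied from the Anti-DDoS console in step 5; these are not real values.
BACK_TO_ORIGIN_CIDRS = [
    "203.0.113.0/24",
    "198.51.100.0/25",
]


def parse_cidrs(cidrs):
    """Validate the copied CIDR blocks. strict=True rejects a block whose host
    bits are set, which usually means a copy or typing error that would leave
    part of the back-to-origin range outside the whitelist."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_back_to_origin(ip, networks):
    """True if the source address seen by the origin server lies in one of the
    Anti-DDoS back-to-origin ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def iptables_allow_rules(networks, ports=(80, 443), chain="INPUT"):
    """Render iptables commands (assumed firewall) that accept scrubbed traffic
    from the back-to-origin ranges on the web ports. -I inserts at the top of
    the chain so these rules win over later DROP or rate-limit rules."""
    rules = []
    for net in networks:
        for port in ports:
            rules.append(
                f"iptables -I {chain} -s {net.with_prefixlen} -p tcp --dport {port} "
                f"-m comment --comment anti-ddos-back-to-origin -j ACCEPT"
            )
    return rules


# Matches the SRC= and DPT= fields written by the iptables LOG target.
LOG_RE = re.compile(r"SRC=(?P<src>[0-9a-fA-F.:]+) .*?DPT=(?P<dpt>\d+)")


def dropped_back_to_origin(log_lines, networks):
    """Return (source, destination port) for every logged drop whose source is
    a back-to-origin address. Any hit means the origin firewall is discarding
    scrubbed traffic from Anti-DDoS, which surfaces to users as a 502 error."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and is_back_to_origin(m.group("src"), networks):
            hits.append((m.group("src"), int(m.group("dpt"))))
    return hits


# Constructed sample lines in the format of an iptables LOG target with prefix "FW-DROP:".
SAMPLE_FIREWALL_LOG = [
    "kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.45 DST=10.0.0.5 LEN=60 "
    "PROTO=TCP SPT=40512 DPT=443 WINDOW=65535 SYN",
    "kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 LEN=60 "
    "PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 SYN",
    "kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=60 "
    "PROTO=TCP SPT=43000 DPT=80 WINDOW=65535 SYN",
]


if __name__ == "__main__":
    nets = parse_cidrs(BACK_TO_ORIGIN_CIDRS)
    print("# Whitelist rules to run on the origin server:")
    for rule in iptables_allow_rules(nets):
        print(rule)
    print("# Dropped back-to-origin packets found in the sample log:")
    for src, dpt in dropped_back_to_origin(SAMPLE_FIREWALL_LOG, nets):
        print(f"  {src} -> port {dpt}")
```

The drop check is the quick way to distinguish a firewall block from an application fault when Anti-DDoS returns 502: if back-to-origin sources appear in the drop log, apply the generated rules (and keep them ahead of any rate-limit rules); if they do not, the origin application itself is not answering. The SSH drop from 192.0.2.10 in the sample is unrelated to Anti-DDoS and is correctly ignored.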