This topic describes how to integrate Anti-DDoS Origin with Anti-DDoS Pro. The integration protects your services against distributed denial of service (DDoS) attacks without interrupting business operations: Anti-DDoS Origin handles everyday attacks on the public IP addresses of your resources, and traffic is switched over to Anti-DDoS Pro only when an attack is too large for Anti-DDoS Origin. The switchover is driven by a scheduling rule that you create in Sec-Traffic Manager of Anti-DDoS Pro.

Background information

Anti-DDoS Origin is a security service that protects specific Alibaba Cloud services against DDoS attacks. These services include Elastic Compute Service (ECS), Server Load Balancer (SLB), Elastic IP Address (EIP), and Web Application Firewall (WAF). Unlike Anti-DDoS Pro, Anti-DDoS Origin attaches its protection capability directly to the public IP addresses of these cloud services. You do not need to change the IP addresses of the resources that you want to protect, and there is no limit on the number of Layer 4 ports or Layer 7 domain names behind a protection target. Anti-DDoS Origin is deployed out of the box and provides elastic protection. If your business encounters a large-scale DDoS attack, Anti-DDoS Origin uses all the protection resources of the region to provide unlimited protection, which can absorb attacks of up to hundreds of gigabits per second.

Anti-DDoS Pro provides eight-line Border Gateway Protocol (BGP) bandwidth resources at the terabit level and is available only for regions inside mainland China. It provides a protection bandwidth of up to 1.5 Tbit/s, which allows you to defend against volumetric DDoS attacks at the terabit level. Traffic is directed to the scrubbing centers of Anti-DDoS Pro through DNS: your domain name resolves to the IP address of an Anti-DDoS Pro instance instead of the origin server, and Anti-DDoS Pro forwards the scrubbed traffic to the origin server. Anti-DDoS Pro provides high-quality BGP bandwidth for China Telecom, China Unicom, China Mobile, China Education and Research Network (CERNET), and other Internet service providers (ISPs) inside mainland China, with an average latency of about 20 ms.

To enable interaction between Anti-DDoS Origin and Anti-DDoS Pro, you can create a scheduling rule for Sec-Traffic Manager of Anti-DDoS Pro. This rule allows you to use Anti-DDoS Origin for daily protection against low-traffic DDoS attacks and switch traffic over to Anti-DDoS Pro in the event of heavy-traffic DDoS attacks.

Overview

The integration solution lets you use Anti-DDoS Origin and Anti-DDoS Pro together. From Anti-DDoS Origin you get controllable costs, protection for all assets in a region, and transparent deployment with no extra latency. From Anti-DDoS Pro you get protection against volumetric DDoS attacks that exceed what Anti-DDoS Origin can absorb.

The integration solution requires an Anti-DDoS Origin Enterprise instance, which protects up to 255 IP addresses in a specific region. With unlimited protection, Anti-DDoS Origin Enterprise provides a protection capability of 100 Gbit/s to 300 Gbit/s depending on the region. In addition, you purchase an Anti-DDoS Pro instance as a backup to defend against DDoS attacks whose bandwidth exceeds 300 Gbit/s. After you create a scheduling rule, both resources are managed centrally in Sec-Traffic Manager. If Anti-DDoS Origin triggers a black hole for a protected IP address, Sec-Traffic Manager automatically switches traffic over to Anti-DDoS Pro.

The integration solution provides the following features:
  • Anti-DDoS Origin Enterprise provides account-level protection across multiple regions without extra latency. You do not need to change the IP addresses of your resources or your business architecture.
  • Anti-DDoS Origin provides unlimited protection of 100 Gbit/s to 300 Gbit/s depending on the region. Anti-DDoS Pro defends against DDoS attacks whose bandwidth exceeds 300 Gbit/s.
  • If a black hole is triggered, traffic is automatically switched over from Anti-DDoS Origin to Anti-DDoS Pro by changing DNS resolution. A switchover takes about 1 to 3 minutes, or about 5 to 10 minutes for local DNS servers inside mainland China, depending on how quickly local DNS servers pick up the new record.
  • Back-to-origin traffic from Anti-DDoS Pro to your origin servers travels over dedicated circuits. A black hole on the public IP address of the origin therefore does not block the scrubbed traffic that Anti-DDoS Pro forwards to it.
After you integrate Anti-DDoS Origin with Anti-DDoS Pro, your SLB instances, ECS instances, or WAF assets are protected by Anti-DDoS Origin Enterprise without extra latency. If the attack bandwidth exceeds the black hole triggering threshold of a protected IP address, Anti-DDoS Origin triggers a black hole for that IP address. Sec-Traffic Manager then switches traffic over to Anti-DDoS Pro, which forwards inbound traffic through a scrubbing center and adds a latency of about 20 ms. After the attack stops, inbound traffic is rerouted to the SLB instances, ECS instances, or WAF assets, and Anti-DDoS Origin resumes protection. Take note of the following points:
  • A switchover is performed by changing DNS resolution, so it completes only after local DNS servers pick up the new record. This requires about 5 to 10 minutes for local DNS servers inside mainland China and about 1 to 3 minutes for local DNS servers outside mainland China.
  • While protection is switched over to Anti-DDoS Pro, the black hole triggering threshold is the maximum protection capability of the Anti-DDoS Pro instance. Anti-DDoS Pro provides basic protection of up to 30 Gbit/s and burstable protection of up to 300 Gbit/s; if an attack exceeds the burstable protection, the Anti-DDoS Pro instance IP address is black-holed as well. You can submit a ticket to upgrade the protection capability to 1 Tbit/s or higher.
  • After protection is switched over to Anti-DDoS Pro, Sec-Traffic Manager does not switch back to Anti-DDoS Origin immediately, even if the attack stops. You can configure the interval that Sec-Traffic Manager waits before switching back; the default is 120 minutes (two hours). This avoids repeated switchovers during an attack that stops and restarts, and keeps your business reachable throughout.

Activate and configure Anti-DDoS Origin

Create an Anti-DDoS Origin Enterprise instance and add resources to the instance as protection targets. Make sure that these resources and the instance are located in the same region. These resources include ECS instances, SLB instances, Elastic IP addresses, and WAF assets.

Notice
  • If the public IP addresses of your resources serve clients directly, make sure that the network specifications of each resource and its scrubbing threshold (the traffic rate above which scrubbing starts) meet your business requirements, so that legitimate peak traffic is not scrubbed. You can view the scrubbing threshold of each resource in the Anti-DDoS Basic console.
  • Before sales promotions, you must estimate the peak bandwidth and inform Alibaba Cloud technical support. This allows you to avoid traffic scrubbing or throttling by mistake and reduces the impact on your business.
  1. Create an Anti-DDoS Origin Enterprise instance. If an instance is available, skip this step.
    1. Log on to the Alibaba Cloud Anti-DDoS console.
    2. On the Manage Instances page, click Purchase Anti-DDoS Origin.
    3. On the Anti-DDoS Origin buy page, specify the required parameters and click Buy Now. The parameters are described as follows:
      • Mitigation Plan: specifies a protection plan. Select Enterprise Edition.
      • Region: specifies a region where the resources that you want to protect reside.
      • Business Scale: specifies the bandwidth of the business that you want to protect.
      Note For more information, see Purchase an Anti-DDoS Origin Enterprise instance.
    4. Confirm the parameters and complete the payment.
  2. Add a protection target to the Anti-DDoS Origin Enterprise instance.
    1. Log on to the Alibaba Cloud Anti-DDoS console.
    2. On the Manage Instances page, find the target instance and click Add Protected Asset in the Actions column.
    3. In the Add Protected Asset dialog box, enter one or more IP addresses that you want to protect and click OK.
      Note For more information, see Add a protection target.

Configure Anti-DDoS Pro and Sec-Traffic Manager

Create an Anti-DDoS Pro instance of the Professional plan, add a forwarding rule for your website, and create a scheduling rule for Sec-Traffic Manager. After the configuration is complete, you point the DNS record of your domain to the CNAME assigned by Sec-Traffic Manager, which then decides whether the domain resolves to the origin server or to the Anti-DDoS Pro instance.

  1. Create an Anti-DDoS Pro instance of the Professional plan. If an instance is available, skip this step.
    1. Log on to the Alibaba Cloud Anti-DDoS Pro console.
    2. In the left-side navigation pane, click Assets and then Instances. On the page that appears, click Purchase Instances in the upper-right corner.
    3. On the Anti-DDoS Pro (Mainland China) buy page, specify the required parameters and click Buy Now. The parameters are described as follows:
      • Mitigation Plan: specifies a protection plan. The value can only be Professional.
      • Basic Protection: specifies basic protection. Select 30Gb.
      • Burstable Protection: specifies burstable protection. Select 300Gb.
      • Clean Bandwidth: specifies the bandwidth of normal (clean) traffic that Anti-DDoS Pro forwards to your origin server after scrubbing. Set it to no less than the peak bandwidth of your business; otherwise legitimate traffic may be throttled during a switchover.
    4. Confirm the parameters and complete the payment.
  2. Add a domain to the Anti-DDoS Pro instance of the Professional plan.
    1. Log on to the Alibaba Cloud Anti-DDoS Pro console.
    2. In the left-side navigation pane, click Provisioning and then Website Config. The Add Domain page appears.
    3. In the Enter Site Information step, specify the required parameters and click Add. The parameters are described as follows:
      • Function Plan and Instance: specifies a function plan and an instance that you want to use.
      • Domain: specifies the domain name of the website that you want to protect.
      • Server IP: specifies how Anti-DDoS Pro reaches the origin server. Select Origin Server IP and enter the public IP address of the origin server that Anti-DDoS Origin protects.
      Note For more information, see Add a domain.
      After you add the website configuration, the console prompts you to modify the DNS records of your domain to point to the Anti-DDoS Pro CNAME. Skip this step. In this solution, the DNS record of your domain points to the CNAME assigned by Sec-Traffic Manager instead, which you configure in the following steps.
  3. Create a scheduling rule for Sec-Traffic Manager.
    1. Log on to the Alibaba Cloud Anti-DDoS Pro console.
    2. In the left-side navigation pane, click Provisioning and then Sec-Traffic Manager. On the page that appears, click the Cloud Service Interaction tab. On the General tab, click Create Rule.
    3. In the Create Rule pane, specify the required parameters of a tiered protection rule and click Next. The parameters of the tiered protection rule are described as follows:
      • Interaction Scenario: specifies a scenario. Select Tiered Protection.
      • Anti-DDoS Instance IP: specifies the Anti-DDoS Pro instance to use. Select the instance to which you added the domain in Step 2.
      • Cloud Resource: specifies an origin server.
      Note For more information, see Sec-Traffic Manager.
      After you create the rule, Sec-Traffic Manager assigns a CNAME address to the rule. Record this CNAME for the next step.
  4. Update the DNS record of your domain. Log on to the console of your DNS provider and change the CNAME record of your domain to the CNAME address assigned by Sec-Traffic Manager. Do not point the domain at the Anti-DDoS Pro CNAME or at the origin IP address directly: the switchover between Anti-DDoS Origin and Anti-DDoS Pro is performed by Sec-Traffic Manager through this CNAME, so it only takes effect if the domain resolves through it.
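The following script is an added example for this topic and is not Alibaba Cloud code. Once the DNS record points at the Sec-Traffic Manager CNAME, the only externally visible sign of which tier is protecting you is how the domain resolves: through the Sec-Traffic Manager CNAME to the origin IP address (Anti-DDoS Origin in effect) or to the Anti-DDoS Pro instance IP address (switchover in effect). The script parses the answer section printed by `dig +noall +answer <domain> A`, checks that the first hop is the Sec-Traffic Manager CNAME, and classifies the final A records. The CNAME, origin IP addresses, Anti-DDoS Pro IP address, and the three `dig` answers are all placeholders constructed for the example; substitute the values shown in your consoles.

```python
"""Check how a domain behind Sec-Traffic Manager is currently resolving.

Added example for this topic; it is not Alibaba Cloud code. It parses the
answer section printed by `dig +noall +answer <domain> A`, verifies that the
domain's first hop is the Sec-Traffic Manager CNAME, and reports whether the
final A records belong to the origin (Anti-DDoS Origin in effect) or to the
Anti-DDoS Pro instance (switchover in effect). Every name and address below
is a placeholder.
"""
import subprocess
from dataclasses import dataclass, field

# Placeholders: substitute the CNAME shown in the Sec-Traffic Manager console,
# the IP addresses you added as Anti-DDoS Origin protection targets, and the
# IP address of your Anti-DDoS Pro instance.
STM_CNAME = "rule-placeholder.stm.example.net"
ORIGIN_IPS = {"203.0.113.10", "203.0.113.11"}
PRO_IPS = {"198.51.100.20"}


@dataclass
class ResolutionState:
    via_traffic_manager: bool     # first hop is the Sec-Traffic Manager CNAME
    path: str                     # "origin", "anti-ddos-pro", or "unknown"
    addresses: list = field(default_factory=list)
    max_ttl: int = 0              # largest TTL in the chain (seconds)


def parse_dig_answer(text):
    """Return (cnames, a_records, max_ttl) from `dig +noall +answer` output.

    cnames is a list of (owner, target) pairs; names are lowercased and
    stripped of the trailing dot so they compare cleanly.
    """
    cnames, a_records, max_ttl = [], [], 0
    for line in text.splitlines():
        parts = line.split()
        # Expected columns: owner TTL class type rdata
        if len(parts) < 5 or parts[2] != "IN" or not parts[1].isdigit():
            continue
        owner = parts[0].rstrip(".").lower()
        ttl, rtype, rdata = int(parts[1]), parts[3], parts[4].rstrip(".").lower()
        if rtype == "CNAME":
            cnames.append((owner, rdata))
        elif rtype == "A":
            a_records.append(rdata)
        else:
            continue
        max_ttl = max(max_ttl, ttl)
    return cnames, a_records, max_ttl


def classify(text, domain, stm_cname=STM_CNAME, origin_ips=ORIGIN_IPS, pro_ips=PRO_IPS):
    """Classify a dig answer for `domain` into a ResolutionState."""
    cnames, a_records, max_ttl = parse_dig_answer(text)
    first_hop = dict(cnames).get(domain.rstrip(".").lower())
    via = first_hop == stm_cname.rstrip(".").lower()
    addrs = set(a_records)
    if addrs and addrs <= set(origin_ips):
        path = "origin"            # Anti-DDoS Origin is protecting the asset
    elif addrs and addrs <= set(pro_ips):
        path = "anti-ddos-pro"     # switchover in effect; Pro thresholds apply
    else:
        path = "unknown"           # mixed or unrecognized answers: investigate
    return ResolutionState(via, path, sorted(addrs), max_ttl)


def resolve_live(domain, resolver=None):
    """Ask a resolver for the chain (needs network access and the dig binary)."""
    cmd = ["dig", "+noall", "+answer", domain, "A"]
    if resolver:
        cmd.append("@" + resolver)
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed dig output for the three states a practitioner needs to tell apart.
SAMPLE_ORIGIN = """\
www.example.com.\t600\tIN\tCNAME\trule-placeholder.stm.example.net.
rule-placeholder.stm.example.net.\t60\tIN\tA\t203.0.113.10
"""
SAMPLE_SWITCHED = """\
www.example.com.\t600\tIN\tCNAME\trule-placeholder.stm.example.net.
rule-placeholder.stm.example.net.\t60\tIN\tA\t198.51.100.20
"""
SAMPLE_MISCONFIGURED = """\
www.example.com.\t600\tIN\tCNAME\tsomething-else.example.net.
something-else.example.net.\t60\tIN\tA\t192.0.2.99
"""

if __name__ == "__main__":
    for label, sample in [("origin", SAMPLE_ORIGIN), ("switched", SAMPLE_SWITCHED),
                          ("misconfigured", SAMPLE_MISCONFIGURED)]:
        state = classify(sample, "www.example.com")
        print(f"{label:13s} via_stm={state.via_traffic_manager} path={state.path} "
              f"addrs={state.addresses} max_ttl={state.max_ttl}s")
```

Run it periodically from a resolver in the region your users are in (`classify(resolve_live("www.example.com", "<resolver IP>"), "www.example.com")`) rather than trusting a single lookup: `max_ttl` bounds how long a resolver that honors TTLs may keep serving the previous answer, but the page's longer 5 to 10 minute delay for local DNS servers inside mainland China is outside your control. A result of `anti-ddos-pro` is the cue that the Anti-DDoS Pro thresholds (30 Gbit/s basic, 300 Gbit/s burstable) now govern whether a black hole is triggered, and `via_traffic_manager == False` means the domain is not resolving through Sec-Traffic Manager, so no automatic switchover can happen.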