This topic describes the best practices to use an on-demand Anti-DDoS Origin instance to automatically protect your assets against heavy DDoS attacks. If an attack occurs, you can call API operations to enable automatic protection.
- An Anti-DDoS Origin Enterprise instance is purchased. For more information, see Purchase an Anti-DDoS Origin Enterprise instance.
- An on-demand Anti-DDoS Origin instance is enabled. To do so, you must contact the sales personnel.
- Alert contacts and alert groups are created in Cloud Monitor. For more information, see Create an alert contact or alert group.
- The service traffic is normal, or a small-scale attack occurs: The traffic is forwarded to the local scrubbing center of Anti-DDoS Origin. The service latency does not increase.
- A DDoS attack occurs: The scrubbing centers distributed across the world declare routes to forward and scrub the traffic. The service latency slightly increases, but the protection capability can reach a Tbit/s level.
<Parameter description>format. For example, specify the ID of the on-demand Anti-DDoS Origin instance in
You must replace
<Parameter description> with the actual parameter value. For example, contact the sales personnel to obtain
the ID of your on-demand Anti-DDoS Origin instance and replace
<yourOnDemandInstanceId> with the ID.
- Configure an alert rule in Cloud Monitor to monitor blackhole filtering and traffic
scrubbing events in the local scrubbing center of Anti-DDoS Origin.
The created alert rule automatically takes effect. If the Anti-DDoS Origin instance detects a DDoS attack, contacts in the alert group receive a notification. You can view and manage event alert rules in the list. For more information, see Create an event-triggered alert rule.
- Log on to the Cloud Monitor console.
- In the left-side navigation pane, choose .
- Click the Event Alarm tab.
- On the Event Alarm tab, click Create Event Alert.
- In the Create / Modify Event Alert pane, configure the following alert parameters.
Parameter Description Alarm Rule Name Enter the name of the alert rule. For example, enter Alert for DDoS attacks of Anti-DDoS Origin. Event Type Select System Event. Product Type Select Anti-DDoS Advanced. Event Level Select All Levels. Event Name Select ddosbgp_event_blackhole and ddosbgp_event_clean. Resource Range Select All Resources. Alarm Notification Select Alarm Notification. Then, specify Contact Group and Notification Method.
- Click OK.
- If a DDoS attack occurs, the contacts receive a notification of the blackhole filtering
or traffic scrubbing event. In this case, call the ModifyOnDemaondDefenseStatus API operation to redirect traffic to the global anycast scrubbing centers of Alibaba
Cloud.You must specify the following request parameters:
? Action=ModifyOnDemaondDefenseStatus &DdosRegionId=<yourInstanceRegionId> &DefenseStatus=Defense &InstanceId=<yourOnDemandInstanceId>
- Optional:Disable blackhole filtering in the on-demand Anti-DDoS Origin instance.
- If blackhole filtering is not triggered, skip this step.
- If blackhole filtering is triggered, call the DeleteBlackhole API operation to disable it 10 seconds after you enable traffic redirection.
You must specify the following request parameters:
? Action=DeleteBlackhole &InstanceId=<yourOnDemandInstanceId> &Ip=<yourOnDemandInstanceIp>
- Call the DescribeTopTraffic API operation to check whether the DDoS attack stops.You must specify the following request parameters:
? Action=DescribeTopTraffic &Ipnet=<onDemandInstanceIpnetToQuery> &InstanceId=<yourOnDemandInstanceId> &StartTime=<startTimeToQuery> &EndTime=<endTimeToQuery>
If the value of the AttackBps parameter returned by the API operation is smaller than 300000 for more than 30 minutes, the DDoS attack stops. This parameter indicates the volume of attack traffic, in Kbit/s.
- After the DDoS attack stops, call the ModifyOnDemaondDefenseStatus API operation during off-peak hours to stop traffic redirection in the on-demand
Anti-DDoS Origin instance.Note We recommend that you call this API operation during off-peak hours to minimize service impact caused by traffic switching.
? Action=ModifyOnDemaondDefenseStatus &DdosRegionId=<yourDdosRegionId> &DefenseStatus=UnDefense &InstanceId=<yourOnDemandInstanceId>